How does Application Level Firewall work?

I'm a bit confused about OS X Mountain Lion's Application Level Firewall.

I have enabled ALF (Application Level Firewall) in Settings -> Security & Privacy -> Firewall and have some rules for some applications in it, and those rules are stored by ALF in /usr/libexec/ApplicationFirewall/com.apple.alf.plist

But it seems that ipfw is disabled (no /etc/ipfilter) and sudo ipfw list is 65535 allow ip from any to any. pf is also disabled.

So I do not understand how ALF works. If ALF does not use the known legacy firewall applications, how does it do what it does? What does it use for a backend or is it a totally separate application that does not deal with ipfw or pf?


Solution 1:

ALF uses a process called Firewall. The rules list you are looking for exists under: /usr/libexec/ApplicationFirewall/com.apple.alf.plist

Additionally, any changes made on a per-user basis are made to ~/Library/Preferences/com.apple.alf.plist.

If you navigate to /usr/libexec/ApplicationFirewall/, you will also see the Firewall and socketfilterfw processes, which supply the backend and configuration manager (respectively) for ALF.

You can read more about Apple's in-house firewall here: http://krypted.com/tag/socketfilterfw/
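To make the plist-backed design above concrete, here is an added example (not part of the answer, and not Apple's code) that parses an ALF configuration the way an auditor would when checking a fleet of Macs: it reads the global firewall state, lists the per-application decisions, and flags settings worth a second look. The plist below is constructed for the example; the key names (globalstate, stealthenabled, allowsignedenabled, loggingenabled, applications with a per-entry state) and the state encodings (global 0/1/2 = off / on / block all; per-app 0 = allow, 2 = block) are my assumptions about the Mountain Lion file format, and a real file may identify applications by an opaque alias blob rather than a readable bundleid.

```python
import plistlib
from typing import Dict, List, Tuple

# Constructed stand-in for /usr/libexec/ApplicationFirewall/com.apple.alf.plist.
# Key names and integer encodings are assumptions about the real format; the
# application entries are invented for illustration.
SAMPLE_ALF_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>globalstate</key><integer>1</integer>
  <key>stealthenabled</key><integer>0</integer>
  <key>allowsignedenabled</key><integer>1</integer>
  <key>loggingenabled</key><integer>0</integer>
  <key>applications</key>
  <array>
    <dict>
      <key>bundleid</key><string>com.example.chatclient</string>
      <key>state</key><integer>0</integer>
    </dict>
    <dict>
      <key>bundleid</key><string>com.example.p2pdownloader</string>
      <key>state</key><integer>2</integer>
    </dict>
  </array>
</dict>
</plist>
"""

# Assumed meaning of the integer states (not documented by Apple on this page).
GLOBAL_STATES = {0: "off", 1: "on (per-application rules)", 2: "on (block all incoming)"}
APP_STATES = {0: "allow incoming", 2: "block incoming"}


def load_alf(raw: bytes) -> Dict:
    """Parse an ALF plist (XML or binary; plistlib handles both)."""
    return plistlib.loads(raw)


def describe_global_state(cfg: Dict) -> str:
    """Human-readable global firewall state; unknown values are reported, not guessed."""
    state = cfg.get("globalstate", 0)
    return GLOBAL_STATES.get(state, f"unknown state {state}")


def application_rules(cfg: Dict) -> List[Tuple[str, str]]:
    """List (identifier, decision) for every per-application entry."""
    rules = []
    for entry in cfg.get("applications", []):
        # Real files may carry an opaque 'alias' bookmark instead of a bundle id;
        # fall back to a placeholder so the entry is not silently dropped.
        ident = entry.get("bundleid") or "<alias-only entry>"
        decision = APP_STATES.get(entry.get("state"), f"unknown state {entry.get('state')}")
        rules.append((ident, decision))
    return rules


def blocked_apps(cfg: Dict) -> List[str]:
    """Identifiers of applications whose incoming connections are blocked."""
    return [ident for ident, decision in application_rules(cfg) if decision == "block incoming"]


def audit(cfg: Dict) -> List[str]:
    """Defender-side findings: settings that weaken or hide what the firewall does."""
    findings = []
    if cfg.get("globalstate", 0) == 0:
        findings.append("firewall is off; per-application rules have no effect")
    if cfg.get("stealthenabled", 0) == 0:
        findings.append("stealth mode disabled (host answers probes such as ICMP echo)")
    if cfg.get("allowsignedenabled", 0) == 1:
        findings.append("signed software is automatically allowed to accept incoming connections")
    if cfg.get("loggingenabled", 0) == 0:
        findings.append("firewall logging disabled; blocked connections leave no record")
    return findings


if __name__ == "__main__":
    cfg = load_alf(SAMPLE_ALF_PLIST)
    print("global state:", describe_global_state(cfg))
    for ident, decision in application_rules(cfg):
        print(f"  {ident}: {decision}")
    for finding in audit(cfg):
        print("finding:", finding)
```

On a real machine you would read the file with `plistlib.load(open(path, "rb"))` instead of the embedded bytes; binary plists parse the same way. Because the key names are assumptions, compare the parsed output against what `socketfilterfw --listapps` reports before trusting the decoding on a given OS release.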

Solution 2:

See OS X Server: About the Firewall service.

Although the topic is about OS X Server, the last paragraph says:

Additional Information
The ipfw command is deprecated in Mountain Lion. If you want to manually configure Firewall rules, use the pfctl binary for forward compatibility. For instructions, see man pfctl.