Built in firewall issues after using Brickhouse

Rhino_G3

After configuring the built-in firewall using BrickHouse I now can't make any alterations through the control panel. It's still running beautifully, I'm just unable to make any changes. I can see which services I have blocked off but am unable to make any changes.

I did this to block off ports that Office v.X uses. I don't like the idea of MS opening up ports on my machine.

Does anybody have any reason why this would be? Both brickhouse and the pref pane edit the same .conf file. Right? I don't know what else brickhouse may have changed.
 
Hi Rhino_G3,

I'm sorry I don't know the answer to your situation, but I can propose a few ideas and I think your post raises a few interesting questions that I was thinking of posting myself (but hadn't figured out which forum was most appropriate!).

Just to make sure I have this straight, am I right in thinking you were using 10.2's firewall feature in the System Preferences first, you then installed and used BrickHouse, and now you can't use the System Preference access to the firewall anymore?

I'm sitting in front of a Windows XP box at work, so I have to reply to this entirely from memory, rather than being able to "play" with OS X at the moment! I had posted a question earlier on the Darwin forum about whether or not Apple's firewall uses "ipfw" (as BrickHouse does) or a different method, but did not get a reply. I would be interested to know the answer to this, as I could not see ipfw running when I tried "top," though my firewall was definitely on; I thought ipfw always showed up under 10.1.x when I used BrickHouse but my memory could be wrong!

I couldn't figure out which configuration file Apple's firewall is using, but there is an extension that seems to be involved. This got me thinking it might not be ipfw, but I don't know...

So it would be useful to know whether BrickHouse and 10.2's firewall are both trying to configure the same file. I guess my "answer" to your post would be:

1) check that no file permissions are causing trouble (but this assumes you know where the configuration file is!); for instance, has running BrickHouse modified any permissions?

2) could it be that they both try to run the same filter and so one cannot make any changes while the other is running?

3) do you have to stop 10.2's firewall to make any changes that will be taken into effect when you restart it?

4) have you got the latest version of BrickHouse which is 10.2 compatible?


I'm in two minds about whether to use Apple's setup or whether to install another bit of firewall software, as BrickHouse gives you more details (such as logs). I hope this might be of help in some way, but I'd certainly like to see more discussion of this sort of issue!
 
Ahhh, I think you may be on to something. I was under the impression that Apple was using ipfw for firewall support.

I never did use the firewall from the control panel but the option was there. Now that I've configured using brickhouse all the options are greyed out. It says something about another firewall already in use.

To answer your questions, 1.) brickhouse didn't change any permissions, 2.) I think this may be part of the problem, 3.) I can have the default firewall running and then start brickhouse... but not the other way around, 4.) Yep, I do have the latest version of brickhouse.

I'll do some research trying to find if they both use ipfw or if Apple is using something else. Thanks for the help!
 
Hi again,

Glad my reply was of some use after all!

:)


What you say is intriguing. I'd like to get to the bottom of this, as it seems to be an issue that has been strangely left uninvestigated.

So 10.2's firewall says another firewall is in use if you use BrickHouse first? That seems to therefore be the cause of the problems you are experiencing.

With regards to your answer to 3), it is interesting that the order of starting up the firewalls matters. I wonder if BrickHouse can somehow override 10.2's firewall but not vice versa, whether it involves using separate preferences for the same process and essentially restarting it or actually shutting one process down and starting a new, entirely different one.

Could you try running BrickHouse (first) and then running "top" to see if ipfw shows up? If it does, try then deactivating BrickHouse's firewall and use 10.2's built-in firewall, run "top," and see if "ipfw" is there; I bet it won't be. As I mentioned, the fact that a firewall extension is there bothers me as it sounds as though Darwin's built-in feature is left unused. I could be wrong here as I'm not yet sure what is going on and I've only just begun to look into it. A little detective work is in order!
 
I sent an E-Mail to Brian Hill, author of BrickHouse, asking about how Apple's firewall and BrickHouse work. His reply was informative, so I thought I'd pass on the details!

With regards to whether both use ipfw:
"IPFW is a command line tool (at /sbin/ipfw) that is used to configure the built-in firewall kernel extension (IPFirewall.kext). They both use it."

In answer to why ipfw is not visible in "top:"
"The ipfw tool just runs when you are setting the configuration and quits. The actual firewall is built into the kernel, so it's always running (but you won't see it with top)."

With respect to configuration:
"I *think* the built in firewall pref pane probably stores the configuration in the SystemConfiguration database files here: /var/db/SystemConfiguration.

When BrickHouse generates a configuration, it also stores information there, but the 'actual' firewall filter file that's sent to ipfw is at /etc/firewall.conf. This is over-written when you click Apply or Install, however. This file is also used during startup when called from the /Library/StartupItems/Firewall/Firewall startup script.

One way you can see the current firewall configuration directly is via BrickHouse's 'Monitor' window. It pulls the actual current filters out of the kernel and lists them, no matter if BrickHouse put them there or not.

Another way is with the ipfw tool in Terminal, like this:
sudo ipfw show"


It was very good of him to give such an informative response!

:)
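The reply quoted above points to `sudo ipfw show` as the way to read the live rules out of the kernel, whichever front end loaded them. As an added example (not from the thread, Apple, or BrickHouse), the following shell functions summarise that output; the sample rules are constructed, the function names `sample_rules`, `ipfw_state` and `ipfw_blocked` are hypothetical, and rule 65535 is assumed to be the kernel's default rule.

```shell
#!/bin/sh
# Added example: summarise `ipfw show` output. Each line is:
#   rule-number  packets  bytes  action  [log]  proto from SRC to DST [port] ...

# Constructed sample of `ipfw show` output (not captured from a real machine).
sample_rules() {
cat <<'EOF'
02000 1520 182400 allow ip from any to any via lo*
02010 0 0 deny ip from 127.0.0.0/8 to any in
02040 9321 7345102 allow tcp from any to any established
12300 14 840 deny tcp from any to any dst-port 3464 in
12310 3 228 deny udp from any to any 2222 in
65535 48210 31904411 allow ip from any to any
EOF
}

# Has any front end loaded rules, or is only the default rule (65535) present?
ipfw_state() {
  awk '$1 != "65535" { n++ }
       END { if (n) print "custom-rules " n; else print "default-only" }'
}

# List blocking rules as: rule action proto dst-port packets-matched.
# Handles both "to any 2222" and "to any dst-port 2222" spellings.
ipfw_blocked() {
  awk '$4 == "deny" || $4 == "reject" {
    proto = "?"; port = "any"
    for (i = 5; i <= NF; i++) {
      if ($i == "from") proto = $(i - 1)   # token before "from", skips "log"
      if ($i == "to") {
        p = $(i + 2)
        if (p == "dst-port") p = $(i + 3)
        if (p ~ /^[0-9]/) port = p
        break
      }
    }
    print $1, $4, proto, port, $2
  }'
}

# On the Mac itself: sudo ipfw show | ipfw_blocked
sample_rules | ipfw_state
sample_rules | ipfw_blocked
```

A non-zero packet count in the last column shows that a blocking rule is actually matching traffic, which confirms the filter is active in the kernel even when the preference pane is greyed out.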
 