MacOS – How to debug macOS firewall? My application layer firewall (ALF) is not logging or blocking

catalina firewall launchd macos

macOS firewall (alf) socketfilterfw doesn't seem to be running properly on macOS catalina 10.15.2 …

Any ideas on how to troubleshoot / debug the built-in macOS application layer firewall?

Best Answer

Check ALF launch daemon is running

$ sudo launchctl list | grep alf
275 0   com.apple.alf
$ ps -ax | grep socketfilterfw
0   529   0:00.01 /usr/libexec/ApplicationFirewall/socketfilterfw

I have restarted a few times and reloaded the launch daemons with launchctl unload and load, as follows:

unload firewall for editing

$ sudo launchctl unload /System/Library/LaunchAgents/com.apple.alf.useragent.plist
$ sudo launchctl unload /System/Library/LaunchDaemons/com.apple.alf.agent.plist
$ sudo pkill -HUP socketfilterfw

load firewall

$ sudo launchctl load /System/Library/LaunchDaemons/com.apple.alf.agent.plist
$ sudo launchctl load /System/Library/LaunchAgents/com.apple.alf.useragent.plist

console.log

socketfilterfw  setting fw.verbose fails
socketfilterfw  cannot open file at line 43353 of [378230ae7f]
socketfilterfw  os_unix.c:43353: (2) open(/var/db/DetachedSignatures) - No such file or directory

system.log

com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.pid.socketfilterfw.467): - -Failed to bootstrap path: path = /usr/libexec/ApplicationFirewall/socketfilterfw, error = 108: Invalid path

socketfilterfw config

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
Firewall is enabled. (State = 2) 

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getloggingopt
Log Option is brief 

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getblockall
Firewall is set to block all non-essential incoming connections 

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getallowsigned
Automatically allow built-in signed software DISABLED

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode
Stealth mode enabled 

viewing alf.log and appfirewall.log: both are empty

$ cat "/private/var/log/appfirewall.log" | wc -l
0
$ cat "/private/var/log/alf.log" | wc -l
0

running /usr/libexec/ApplicationFirewall/socketfilterfw manually

sudo /usr/libexec/ApplicationFirewall/socketfilterfw -l (-l for "Do logging and run in daemon mode." )
The value of the token is 15675822025110658885 

kill running FW

Changetrustmode sw_msg_hdr len: 8 type: changetrustmode (13)

BLOCKALLSYSTEMWISE 

WriteRules sw_msg_hdr len: 88 type: proc_rules (1)  proc_name:  proc_id: 0 rule_type: 7 rules: tc: 0x1010 tl: 0x100 tb: 0x100 uc: 0x1010 ub: 0x100
TRUSTEDAPPS httpd

WriteRules sw_msg_hdr len: 88 type: proc_rules (1)
 proc_name: httpd proc_id: 0 rule_type: 2 rules: tc: 0x11 tl: 0x100 tb: 0x100 uc: 0x11 ub: 0x100

.
.
.

ALF: total number of exceptions = 9
ALF app_paths = 0x53600650 app_bundleid = 0x0
ALF: insert bundleid 0x0 alias 0x0 path /usr/libexec/configd to list
ALF app_paths = 0x536007c0 app_bundleid = 0x0
ALF: insert bundleid 0x0 alias 0x0 path /usr/sbin/mDNSResponder to list
ALF app_paths = 0x53600830 app_bundleid = 0x0
ALF: insert bundleid 0x0 alias 0x0 path /usr/sbin/racoon to list
ALF app_paths = 0x536008a0 app_bundleid = 0x0
.
.
.
ALF: total number of explicits = 7
Changelogmode sw_msg_hdr len: 8 type: changelogmode (12)  flag: 0x1
Changelogopt sw_msg_hdr len: 8 type: changelogopt (15)
Adding SCDynamicStoreCreateRunLoopSource to runloop
alfCallback name = com.apple.alf object = FirewallDaemonstarted
zsh: killed     sudo /usr/libexec/ApplicationFirewall/socketfilterfw -l
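The checks the answer runs by hand (launchd state, socketfilterfw settings, log files, the launchd bootstrap error) can be scripted so the same health check is repeatable after each unload/load cycle. This is an added example, not code from the question or the answer; it assumes macOS with the socketfilterfw --get* flags shown above and that it is run with sudo, while the parsing helpers themselves are plain POSIX sh and run anywhere.

```shell
#!/bin/sh
# Added example (not from the original post): scripted health check for the
# macOS application layer firewall. Assumes macOS, root privileges, and the
# socketfilterfw --get* flags shown in the answer; helpers are pure parsers.
SFW=/usr/libexec/ApplicationFirewall/socketfilterfw

# Extract N from a "Firewall is enabled. (State = N)" line; -1 if absent.
alf_state_from_line() {
    case "$1" in
        *"(State = "*) printf '%s\n' "$1" | sed -n 's/.*(State = \([0-9]*\)).*/\1/p' ;;
        *) echo -1 ;;
    esac
}

# True when a `launchctl list` line shows com.apple.alf with a real PID
# (a "-" in the PID column means the job is loaded but not running).
alf_launchd_running() {
    pid=$(printf '%s\n' "$1" | awk '$3 == "com.apple.alf" { print $1 }')
    [ -n "$pid" ] && [ "$pid" != "-" ]
}

# True when a log line is launchd reporting it could not start socketfilterfw,
# matching the system.log line quoted in the answer.
alf_bootstrap_failed() {
    case "$1" in
        *socketfilterfw*"Failed to bootstrap path"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Line count of a log file, with a missing file counted as empty.
log_line_count() {
    if [ -f "$1" ]; then wc -l < "$1" | tr -d ' '; else echo 0; fi
}

# Live check against the running system (macOS only).
alf_check() {
    echo "global state: $(alf_state_from_line "$("$SFW" --getglobalstate 2>/dev/null)")"
    if alf_launchd_running "$(launchctl list | grep 'com.apple.alf$')"; then
        echo "launchd: com.apple.alf running"
    else
        echo "launchd: com.apple.alf NOT running"
    fi
    echo "appfirewall.log lines: $(log_line_count /private/var/log/appfirewall.log)"
    grep socketfilterfw /var/log/system.log 2>/dev/null | while IFS= read -r line; do
        alf_bootstrap_failed "$line" && echo "launchd error: $line"
    done
}
if [ "$(uname)" = Darwin ]; then alf_check; fi
```

A zero line count for appfirewall.log together with "launchd: com.apple.alf NOT running" or a "launchd error:" line reproduces the symptom in the question, so the script tells you which of the answer's probes to chase first.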