macOS – How to Open Firewall from Terminal

command linefirewallmacos

I am developing a go app on a server(mac-mini) where I connect via ssh. I restart the app many times: go run main.go

Problem is, that I dont have access to the graphical ui – "Firewall Options…".

I really like to have the firewall on for security reason and poke minimal holes in it only when needed.

Is there any way to set and allow a port to be open, for incoming connections from the terminal?

Best Answer

Configure the firewall to be permissible for selected applications and services.
To turn the firewall on for specific applications/services :
```
sudo defaults write /Library/Preferences/com.apple.alf globalstate -int 1
```
https://raymii.org/s/snippets/OS_X_-_Turn_firewall_on_or_off_from_the_command_line.html

Reboot for the change to take effect.
/usr/libexec/ApplicationFirewall/socketfilterfw allows you to configure applications through the firewall. The tool provides its own help and documentation.

For example, to grant an application incoming connections, you can use
```
./socketfilterfw -t "/Applications/Foo.app/Contents/MacOS/Foo"
```

Related Solutions

MacOS – Configure ipfw to filter by ip range

Although you seem fine handling the command line, on OS X it is best to use the Server Admin Tools (like @lupincho suggested). But how can you use the Server Admin Tools GUI when you only have terminal acces?

You can run the Server Admin Tools app from another mac, this will allow you to login on a remote server and change it's settings. If you do not have a spare mac with the Server Admin Tools installed, you can do the following:

SSH into your remote OS X machine with an administrator’s log in and password.
Enable Remote Desktop (a.k.a. Screen Sharing, a.k.a. VNC) with this command:

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -clientopts -setvnclegacy -vnclegacy yes -clientopts -setvncpw -vncpw mypasswd -restart -agent -privs -all

3) Login using a VNC client (such as TightVNC). Your password is "mypasswd" (see the -vncpw flag in the above command; you can — and should — change this).

Now you can open the Server Admin Tools and do your thing.

4) When you are done, turn of screen sharing using your SSH session:

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -configure -access -off

OS X Server – Remote HTTP Connections Ignored but Local Accepted

OS X actually has (at least) 3 firewalls. Since you've turned off the application firewall (in System Preferences -> Security & Privacy -> Firewall) and checked the Berkeley packet filter (pfctl -sa), I'm guessing it's the old ipfw that's doing the blocking. You can check with sudo ipfw show -- that'll list the active rules, along with counts of how many packets and bytes each one has applied to:

$ sudo ipfw show
01000 19228642 23229993542 allow ip from any to any via lo0
01010        0           0 deny ip from any to 127.0.0.0/8
[etc...]
65534    23505     3467352 deny ip from any to any
65535        0           0 allow ip from any to any

If your listing only shows rule #65535 (the allow rule at the end), my guess is wrong and you have to look elsewhere. If it does show other rules, you probably have a third-party firewall config program installed somewhere (I don't think the Apple-supplied ipfw config software is still there in 10.8); take a look in /Library/StartupItems and /Library/LaunchDaemons for things that might be relevant.

Best Answer

Related Solutions

MacOS – Configure ipfw to filter by ip range

OS X Server – Remote HTTP Connections Ignored but Local Accepted

Related Question