Firewall – How to Setup the Adaptive Firewall on macOS

Tags: firewall, macos, server.app

I have followed this link: Turn on the adaptive firewall in macOS Server

and I get this output, but I don't know if I have indeed activated the adaptive firewall:

    No ALTQ support in kernel
    ALTQ related functions disabled
    No ALTQ support in kernel
    ALTQ related functions disabled
    pf enabled
    Token : 13540967312582709951
    No ALTQ support in kernel
    ALTQ related functions disabled

I want to let the adaptive firewall automatically add users with several failed attempts to login.

I have successfully added a certain IP to the firewall blacklist, but I was unable to see it at hb_summary; I don't know if it is supposed to show manually added IPs there. And it was not adding automatically when I supposedly turned it on.

There was a brute force attack on my IMAPS port, and my adaptive firewall was not adding that IP to the blacklist. Only Postfix was dealing with it, by raising a fatal error because of too many errors and terminating the program, but only for a very short period of time.

Server specs:

  • Server.app 3.2.2
  • Mac OS X 10.9.5

Best Answer

After diving into the Adaptive Firewall once more I got the impression that the whole system is flawed and the documentation is a mess.

The command .../hb_summary apparently doesn't work at all, because it seems to rely on the file /private/var/db/af/blockedHosts getting populated by ipfw, which isn't activated in 10.9 (and wouldn't work with the 400.AdaptiveFirewall anchor). pf doesn't use the file blockedHosts at all.

The best you can do is the following:

  • Enable the Adaptive Firewall service

    sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serverctl enable service=com.apple.afctl
    
  • Populate the whitelist with

    sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -c
    
  • Define max bad auth attempts (e.g. 3) and ban time (e.g. 60 minutes)

    sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -T 3
    sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -H 60
    

    This will modify the file /Applications/Server.app/Contents/ServerRoot/private/etc/emond.d/rules/AdaptiveFirewall.plist.

    Check the mod with:

    sudo grep -m 2 -A 4 hostBlockThreshold /Applications/Server.app/Contents/ServerRoot/private/etc/emond.d/rules/AdaptiveFirewall.plist
    
  • Relaunch emond: sudo killall emond
  • Add known bad hosts for a long time:

    sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -a 104.16.35.178 -t 1000000
    

    (Please be aware of the y2038 problem). This will modify the file /private/var/db/af/blacklist. Hosts added here usually don't survive a reboot.

  • Start af with sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -f
  • To get blocked hosts enter:

    sudo pfctl -a com.apple/400.AdaptiveFirewall -t blockedHosts -T show -vvv
    

    To get pf's state enter sudo pfctl -s all.

This is tested with hostile ssh and openssl s_client -connect imapserver_ip:993 login attempts.


After a reboot the .../afctl -f command will start pf and af but in at least one of two cases it doesn't block hostile login attempts though it's announced in the log file.


Improvements:

After modifying the keys debugLevel and logEvents in the file /etc/emond.d/emond.plist:

    ...
    <key>debugLevel</key>
    <integer>3</integer>
    ...
    <key>logEvents</key>
    <true/>
    ...

creating the file /System/Library/LaunchDaemons/com.apple.afctl_boot.plist with the content:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>Disabled</key>
        <false/>
        <key>Label</key>
        <string>com.apple.afctl_boot</string>
        <key>Program</key>
        <string>/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl</string>
        <key>ProgramArguments</key>
        <array>
            <string>/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl</string>
            <string>-f</string>
        </array>
        <key>RunAtLoad</key>
        <true/>
    </dict>
    </plist>

and loading it with:

    sudo launchctl load /System/Library/LaunchDaemons/com.apple.afctl_boot.plist

it seems to work more reliably. The Adaptive Firewall will be loaded at boot time. No further afctl launch command is required!
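As an added example (not part of the original answer), the steps above collected into one script, plus a small parser for pfctl's table listing so the "is this host actually in blockedHosts?" check can be scripted rather than read off by eye. The Server.app paths, the anchor name and the table name are the ones the answer uses; the threshold of 3, the ban time of 60 minutes and the `-t 1000000` default are taken from the answer's own values but are assumptions you should adjust; the sample pfctl listing is constructed to approximate the `-T show -vvv` layout and was not captured from a real system. `apply` and `ban` need root and a real Server.app; `demo` runs offline against the constructed sample.

```shell
#!/bin/sh
# Added example, not the original answer's code: wraps the afctl/pfctl procedure
# into functions and adds an offline-testable check of pf's blockedHosts table.
set -u

SERVERROOT=/Applications/Server.app/Contents/ServerRoot
AFCTL="$SERVERROOT/usr/libexec/afctl"
SERVERCTL="$SERVERROOT/usr/sbin/serverctl"
ANCHOR=com.apple/400.AdaptiveFirewall
TABLE=blockedHosts
BAD_AUTH_THRESHOLD=3    # failed logins before a ban (assumed value, as in the answer)
BAN_MINUTES=60          # ban duration for automatic bans (assumed value)

# Print the addresses from a `pfctl -a $ANCHOR -t $TABLE -T show -vvv` listing
# read on stdin. With -v pfctl prints one indented address per entry followed
# by counter lines ("Cleared:", "In/Block:", ...); only address tokens are kept.
blocked_hosts() {
    awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ { sub(/\/32$/, "", $1); print $1 }'
}

# Exit 0 if host $1 appears in the listing read on stdin, 1 otherwise.
host_is_blocked() {
    blocked_hosts | grep -qxF -- "$1"
}

# Same check against the live pf table (needs root).
live_host_is_blocked() {
    pfctl -a "$ANCHOR" -t "$TABLE" -T show -vvv 2>/dev/null | host_is_blocked "$1"
}

# The answer's procedure, in order: enable service, whitelist, thresholds,
# restart emond so the rule change is read, then load the pf rules.
apply_setup() {
    "$SERVERCTL" enable service=com.apple.afctl
    "$AFCTL" -c
    "$AFCTL" -T "$BAD_AUTH_THRESHOLD"
    "$AFCTL" -H "$BAN_MINUTES"
    killall emond
    "$AFCTL" -f
}

# Ban host $1 for $2 (the -t value, units as used in the answer) and confirm
# that pf, not just the blacklist file, actually holds it.
ban_and_verify() {
    "$AFCTL" -a "$1" -t "$2"
    if live_host_is_blocked "$1"; then
        echo "$1 present in $ANCHOR/$TABLE"
    else
        echo "WARNING: $1 missing from $ANCHOR/$TABLE; re-run $AFCTL -f and check again" >&2
        return 1
    fi
}

# Constructed sample listing (approximates pfctl -T show -vvv output; not captured).
SAMPLE_TABLE='   104.16.35.178
        Cleared:     Tue Mar  3 12:00:00 2015
        In/Block:    [ Packets: 12  Bytes: 720  ]
   198.51.100.7
        Cleared:     Tue Mar  3 12:05:00 2015
        In/Block:    [ Packets: 0  Bytes: 0  ]'

case "${1:-demo}" in
    apply) apply_setup ;;
    ban)   ban_and_verify "$2" "${3:-1000000}" ;;
    demo)
        echo "hosts in sample table:"
        printf '%s\n' "$SAMPLE_TABLE" | blocked_hosts
        printf '%s\n' "$SAMPLE_TABLE" | host_is_blocked 104.16.35.178 && echo "104.16.35.178: blocked"
        printf '%s\n' "$SAMPLE_TABLE" | host_is_blocked 203.0.113.9 || echo "203.0.113.9: not blocked"
        ;;
esac
```

Run `sudo sh afsetup.sh apply` once, then `sudo sh afsetup.sh ban 104.16.35.178` for a known-bad host; the ban step reports a warning if the address never reaches pf's table, which is the situation the answer describes after a reboot when only the blacklist file, not the anchor, has been updated.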