Firewall Issue on 10.9.3 and above

malroy
New Contributor II

Hi All,

I am having an issue with adding applications to the exception rules of the Application Firewall on Mavericks 10.9.3 and above (10.9.4).
Mavericks 10.9.2 has no issue with adding applications to the exception rules.

The issue is:

The application will be listed in the Security & Privacy panel and has the "Allow Incoming Traffic" rule. In the GUI, everything looks in order, but when you launch a specific application, the prompt appears: "Do you want the application "myapp.app" to accept incoming network connections?" Click "Deny" or "Allow". See the reference on the prompt window [http://i.stack.imgur.com/5x54f.png]

It shouldn't have appeared, as I run a script to add the application to the exception list. This issue only occurs after the release of 10.9.3.

I am wondering if anyone out there has encountered this issue, or does anyone have a solution to add applications that need to have incoming network connections allowed in?

Script used during Casper imaging at reboot:

#!/bin/sh
# Must run as root: socketfilterfw and the ALF preference file are root-owned.

# Turn off the firewall
/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off

# Delete the existing firewall rules (ALF rebuilds this file)
rm /Library/Preferences/com.apple.alf.plist

# Add the application to the application firewall's exception list
/usr/libexec/ApplicationFirewall/socketfilterfw --add /Applications/MyApp.app/Contents/MacOS/myapp

# Start the firewall again
/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
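As an added example (not the poster's script), the same imaging step written so that it checks the binary's code signature first and then verifies the resulting ALF entry, since the thread's finding is that an "Allow" rule for an unsigned binary does not survive a reboot on 10.9.3 and later. The application path is a placeholder, and the `--listapps` output layout that `alf_state` parses is assumed from the tool's usual format, not quoted from this thread.

```shell
#!/bin/sh
# Added example: add one app to the Application Firewall allow list during
# imaging, refusing unsigned binaries, then verify the entry actually exists.
set -eu

SFW=/usr/libexec/ApplicationFirewall/socketfilterfw

# Return 0 if the binary carries a valid code signature (codesign's exit status).
is_signed() {
    /usr/bin/codesign --verify --deep "$1" >/dev/null 2>&1
}

# Optional: ad-hoc sign an unsigned binary yourself ("-" is the ad-hoc identity).
# This is the "sign it yourself" route; it changes the binary, so do it with the
# vendor's knowledge rather than as a silent imaging step.
adhoc_sign() {
    /usr/bin/codesign --force --sign - "$1"
}

# Parse `socketfilterfw --listapps` output (read from stdin) and print the state
# ("allow", "block" or "absent") of the application at $1.
# Assumed output layout (constructed, not taken from the thread):
#   N :  /path/to/App.app
#        ( Allow incoming connections )
alf_state() {
    awk -v app="$1" '
        /^[0-9]+ :/ {
            cur = $0
            sub(/^[0-9]+ :[ \t]*/, "", cur)   # strip the "N :  " prefix
            sub(/[ \t]+$/, "", cur)           # and any trailing whitespace
            next
        }
        /Allow incoming connections/ && cur == app { print "allow"; found = 1; exit }
        /Block incoming connections/ && cur == app { print "block"; found = 1; exit }
        END { if (!found) print "absent" }
    '
}

# Add the app to the exception list, unblock it, and print its resulting state.
alf_allow_app() {
    app="$1"
    if ! is_signed "$app"; then
        echo "refusing: $app is unsigned; its Allow rule will not persist across reboots" >&2
        return 1
    fi
    "$SFW" --add "$app"
    "$SFW" --unblockapp "$app"
    "$SFW" --listapps | alf_state "$app"
}

# Only touch the firewall when explicitly asked and when the tool exists (macOS).
if [ "${1:-}" = "--apply" ] && [ -x "$SFW" ]; then
    "$SFW" --setglobalstate off
    alf_allow_app "/Applications/MyApp.app/Contents/MacOS/myapp"   # placeholder path
    "$SFW" --setglobalstate on
fi
```

Run it as root with `--apply` from the imaging workflow; without the flag it only defines the functions, so `alf_state` can be used on its own to audit an existing machine (`socketfilterfw --listapps | alf_state /path/to/app`).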


blinvisible
Contributor

I'm seeing this under 10.9.4 with DeployStudio. Looks like it happens with unsigned binaries -- even if you set them to "Allow," if they're unsigned they won't receive network traffic until manually stopped and started again, at which point you'll get the Allow/Deny prompt. Click Allow and it'll work... until the next reboot, where you'll have to go through that process again.

I haven't come up with a solution yet, other than asking the developer to sign their app. =/ You used to be able to use socketfilterfw to sign the binary yourself (as suggested in this thread) but it appears the '-s' flag no longer exists in the Mavericks version of socketfilterfw:

$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw -h
usage: /usr/libexec/ApplicationFirewall/socketfilterfw [-c] [-w] [-d] [-l] [-T] [-U] [-B] [-L] [-a listen or accept] [-p pid to write] [--getglobalstate] [--setglobalstate on | off] [--getblockall] [--setblockall on | off] [--listapps] [--getappblocked <path>] [--blockapp <path>] [--unblockapp <path>] [--add <path>] [--remove <path>] [--getallowsigned] [--setallowsigned] [--getstealthmode] [--setstealthmode on | off] [--getloggingmode] [--setloggingmode on | off] [--getloggingopt] [--setloggingopt throttled | brief | detail] 
firewallapp is used to control Application Firewall socket filter.
The command takes the following options that are evaluated in order, 
and several options may be combined:
 -h        display this help and exit
 -i        dump socket filter internal data info
 -d        turn on debugging
 -l        do logging and run in daemon mode
 -k        kill daemon
 -a        ask when listen or accept, ask "accept" or ask "listen"
 -c        check file
 --getglobalstate                display if the firewall is enabled or not
 --setglobalstate on | off       turn the firewall on or off
 --getblockall                   show whether block all is enabled or not
 --setblockall on | off          enable or disable block all option
 --listapps                      display a list of paths of added applications
 --getappblocked <path>          show whether connections are blocked or not for
                                 the application at <path>
 --blockapp <path>               block the application at <path>
 --unblockapp <path>             unblock the application at <path>
 --add <path>                    add the application at <path> to the firewall
 --remove <path>                 remove the application at <path> from the
                                 firewall
 --getallowsigned                show whether signed applications are to
                                 automatically receive incoming connections
 --setallowsigned on | off       set whether signed applications are to
                                 automatically receive incoming connections or not
 --getstealthmode                show whether stealth mode is on or not
 --setstealthmode on | off       set stealth mode on or off
 --getloggingmode                show whether logging is on or not
 --setloggingmode on | off       set logging to on or off
 --getloggingopt                 show logging option
 --setloggingopt throttled |     set logging option
                     brief |
                    detail

It might work by unchecking "Automatically Allow Signed Software" and then manually setting Allow/Block privileges, but you'd then have to do that for EVERY network-utilizing process and that will quickly get cumbersome.

cdev
Contributor III

Have you gotten any further with this? I'm attempting to pass firewall rules for a couple of applications and am running into the same issue – despite the GUI showing all traffic is allowed, the application still prompts for firewall access at launch under Mavericks.

malroy
New Contributor II

As @blinvisible has mentioned, and I tested it as well, the root cause is that the vendor of the software has to sign the application properly. socketfilterfw refuses to sign it since 10.9.4.

The only solution is to get the vendor to sign it or you sign it yourself.

blinvisible
Contributor

Alternately, disable the Application-layer firewall entirely and get cozy with the OS X-included 'pf' packet filter firewall, which will allow you to allow or restrict traffic based on all kinds of conditions (port ranges, IP source/destination ranges, protocols, TCP flags, etc.)... though first you may want to type 'man pf.conf' at a command prompt to get an idea of what you'd be getting yourself into if you went down that road.
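As an added example (not from this thread), a small generator for the kind of pf ruleset the reply is pointing at: it allows inbound TCP to one application's port range only from a trusted subnet, using the conditions the reply names (protocol, port range, source range, TCP flags), with everything else inbound blocked by default. The subnet, port range and file path are placeholders.

```shell
#!/bin/sh
# Added example: emit and load a minimal pf ruleset that replaces the ALF
# "Allow incoming" rule for one application with packet-level conditions.
set -eu

# Emit a ruleset allowing inbound TCP to port range $2 from source CIDR $1.
pf_rules() {
    trusted="$1"; ports="$2"
    cat <<EOF
# constructed ruleset: default deny inbound, stateful outbound
set block-policy drop
set skip on lo0
block in log all
pass out quick keep state
# the app's listening ports, only from the trusted subnet;
# "flags S/SA" matches initial SYNs only, so state comes from a clean handshake
pass in quick proto tcp from $trusted to any port $ports flags S/SA keep state
# keep ICMP echo so basic reachability checks still work
pass in quick inet proto icmp all icmp-type echoreq
EOF
}

# Count the "pass in" rules in a ruleset read from stdin (sanity check).
count_pass_in() {
    grep -c '^pass in'
}

# Syntax-check and load the ruleset; pfctl exists on macOS/BSD only.
# Note: "pfctl -f" replaces the whole active ruleset, so merge with the
# system's /etc/pf.conf rather than using this verbatim on a production box.
pf_load() {
    [ -x /sbin/pfctl ] || { echo "pfctl not present; skipping load" >&2; return 0; }
    conf=/etc/pf.conf.appfw   # placeholder path
    pf_rules "$1" "$2" > "$conf"
    /sbin/pfctl -nf "$conf"   # parse only; fails on a bad rule before anything is loaded
    /sbin/pfctl -f "$conf"
    /sbin/pfctl -e || true    # enable pf if it is not already enabled
}

# Stand-alone run: print the ruleset for a placeholder subnet and port range.
if [ "${1:-}" = "--print" ]; then
    pf_rules "10.0.0.0/8" "8000:8010"
fi
```

`pfctl -nf` is the step worth keeping even if you hand-write the rules: it reports a syntax error without touching the running filter, which is the difference between a typo and a machine that drops all traffic at the next reboot.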