Activating/Deactivating Firewall ports automatically
What the topic says. Anyone know of a good way through Applescript/Automator to disable/enable Firewall ports defined in the Firewall setup? The aim is to just have to double-click an app, instead of going to system preferences, go to sharing, click firewall, authenticate, click the corresponding port, etc, etc...
Ideally this behaviour should be triggered by the opening/closing of the applications that use these ports, but I know that's a long shot, so...
Anyone?
Comments
Originally posted by Whyatt Thrash
What the topic says. Anyone know of a good way through Applescript/Automator to disable/enable Firewall ports defined in the Firewall setup? The aim is to just have to double-click an app, instead of going to system preferences, go to sharing, click firewall, authenticate, click the corresponding port, etc, etc...
Ideally this behaviour should be triggered by the opening/closing of the applications that use these ports, but I know that's a long shot, so...
Anyone?
I just checked the Sharing Prefpane with UI Browser and it looks as though it can be done with GUI Scripting.
Try this and see if it works for you:
1. Select (highlight) the 3 lines below and choose "Make New AppleScript" from Safari's Safari->Services->Script Editor menu.
2. Open System Preferences to its default (Show All) page.
3. Switch to the Script Editor, with System Prefs still visible, and click the Run button.
4. System Preferences should switch to the Sharing pane.
5. If this works, we can proceed with the script.
Script: highlight the three lines below (or copy and paste into Script Editor if you prefer)
tell application "System Preferences"
    set current pane to pane "com.apple.preferences.sharing"
end tell
There is not a good way to intercept launching of an app and do stuff before it launches - the only way is to make a script that both does the firewall setting and then launches the app.
So for app A which needs port X opened before it runs, you would have an AppleScript that calls "do shell script" to make the ipfw call, then launches app A. (This is the Apple recommended way of executing a shell script because double-clicking the shell script file itself will launch Terminal).
There is still the problem of closing the firewall port after app A has quit. I could not find a way using launchd to intercept the Quit event to an app. I will keep looking.
Now, I get two problems. After running the command, when opening the System Preferences, the change doesn't show up in the Firewall in the GUI, plus the firewall tells me "You can't make changes to the Firewall since you have other Firewall software running."
Kind of weird. Some help, please?
Originally posted by lundy
tell application "System Preferences"
    set current pane to pane "com.apple.preferences.sharing"
end tell
This works fine
The script looks something like this:
do shell script "sudo ipfw delete {rule id}"
do shell script "sudo ipfw add {rule id} allow tcp from any to any dst-port {port number} in"
tell application "Finder"
    activate
    open application file "{Application name}" of folder "Applications" of startup disk
end tell
But since I have various applications, I thought of perhaps a better way. I could make an applescript that checks to see if certain applications are running, and based on if they're running or not, it adds/deletes the corresponding ipfw rules. So that whenever I run/quit any of these apps, I just run this applescript and the firewall gets properly configured.
So now I did something like this:
do shell script "sudo ipfw delete 02070"
tell application "System Events"
    set appsrunning to the name of every process
end tell
if "{Application name}" is in appsrunning then
    do shell script "sudo ipfw add 02070 allow tcp from any to any dst-port {port number} in"
end if
Now, the problem is that if the firewall rule doesn't exist, I get an error message at "sudo ipfw delete 02070".
I've seen ways before that through the terminal you can run an app, read the result, and run scripts based on the result. But I don't remember how exactly. Something like if (grep "sudo ipfw show 02070" != "No rule configured") { run "sudo ipfw delete 02070" } .
Anyone know the exact syntax?
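#!/bin/bash
# psapp NAME: succeeds if a process whose command line contains NAME is running
# (the second grep drops the "grep -i NAME" process itself from the match).
function psapp() {
    ps -ax | grep -i "$1" | grep -i -v -q "grep.-i.$1"
}
# addrule NAME RULEID PORT: remove the rule, then re-add it only if NAME is running.
function addrule () {
    sudo ipfw -q delete "$2"
    if psapp "$1"; then
        sudo ipfw -q add "$2" allow tcp from any to any dst-port "$3" in
        echo "***$1 port activated ($3)***"
    else
        echo "---$1 port deactivated ($3)---"
    fi
}
addrule "{Application name}" "{ruleid}" "{port number}"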
So far so good. The script checks for the application name, creates/deletes the corresponding rules, and outputs the results.
Now, I created an automator action that launches the application, and then calls the bash script "sudo configfw". Only problem is, automator won't let me authenticate the "sudo" command, so none of the commands are being executed. I don't even get an error message.
Is it even possible running a "sudo" bash script through automator or applescript?
Originally posted by r3dx0r
I found a hint at macosxhints.com which might help. It's an Automator action (using AppleScript) to start a postfix server via Terminal.app. Apparently you can authenticate sudo scripts if you don't mind having your admin password in cleartext in an AppleScript file.
Yes, that is the only way, without getting into actually calling into the authentication framework.
In an AppleScript, you would code
do shell script "xxxxxxxxxxxxxxx" user name "yyyyyy" password "zzzzzzz" with administrator privileges
do shell script "sudo /usr/local/bin/configfw" user name "admin" password "xxxxxx" with administrator privileges
Works like a charm, and it's now sitting in my Dock! Wonderful, thanks everyone!
Just try it out. Any problems, post back here.
1. Go to the Firewall in system preferences, and activate the firewall ports you want to activate dynamically
2. Go to the terminal, and type "sudo ipfw list". Take note of the ID numbers of the rules that concern these ports, it's the first column on the left.
3. Type "cd /usr/local/bin", followed by "sudo pico configfw"
4. Paste the following script:
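#!/bin/bash
# psapp NAME: succeeds if a process whose command line contains NAME is running
# (the second grep drops the "grep -i NAME" process itself from the match).
function psapp() {
    ps -ax | grep -i "$1" | grep -i -v -q "grep.-i.$1"
}
# addrule NAME RULEID PORT: remove the rule, then re-add it only if NAME is running.
function addrule () {
    sudo ipfw -q delete "$2"
    if psapp "$1"; then
        sudo ipfw -q add "$2" allow tcp from any to any dst-port "$3" in
        echo "***$1 port activated ($3)***"
    else
        echo "---$1 port deactivated ($3)---"
    fi
}
addrule "Applicationname" "ruleid" "portnumber"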
5. In the "addrule" line, substitute "Applicationname" with the name of the application, "ruleid" with the number of the rule you noted in step 2, "portnumber" with the corresponding port number(s).
6. Repeat adding the "addrule" line for each of the applications.
7. Type control-X, "Y", Enter.
8. Type "sudo chmod u+x configfw"
9. Open up Script Editor, paste the following code (adding the username and password of an admin user)
do shell script "sudo /usr/local/bin/configfw" user name "yourusername" password "xxxxxx" with administrator privileges
10. Save the script as an application, and put it where you want it.
Done! The ports will now be configured automatically for each of the applications that has an "addrule" line in "configfw" every time you run the applescript.
To confirm that it works, disable the ports in system preferences, then run one of the applications, run the applescript and do "sudo ipfw list" in the terminal. The rule for the application should show up in the ipfw configuration. To see the script in action, with output and all, just do "sudo configfw" in the Terminal.
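Added example (not part of the original thread and not the posters' code): a stricter take on the configfw script above. It matches the process name exactly instead of by substring, refuses rule IDs and port lists that are not plain numbers, and deletes the rule only when it exists; the `IPFW` variable, the function names, the use of `pgrep`, and the assumption that `ipfw list <id>` exits non-zero for a missing rule are this example's own.

```bash
#!/bin/bash
# Added example: hardened variant of the thread's configfw. Run it as root.
IPFW="${IPFW:-/sbin/ipfw}"   # assumption: path to ipfw; can be overridden

# Exact process-name match. The thread's "ps | grep NAME" also matches any
# command line that merely contains NAME (assumption: pgrep is installed).
app_running() {
    pgrep -x -- "$1" >/dev/null 2>&1
}

# Rule id: 1-5 digits only.
valid_rule() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ]
}

# Port list: digits separated by single "," or "-" (e.g. 6881-6889,51413).
valid_ports() {
    case "$1" in ''|*[!0-9,-]*|[,-]*|*[,-]|*[,-][,-]*) return 1 ;; esac
}

# Assumption: "ipfw list ID" exits non-zero when rule ID is not configured.
rule_exists() {
    "$IPFW" list "$1" >/dev/null 2>&1
}

# sync_rule APP RULEID PORTS: open PORTS while APP runs, close them otherwise.
sync_rule() {
    if ! valid_rule "$2" || ! valid_ports "$3"; then
        echo "configfw: refusing rule '$2' ports '$3'" >&2
        return 2
    fi
    if rule_exists "$2"; then
        "$IPFW" -q delete "$2" || return 1
    fi
    if app_running "$1"; then
        "$IPFW" -q add "$2" allow tcp from any to any dst-port "$3" in || return 1
        echo "*** $1 port activated ($3) ***"
    else
        echo "--- $1 port deactivated ($3) ---"
    fi
}

# One-off use: configfw "App name" RULEID PORTS. For several applications,
# replace this with one sync_rule line per application.
if [ "$#" -eq 3 ]; then
    sync_rule "$@"
fi
```

When a script like this is launched with `do shell script ... with administrator privileges` and no `user name`/`password` parameters, macOS shows its own authentication dialog, so the admin password does not have to be stored in the AppleScript file.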
Originally posted by Whyatt Thrash
Instructions:
1. Go to the Firewall in system preferences,
(...)
, just do "sudo configfw" in the Terminal.
Well, thank you, I am not sure about if there is a real need to perform all this on my box. I was just curious about, because I thought it would be a lot smarter, ...
best