Automatically Load OS X Firewall Settings When Your Location Changes

Recently I changed my custom IPFW firewall settings on my laptop, making them specific for home and work networks, switching between wireless and ethernet. The problem was I needed to figure out how to reload the firewall script whenever the state of the network changed.

It turns out that Darwin has a special way to handle this. It uses a daemon called configd to monitor the state of the various services running. configd uses XML files located in /System/Library/SystemConfiguration/ to manage its configuration.

The file that we are looking for is Kicker.xml located in the /System/Library/SystemConfiguration/Kicker.bundle/Contents/Resources/ directory. This file has several dictionary entries that control what happens when configd encounters various state changes.

The entry seems to consist of a command key, a privilege key, a state key and a name key:

     <dict>
              <key>execCommand</key>
              <string>/etc/rc.firewall</string>
              <key>execUID</key>
              <integer>0</integer>
              <key>keys</key>
              <array>
                      <string>State:/Network/Global/IPv4</string>
              </array>
              <key>name</key>
              <string>restart-firewall</string>
      </dict>

So basically execCommand tells it to execute /etc/rc.firewall (the firewall script) with an execUID of 0 (root) whenever the state of IPv4 networking changes. So now whenever I change my Location under System Preferences it will automatically load the appropriate firewall setting for the active interface.

HUPing configd didn’t reload the configuration, I had to restart the box to get the changes to take effect. If you are going to mess with these files always make a backup, and there is no guarantee the a system update won’t overwrite these files. I wasn’t able to find documentation on this other than man configd. It was mostly poking around and some googling, so take it for what it is worth. I just figured it might be useful to someone out there.

Advertisements

This entry was posted on Monday, March 26th, 2007 at 2:27 pm and is filed under apple, firewalls, hints, OS X, Tech. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

2 Responses to Automatically Load OS X Firewall Settings When Your Location Changes

  1. Stateful OS X firewall « The Scrutinizer says:
    Monday, March 26, 2007 at 2:48 pm

    […] go with the fancy new trick mentioned in the previous post, I thought you might like to have a basic IPFW firewall to get yourself going. As always I […]

    Reply
  2. Tweak Your Launchd With Lingon « The Scrutinizer says:
    Thursday, July 31, 2008 at 10:11 am

    […] With Lingon In a previous post I showed how to write some custom firewall rules, and use a hack to get it to load automatically. With Leopard the hack to load it […]

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

%d bloggers like this: