Recently I changed my custom IPFW firewall settings on my laptop, making them specific for home and work networks, switching between wireless and ethernet. The problem was I needed to figure out how to reload the firewall script whenever the state of the network changed.
It turns out that Darwin has a special way to handle this. It uses a daemon called configd to monitor the state of the various services running. configd uses XML files located in /System/Library/SystemConfiguration/ to manage its configuration.
The file that we are looking for is Kicker.xml located in the /System/Library/SystemConfiguration/Kicker.bundle/Contents/Resources/ directory. This file has several dictionary entries that control what happens when configd encounters various state changes.
The entry seems to consist of a command key, a privilege key, a state key and a name key:
<dict>
<key>execCommand</key>
<string>/etc/rc.firewall</string>
<key>execUID</key>
<integer>0</integer>
<key>keys</key>
<array>
<string>State:/Network/Global/IPv4</string>
</array>
<key>name</key>
<string>restart-firewall</string>
</dict>
So basically execCommand tells it to execute /etc/rc.firewall (the firewall script) with an execUID of 0 (root) whenever the state of IPv4 networking changes. So now whenever I change my Location under System Preferences it will automatically load the appropriate firewall setting for the active interface.
HUPing configd didn’t reload the configuration, I had to restart the box to get the changes to take effect. If you are going to mess with these files always make a backup, and there is no guarantee the a system update won’t overwrite these files. I wasn’t able to find documentation on this other than man configd. It was mostly poking around and some googling, so take it for what it is worth. I just figured it might be useful to someone out there.
[…] go with the fancy new trick mentioned in the previous post, I thought you might like to have a basic IPFW firewall to get yourself going. As always I […]
[…] With Lingon In a previous post I showed how to write some custom firewall rules, and use a hack to get it to load automatically. With Leopard the hack to load it […]