Recently I changed my custom IPFW firewall settings on my laptop, making them specific for home and work networks, switching between wireless and ethernet. The problem was I needed to figure out how to reload the firewall script whenever the state of the network changed.
It turns out that Darwin has a special way to handle this. It uses a daemon called configd to monitor the state of the various services running. configd uses XML files located in /System/Library/SystemConfiguration/ to manage its configuration.
The file that we are looking for is Kicker.xml located in the /System/Library/SystemConfiguration/Kicker.bundle/Contents/Resources/ directory. This file has several dictionary entries that control what happens when configd encounters various state changes.
The entry seems to consist of a command key, a privilege key, a state key and a name key:
<dict>
    <key>execCommand</key>
    <string>/etc/rc.firewall</string>
    <key>execUID</key>
    <integer>0</integer>
    <key>keys</key>
    <array>
        <string>State:/Network/Global/IPv4</string>
    </array>
    <key>name</key>
    <string>restart-firewall</string>
</dict>
So basically execCommand tells it to execute /etc/rc.firewall (the firewall script) with an execUID of 0 (root) whenever the state of IPv4 networking changes. So now whenever I change my Location under System Preferences it will automatically load the appropriate firewall setting for the active interface.
HUPing configd didn’t reload the configuration; I had to restart the box to get the changes to take effect. If you are going to mess with these files always make a backup, and there is no guarantee that a system update won’t overwrite these files. I wasn’t able to find documentation on this other than man configd. It was mostly poking around and some googling, so take it for what it is worth. I just figured it might be useful to someone out there.
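Since every entry like the one above runs its execCommand as root on each network state change, the file it points at needs to be root-owned and not writable by anyone else. The following is an added checker, not part of the original post: it parses a constructed plist shaped like the entry above (the top-level array wrapper, the /tmp path and the entry names are assumptions) and reports entries with execUID 0 whose command file is missing, not owned by root, or group/world-writable.

```python
import os
import plistlib
import stat

# Constructed sample shaped like the Kicker.xml entry discussed above; the
# top-level array wrapper and the /tmp path are assumptions, not the real file.
SAMPLE_KICKER = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><array>
<dict><key>execCommand</key><string>/etc/rc.firewall</string>
<key>execUID</key><integer>0</integer>
<key>keys</key><array><string>State:/Network/Global/IPv4</string></array>
<key>name</key><string>restart-firewall</string></dict>
<dict><key>execCommand</key><string>/tmp/example-hook.sh</string>
<key>execUID</key><integer>0</integer>
<key>keys</key><array><string>State:/Network/Global/IPv6</string></array>
<key>name</key><string>example-hook</string></dict>
</array></plist>"""


def find_exec_entries(node):
    """Yield every dict carrying an execCommand key, wherever it sits in the plist."""
    if isinstance(node, dict):
        if "execCommand" in node:
            yield node
        node = list(node.values())
    if isinstance(node, list):
        for item in node:
            yield from find_exec_entries(item)


def problems_for(uid, mode):
    # A file configd runs as root must be root-owned and writable by nobody else,
    # or another local user could change what runs as UID 0 on the next state change.
    issues = []
    if uid != 0:
        issues.append("not owned by root")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        issues.append("group- or world-writable")
    return issues


def audit_kicker(plist_bytes):
    """Problems per entry that runs as UID 0; ['missing'] when the file is absent."""
    report = {}
    for entry in find_exec_entries(plistlib.loads(plist_bytes)):
        if entry.get("execUID") != 0:
            continue
        path = entry["execCommand"]
        try:
            st = os.stat(path)
            report[entry.get("name", path)] = problems_for(st.st_uid, st.st_mode)
        except FileNotFoundError:
            report[entry.get("name", path)] = ["missing"]
    return report
```

Point audit_kicker at the bytes of the real Kicker.xml to check every root-run hook on a box, including the one added for /etc/rc.firewall.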