Greetings,

Mauricio Tavares mailed off-list to suggest looking at:

> http://www.ibiblio.org/macsupport/ipfw/
> http://developer.apple.com/mac/library/documentation/Darwin/Reference/ManPages/man8/ipfw.8.html

I'm indebted to Mauricio, but the first (which as it happens I'd come across 
earlier) is primarily concerned with using the ipfw firewall to further restrict 
the ports which can access the machine, presuming that Web Sharing is enabled 
in the relevant System Preference.

It doesn't, however, describe the relationship between the (kernel level?) ipfw 
firewall and the (userland?) application firewall.  It appears that the 
application firewall is doing filtering beyond what the ipfw firewall is doing 
(hence the by-default open ipfw default rule).  That's what I'd like to 
understand, and configure.

----

Hmm: I looked further afield, and found a useful resource in 
<http://www.powerofmac.com/IT825-firewall.pdf>.  Towards the end of that 
there's a brief discussion of the role of the application firewall (AF), which 
indicates that this firewall works per application, paying no attention to 
ports (which is sort of what I'd picked up).  It also points to 
<http://developer.apple.com/documentation/Darwin/Reference/ManPages/man5/af.plist.5.html>, 
which indicates that command-line access to this is available only on OS X 
Server.

So it seems that in order for any web server to be permitted by the AF to 
accept connections, it has to be signed.  The page 
<http://support.apple.com/kb/ht1810> says:

> If you run an unsigned application not in the Application Firewall list, you 
> will be presented with a dialog with options to Allow or Deny connections for 
> the application. If you choose Allow, Mac OS X v10.6 will sign the 
> application and automatically add it to the Application Firewall list. If you 
> choose Deny, Mac OS X v10.6 will sign the application, automatically add it 
> to the Application Firewall list and deny the connection.

However this doesn't seem to be true.  I don't get any such dialogue when I 
start up the web server in question (it's using the Racket/PLT-Scheme web 
framework).  Am I missing something?

This does seem to be frustratingly under-documented.  It's very often the case 
that pages like <http://support.apple.com/kb/ht1810> give some overview account 
of a technology, and then give _no_ pointers to further information.  This is 
infuriating and timewasting.

Best wishes,

Norman


-- 
Norman Gray  :  http://nxg.me.uk

_______________________________________________
MacOSX-admin mailing list
[email protected]
http://www.omnigroup.com/mailman/listinfo/macosx-admin

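An added illustration, not part of Norman's message or of the pages he links, of the port-level ipfw layer he contrasts with the per-application firewall. ipfw ships with a single catch-all rule, which is the "open by default" state referred to above, so tightening it means loading a rule file of your own. The web-server port used here, 8080, is an assumption (the Racket server's port is not given in the thread); everything else is standard Darwin/FreeBSD ipfw syntax.

```text
# Built-in, unremovable default rule; with nothing loaded above it,
# ipfw passes every packet and filtering is left to the application firewall:
#     65535 allow ip from any to any

# Tightened rule set.  Load with:  sudo ipfw -q /path/to/rules.conf
# Numbers fix evaluation order; the first matching rule wins.

# loopback traffic, and drop anything pretending to be loopback
add 00100 allow ip from any to any via lo0
add 00200 deny ip from any to 127.0.0.0/8

# packets belonging to flows already recorded by keep-state
add 00300 check-state

# connections this host opens itself (TCP) and its own UDP queries (DNS, NTP)
add 00400 allow tcp from me to any out setup keep-state
add 00500 allow udp from me to any out keep-state

# ASSUMED web-server port: allow inbound connection setup and track the flow
add 00600 allow tcp from any to me 8080 in setup keep-state

# echo reply/request, destination unreachable, time exceeded
add 00700 allow icmp from any to any icmptypes 0,3,8,11

# everything else is refused and logged (sits just above the 65535 default)
add 65000 deny log ip from any to any
```

Check the result with `sudo ipfw list`; rules loaded this way do not survive a reboot unless something (a LaunchDaemon, for instance) reloads the file. Note that this only decides which packets reach the machine at all: the application firewall is a separate layer that still decides, per signed application, whether a process may accept the connections ipfw lets through, which is exactly the relationship the message asks about.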