Firewall OS 10.14. script to switch on/off the firewall and adjust settings

Joined
Jan 23, 2016
Messages
9
Reaction score
0
Points
1
Today I realised that my firewall wasn't running and that was quite a shock to me, I knew I turned it on at some point but didn't think of it any more.

Check the System Preferences.app and make sure yours is on:

Firewall Settings.jpg

Additionally I switched on "Block all incoming connections" in the FW options (when unlocking the padlock the options settings become available).

I was so shocked that I wrote a script to run at login to make sure the settings are always the way I want them, even if an update changes settings without my consent.

Code:
#!/bin/bash

# ++++++++++++++++++++++++++++++++++++++
# +  Turn firewall on at system start  +
# ++++++++++++++++++++++++++++++++++++++


# Stop Firewall First
/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off

# Switch on Deny Incoming Traffic
/usr/libexec/ApplicationFirewall/socketfilterfw --setblockall on

# read -p "Press enter to continue"

# Switch on StealthMode
/usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on

# Start Firewall again
/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on

# read -p "Press enter to continue"

# killall Terminal

# ++++++++ ALTERNATIVE TO KILLALL TERMINAL (AS ABOVE) ++++
# +++++ closing the terminal window within the script ++++
# ++ the following is to close the script:
# ++ for more information see this site: 
# ++ https://stackoverflow.com/questions/8798641/close-terminal-window-from-within-shell-script-unix
# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++

osascript -e 'tell application "Terminal" to close (every window whose name contains ".command")' &
exit

It is not the nicest script but it should work. If you remove the (hash) before the
Code:
read -p...
the script stops and you can see what happens or whether errors occur.

And that is exactly the problem I have. If I run the script, everything works fine (at least according to the terminal). BUT when I check the settings in the System Preferences.app (as above) I don't see changes there. Even if I reboot the system it seems the settings from Blocking all content does not work via script.

Do you have any suggestions or fixes?
Is your firewall switched off or on and did you know it?
Please comment below I am really curious what you think about a default setting which seems to switch off the Firewall!

WARNING When you switch all the options to "Block all..." your iPhone might not be able to share and send info to your Laptop (e.g. Airdrop).

Thanks much,
Uwe

PS: I am using a MacBook Pro with macOS 10.14...
 

Raz0rEdge

Well-known member
Staff member
Moderator
Joined
Jul 17, 2009
Messages
15,762
Reaction score
2,100
Points
113
Location
MA
Your Mac's Specs
2022 Mac Studio M1 Max, 2023 M2 MBA
You don't need to turn the firewall on your MBP on. Your router already has a hardware firewall that is protecting you. So this extra layer "protection" doesn't really serve any purpose.
 
Joined
Nov 28, 2007
Messages
25,564
Reaction score
486
Points
83
Location
Blue Mountains NSW Australia
Your Mac's Specs
Silver M1 iMac 512/16/8/8 macOS 11.6
And Apple's default is 'off'.
 
OP
U
Joined
Jan 23, 2016
Messages
9
Reaction score
0
Points
1
Thanks the two of you for your reply!!! That starts a great conversation!
In regards to
And Apple's default is 'off'.
- I noticed that the default is off -- That is my major concern!! That is why I need to find a solution to make sure it will be on always!

Especially because of the reply from Mr. Raz0rEdge:
You don't need to turn the firewall on your MBP on.
- how can you assume I don't need, and how can you assume I have a router with HW firewall? I am one of those people who travel about 8 months of the year and I connect to several different WiFi routers in cafes, coworking places, hotels and what not. I not only need a state of the art firewall but additionally work with VPN to protect me even more! That is why I am concerned about it a lot! And if in your case you use it in the same places, it might not make a huge difference but assuming that everyone uses it the same way might not be of much help, I am afraid to say so.

Anyhow, I am curious what other people think and hopefully protect yourself from connecting to the internet without firewall.
Best regards,
Uwe
 

IWT


Joined
Jan 23, 2009
Messages
10,272
Reaction score
2,216
Points
113
Location
Born Scotland. Worked all over UK. Live in Wales
Your Mac's Specs
M2 Max Studio Extra, 32GB memory, 4TB, Sonoma 14.4.1 Apple 5K Retina Studio Monitor
@Uwe

If you are looking for what you might consider the most comprehensive Firewall protection, you may wish to go into System Preferences > Privacy > Firewall > Firewall Options and Enable "Stealth Mode". What that does is explained underneath that option.

To be clear, I am not for or against Firewall per se, nor advising you what to do; but merely drawing your attention to an additional facility that is often overlooked.

Ian
 

Raz0rEdge

Well-known member
Staff member
Moderator
Joined
Jul 17, 2009
Messages
15,762
Reaction score
2,100
Points
113
Location
MA
Your Mac's Specs
2022 Mac Studio M1 Max, 2023 M2 MBA
Every router has a firewall, whether it's yours or a shared one. So again, the firewall on your machine is largely useless. If you are connecting to other people's WiFi (something you failed to mention in your first post and alas my crystal ball is out of commission right now), then we would have suggested going down the VPN route to secure your transactions which provide more value than the firewall.
 
OP
U
Joined
Jan 23, 2016
Messages
9
Reaction score
0
Points
1
Thanks again for your input!
In regards to
... Enable "Stealth Mode" ...
- yes I know, that is great you mention that and the script above does include switching this option "on".

and in regards to
Every router has a firewall...
- well, they might have or have not, however, if I use a WiFi in a cafe I might have no influence whether the firewall in the router is switched on or not... that means I have no control over that. Though what I have control over is my internal SW firewall on my machine, at least that was what I was thinking...

Nevertheless, we are missing the point here. MY QUESTION was, and still is: HOW CAN I MAKE SURE my firewall is switched on and not suddenly off after I update my machine (or whatever caused my laptop to switch off the FW without my consent in the first place)?

I want to learn about solutions that switch the FW in my machine on and make sure that it is always on - the script is a solution I came up with but there are much better solutions which I don't know of. Can YOU advise me what to do in order to assure my FW is running and how to do so?

Thanks,
Uwe
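
One way to check for this kind of drift, as an added example that is not part of the thread: read each setting back with the tool's getter flags instead of trusting that the set commands took effect. The absolute path is the one from the script in the first post; the output wordings matched in `classify` are assumptions that differ between macOS versions, and changing settings (as opposed to reading them) is assumed to require root.

```shell
#!/bin/bash
# Added example: audit the macOS application firewall by reading its state.
# SOCKETFILTERFW can be overridden, e.g. to test against a stub.
SOCKETFILTERFW="${SOCKETFILTERFW:-/usr/libexec/ApplicationFirewall/socketfilterfw}"

# Classify one piece of tool output as "on", "off" or "unknown".
# Assumption: wording such as "Firewall is enabled. (State = 1)" or
# "Block all DISABLED!"; anything unrecognised is reported, never guessed.
classify() {
    local text
    text=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$text" in
        *disabled*|*"is off"*) echo off ;;
        *enabled*|*"is on"*)   echo on ;;
        *)                     echo unknown ;;
    esac
}

# Query one getter flag and print "<flag> <state>".
check() {
    local out
    out=$("$SOCKETFILTERFW" "$1" 2>&1) || { echo "$1 error"; return; }
    echo "$1 $(classify "$out")"
}

# Print every setting that is not confirmed "on"; return 1 if any drifted.
audit_firewall() {
    local drift=0 flag line
    for flag in --getglobalstate --getblockall --getstealthmode; do
        line=$(check "$flag")
        case "$line" in
            *" on") ;;                              # confirmed on
            *) echo "DRIFT: $line"; drift=1 ;;      # off, unknown or error
        esac
    done
    return "$drift"
}

# Stand-alone use: "./fw_audit.sh audit" (file name is hypothetical).
# A non-zero exit status means at least one setting needs attention.
if [ "${1:-}" = "audit" ]; then audit_firewall; fi
```

Because the audit only reads state, it can run as the logged-in user; re-applying the settings from the first post's script is a separate step that would need `sudo`.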
 
Joined
Jan 1, 2009
Messages
15,494
Reaction score
3,853
Points
113
Location
Winchester, VA
Your Mac's Specs
MBP 16" 2023 (M3 Pro), iPhone 15 Pro, plus ATVs, AWatch, MacMinis (multiple)
Can YOU advise me what to do in order to assure my FW is running and how to do so?
Check it manually? Given how vital you think it may be, that would seem to be a minor task. You could put something in the boot up to remind you to check the firewall. However, most boots don't touch the firewall, so that would pester you to do something you shouldn't have to do. But, again, if it's that important to you, it's a minimal task.
 
Joined
Oct 16, 2010
Messages
17,526
Reaction score
1,560
Points
113
Location
Brentwood Bay, BC, Canada
Your Mac's Specs
2011 27" iMac, 1TB(partitioned) SSD, 20GB, OS X 10.11.6 El Capitan
OP
U
Joined
Jan 23, 2016
Messages
9
Reaction score
0
Points
1
Thanks for all your replies!!! @Jake, doing things manually is the opposite of what I want to do... but thanks...

in regards to

The script shows up but shows that my FW is not working... well that seems not to work for me - but great idea!

and in respect to:

That is a great resource!!! I love it! But I get the following reply when trying to run ./socketfilterfw -l | grep TRUSTEDAPPS
Code:
-bash: ./socketfilterfw: No such file or directory

See the screenshot:
Screenshot 2019-10-17 at 10.22.39.jpg

That was a great help Patrick - if you are not tired of this topic, I'd like to get your opinion why this command does not work for me:
Code:
./socketfilterfw -l | grep TRUSTEDAPPS

Thanks,
Uwe
 
Joined
Oct 16, 2010
Messages
17,526
Reaction score
1,560
Points
113
Location
Brentwood Bay, BC, Canada
Your Mac's Specs
2011 27" iMac, 1TB(partitioned) SSD, 20GB, OS X 10.11.6 El Capitan
@Uwe
That was a great help Patrick - if you are not tired of this topic, I'd like to get your opinion why this command does not work for me:


Sorry Uwe, but scripting and especially troubleshooting, it is well beyond my Mac capabilities.


- Patrick
======
 
H

honestone33

Guest
Every router has a firewall, whether it's yours or a shared one. So again, the firewall on your machine is largely useless. If you are connecting to other people's WiFi (something you failed to mention in your first post and alas my crystal ball is out of commission right now), then we would have suggested going down the VPN route to secure your transactions which provide more value than the firewall.

What a narrow minded reply! The gentleman is asking for advice, not criticism.
 
H

honestone33

Guest
@Uwe



Sorry Uwe, but scripting and especially troubleshooting, it is well beyond my Mac capabilities.


- Patrick
======

Glad I am nowhere as clueless as you, Patrick. While I know little about scripting, I can do a good amount of troubleshooting for some other issues.
 
