panther firewall

[fxt]

when i open the firewall tab in the sharing pane of system preferences, it informs me that i have "other firewall software running". i most certainly do not have any such software running. all the items in the firewall tab become greyed out, and i cannot add/delete/modify anything. the ports that i had explictly opened/closed under jaguar are still open/closed in panther.

if it matters, i did an upgrade install of panther instead of an archive or a clean install.

would other people, particularily those who did an upgrade install, check that they can modify their
apple supplied firewall and report back?

thanks.

fxt

[cminchom]

See my post of October 25th on the same subject.
It is likely there is an item apparently in conflict in Library/Startupitems.
In my case there was and it was easy to fix.

[hayne]

I believe that the message about having other firewall software running is a bit misleading.
This problem existed in Jaguar too. If you had configured the builtin ipfw firewall using some other interface than the Firewall Preference pane, that preference pane would give that message.

Had you configured a firewall using something (even the command-line ipfw) other than the Frewall preference pane?

[fxt]

thanks for the help.

i've never used anything but the firewall gui in jaguar to set the properties of the firewall, no norton nor any ipfw.

i'm considering using ipfw, though, if that would alleviate the problem. something like, itunes port off followed by itunes part on.

what do you think?

fxt

[fxt]

perhaps this is the problem. i see a checked
"Itunes Sharing (3689)" that is greyed out. i opened this port in jaguar. after the panther upgrade install i now see an unchecked "ITunes Music Sharing (3689). this must be something panther added. perhaps the problem is the duplicate port entries. how exactly would i use ipfw to remove one of them?

fxt

[yellow]

First off, see what rules ipfw is using.. ipfw is always running BTW. It's default ruleset is to allow any to any, the GUI that Apple threw in Jaguar was just a frontend for ipfw. So, to see what rules are currently in place, hit the command line, do:
sudo ipfw show

[fxt]

ok, i'm back from taking my daughter to the aquarium, and i'm reading the ipfw man page now.

although i'm completely comfortable controlling the firewall from the comand line, it would be nice to get the default apple gui functioning

% sudo ipfw show
Password:
02000 109085 9066147 allow ip from any to any via lo*
02010 0 0 deny ip from 127.0.0.0/8 to any in
02020 0 0 deny ip from any to 127.0.0.0/8 in
02030 0 0 deny ip from 224.0.0.0/3 to any in
02040 0 0 deny tcp from any to 224.0.0.0/3 in
02050 24145 2282497 allow tcp from any to any out
02060 28938 23436006 allow tcp from any to any established
02070 0 0 allow tcp from any to any 3689 in
02080 0 0 allow tcp from any to any 548 in
02090 0 0 allow tcp from any to any 427 in
02100 0 0 allow tcp from any to any 22 in
02110 394 20132 allow tcp from any to any 6346 in
02120 0 0 allow tcp from any to any 631 in
02130 0 0 allow tcp from any to any 515 in
12190 2854 139964 deny tcp from any to any
65535 10111 1065912 allow ip from any to any

[yellow]

That looks to me like the GUI config of old still running. So try this:

sudo ipfw flush

Then hit your GUI control and see if it'll start up.

Personally I prefer ipfw at the CLI because I can specify important things like log(!) and addresses(!).

[fxt]

perfect. thank you very much yellow.

% sudo ipfw flush
Password:
Are you sure? [yn] y

Flushed all rules.


the gui now works!


and now we have:

% sudo ipfw show
02000 8 992 allow ip from any to any via lo*
02010 0 0 deny ip from 127.0.0.0/8 to any in
02020 0 0 deny ip from any to 127.0.0.0/8 in
02030 0 0 deny ip from 224.0.0.0/3 to any in
02040 0 0 deny tcp from any to 224.0.0.0/3 in
02050 0 0 allow tcp from any to any out
02060 0 0 allow tcp from any to any established
02070 0 0 allow tcp from any to any 548 in
02080 0 0 allow tcp from any to any 427 in
02090 0 0 allow tcp from any to any 22 in
02100 0 0 allow tcp from any to any 6346 in
02110 0 0 allow tcp from any to any 631 in
02120 0 0 allow tcp from any to any 515 in
02130 0 0 allow tcp from any to any 3689 in
12190 0 0 deny tcp from any to any
65535 11195 1173138 allow ip from any to any

[yellow]

Make sure by rebooting and checking the GUI again. I seem to remember this happening to someone on here and it reverted back to what they had before.

[fxt]

the functionality of the gui survived a reboot.
excellent. thanks again yellow.

having digested some small fraction of the ipfw man page, i can see why controlling the firewall via the command line is preferable for some advanced/enhanced functionality. i may play ...

fxt

[yellow]

This is a pretty helpful link:
http://www3.sympatico.ca/dccote/firewall.html

[fxt]

i ran a small experiment on a few other machines. if i do an "upgrade install" and the firewall is on under jaguar, then under panther i generate the "other software" error message and the gui firewall is grayed out. yellow's solution then applies. if i turn the firewall off in jaguar before doing the upgrade install, then the firewall gui in panther works correctly.

fxt

[mclbruce]

Quote: Originally posted by fxt i ran a small experiment on a few other machines. if i do an "upgrade install" and the firewall is on under jaguar, then under panther i generate the "other software" error message and the gui firewall is grayed out. yellow's solution then applies. if i turn the firewall off in jaguar before doing the upgrade install, then the firewall gui in panther works correctly. fxt

Thank you fxt, that is really good to know. I appreciate you contributing it here.

[fxt]

your mileage might vary, but that's what i got on four 10.2.8 machines (dual g4, cube, powerbook, emac). two had the firewall left on, the other two had it turned off.

fxt