[OpenAFS] Mac OS X 10.6.x: Appropriate Firewall Settings for OpenAFS Client

Sergio Gelato Sergio.Gelato@astro.su.se
Mon, 25 Jul 2011 11:13:08 +0200


* Derrick Brashear [2011-07-21 19:43:43 -0400]:
> On Thu, Jul 21, 2011 at 5:32 PM, Derrick Brashear <shadow@gmail.com> wrote:
> > On Thu, Jul 21, 2011 at 5:31 PM, Sergio Gelato
> > <Sergio.Gelato@astro.su.se> wrote:
> >> * Derrick Brashear [2011-07-21 09:55:51 -0400]:
> >>> On Thu, Jul 21, 2011 at 9:43 AM, Sergio Gelato
> >>> <Sergio.Gelato@astro.su.se> wrote:
> >>> > Has anyone succeeded in making OpenAFS work with the Application Firewall
> >>> > in Mac OS X? I've just tried with OpenAFS 1.6.0pre7 on a 10.6.8 system,
> >>> > adding /usr/sbin/afsd to the list of applications allowed to accept incoming
> >>> > connections, and I still can't connect to 7001/udp with rxdebug. The only way
> >>> > I was able to get a response on that port was by turning off the application
> >>> > firewall entirely.
> >>
> >>> after "automatically allow signed..." (in Advanced) was enabled, it
> >>> "just works" for me, and i have appfw on at all times.
> >>
> >> Thank you for your answer. It still doesn't work for me, even after
> >> enabling "automatically allow signed...". I must be missing something.
> >> What certificate authority are the OpenAFS builds signed with? Do I
> >> need to fiddle with certificate trust settings?
> >
> > ad-hoc, at install time.
> >
> > you can redo:
> > sudo codesign -s - /usr/sbin/afsd
> 
> actually, you also need -f
> e.g.
> sudo codesign -f -s - /usr/sbin/afsd
> 
> you might try this and see what happens.

I've tried this. Still no joy, i.e. no response to
	rxdebug -version <my-ip-address> 7001
while Application Firewall is running. (I've also seen direct evidence
that the firewall gets in the way of callbacks.)

I've even tried to sign afs.kext, just in case my hunch about port 7001
belonging to the kernel extension rather than to afsd is relevant. Didn't
help.

My reading of Apple's own documentation (cf.
http://developer.apple.com/library/mac/documentation/Security/Conceptual/CodeSigningGuide/AboutCS/AboutCS.html#//apple_ref/doc/uid/TP40005929-CH3-SW5
) is that the Application Firewall will take the identity of the signer into
account and that self-signed certificates, at least, won't work unless they've
explicitly been configured as trusted for code signing. (Ad hoc signatures
aren't really mentioned in that document.)

There are a few more experiments I can think of, but I'm not sure they are
worth my time right now.

> >
> >> This is a fresh installation of Snow Leopard, by the way: zeroed out the
> >> hard disk, installed from DVD, added Rosetta and Xcode from said DVD,
> >> ran softwareupdate, installed OpenAFS 1.6.0pre7; nothing else.
> > --
> > Derrick
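A small diagnostic for the symptom discussed in this thread (afsd ad-hoc signed, Application Firewall on, no answer on 7001/udp), added here as an example and not part of the OpenAFS project or of anyone's post. It assumes the macOS paths /usr/bin/codesign and /usr/libexec/ApplicationFirewall/socketfilterfw; the two parsers also run on constructed transcripts so the logic can be checked off a Mac.

```shell
#!/bin/sh
# Added diagnostic for the report in this thread. Not OpenAFS code. Assumes
# the macOS tool paths below; the parsers also accept constructed transcripts.
AFSD=${AFSD:-/usr/sbin/afsd}
FW=/usr/libexec/ApplicationFirewall/socketfilterfw

# Classify `codesign -dv` output (stdin). The OpenAFS installer leaves afsd
# with an ad-hoc signature, which prints Signature=adhoc and no Authority= line.
classify_signature() {
    out=$(cat)
    case "$out" in
        *"not signed at all"*) echo unsigned ;;
        *"Signature=adhoc"*)   echo adhoc ;;
        *Authority=*)          echo signed ;;
        *)                     echo unsigned ;;
    esac
}

# Given `socketfilterfw --listapps` output (stdin), print allow/block/absent
# for the executable path given as $1.
fw_allows() {
    awk -v app="$1" '
        index($0, app)            { found = 1; next }
        found && /Allow incoming/ { verdict = "allow"; exit }
        found && /Block incoming/ { verdict = "block"; exit }
        END { print (verdict == "" ? "absent" : verdict) }'
}

# Constructed transcripts (not captured from a real host) so the parsers can
# be exercised anywhere; yields "adhoc allow" for this sample.
demo() {
    sig=$(printf 'Executable=/usr/sbin/afsd\nSignature=adhoc\n' | classify_signature)
    fw=$(printf '1 :  /usr/sbin/afsd\n\t ( Allow incoming connections )\n' | fw_allows /usr/sbin/afsd)
    echo "$sig $fw"
}

# Live check on a Mac: firewall state, afsd signature, firewall entry, then the
# same rxdebug probe used in the thread; a timeout with the firewall on
# reproduces the reported symptom.
check_afsd() {
    [ -x "$FW" ] || { echo "$FW not found; not macOS?" >&2; return 2; }
    "$FW" --getglobalstate
    echo "afsd signature: $(codesign -dv "$AFSD" 2>&1 | classify_signature)"
    echo "firewall entry: $("$FW" --listapps | fw_allows "$AFSD")"
    rxdebug -version 127.0.0.1 7001
}

case "${1:-}" in run) check_afsd ;; esac
```

Run it as `sh afsd-fwcheck.sh run` on the Mac; with no argument it only defines the functions.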