Problems with Murus install/config -- status never green

Murus
keng
Posts: 2
Joined: Mon Oct 30, 2017 8:51 pm


Post by keng » Tue Oct 31, 2017 10:39 pm

Greetings!

Yesterday I installed Murus Lite on my Sierra 10.12.6 system. There were no error messages during install or even when I configured things, but I couldn't get the status light to turn green (PF is running a Murus configuration); it always stays yellow. Even the Murus Menulet showed the configuration wasn't being loaded (it just had the "?").

Here's what I did:

Installed Murus and ran it.

Chose Start Murus Lite and Agreed to license, then Start Here

Chose Novice for simplicity, and used Predefined Firewall Configuration Presets

Set the slider to level 5, All Services Blocked -- Activated selected Murus preset and start PF

Clicked "Activate Firewall" when asked "Activate PF firewall using selected preset?"

Two windows pop up, one says Murus preset activated, the other asks about Installing Murus Boot Scripts. I clicked OK on the first and also Installed Murus Boot Scripts.

No other popups happen, I can see the Managed Inbound Services, FTP, SSH, Telnet, Web, Basic Services, SMB, AFP, Port_21169 -- all have Everyone in Blocked Groups. The Configuration screen is populated with good looking PF lines.

BUT

The PF status light is yellow, "PF network firewall is enabled using OS X default configuration..."

I can then SSH into the system from outside our network.

When I test current Murus configuration, it tests VALID.

I hit the play button to enable the PF firewall or reload the rules: no change, still the yellow status light, and I even get a notification that PF is running.

I tried rebooting and 5 reinstalls with different and more complex configurations, nothing worked. Always getting the yellow status.

At the console, this is what I get for a pfctl command and ifconfig (some sanitation was done to addresses):

$ sudo pfctl -sa
Password:
No ALTQ support in kernel
ALTQ related functions disabled
TRANSLATION RULES:
nat-anchor "com.apple/*" all
rdr-anchor "com.apple/*" all

FILTER RULES:
scrub-anchor "com.apple/*" all fragment reassemble
anchor "com.apple/*" all

DUMMYNET RULES:
dummynet-anchor "com.apple/*" all

INFO:
Status: Enabled for 0 days 00:06:35 Debug: Urgent

State Table Total Rate
current entries 0
searches 203673 515.6/s
inserts 0 0.0/s
removals 0 0.0/s
Counters
match 117909 298.5/s
bad-offset 0 0.0/s
fragment 0 0.0/s
short 0 0.0/s
normalize 0 0.0/s
memory 0 0.0/s
bad-timestamp 0 0.0/s
congestion 0 0.0/s
ip-option 42 0.1/s
proto-cksum 0 0.0/s
state-mismatch 0 0.0/s
state-insert 0 0.0/s
state-limit 0 0.0/s
src-limit 0 0.0/s
synproxy 0 0.0/s
dummynet 0 0.0/s

TIMEOUTS:
tcp.first 120s
tcp.opening 30s
tcp.established 86400s
tcp.closing 900s
tcp.finwait 45s
tcp.closed 90s
tcp.tsdiff 30s
udp.first 60s
udp.single 30s
udp.multiple 60s
icmp.first 20s
icmp.error 10s
grev1.first 120s
grev1.initiating 30s
grev1.estblished 1800s
esp.first 120s
esp.estblished 900s
other.first 60s
other.single 30s
other.multiple 60s
frag 30s
interval 10s
adaptive.start 6000 states
adaptive.end 12000 states
src.track 0s

LIMITS:
states hard limit 10000
app-states hard limit 10000
src-nodes hard limit 10000
frags hard limit 5000
tables hard limit 1000
table-entries hard limit 200000

TABLES:
_threats

OS FINGERPRINTS:
696 fingerprints loaded

more possible clues:

$ ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
options=1203<RXCSUM,TXCSUM,TXSTATUS,SW_TIMESTAMP>
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 xxxx::1%lo0 prefixlen 64 scopeid 0x1
nd6 options=201<PERFORMNUD,DAD>
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=10b<RXCSUM,TXCSUM,VLAN_HWTAGGING,AV>
ether xx:60:t6:16:6c:z3
inet6 fe80::xxb:ac34:9798:92f6%en0 prefixlen 64 secured scopeid 0x4
inet xxx.xxx.xxx.xxx netmask 0xffffff00 broadcast xxx.xxx.xxx.xxx
nd6 options=201<PERFORMNUD,DAD>
media: autoselect (1000baseT <full-duplex,flow-control,energy-efficient-ethernet>)
status: active
en1: flags=8823<UP,BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1500
ether 2t:ft:70:c4:1d:c4
nd6 options=201<PERFORMNUD,DAD>
media: autoselect (<unknown type>)
status: inactive
en2: flags=963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX> mtu 1500
options=60<TSO4,TSO6>
ether 1a:x11:z2:a7:7g:f0
media: autoselect <full-duplex>
status: inactive
en3: flags=963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX> mtu 1500
options=60<TSO4,TSO6>
ether 1c:xx:02:a7:8g:11
media: autoselect <full-duplex>
status: inactive
bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=63<RXCSUM,TXCSUM,TSO4,TSO6>
ether 1c:00:12:a3:7t:fx
Configuration:
id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
ipfilter disabled flags 0x2
member: en2 flags=3<LEARNING,DISCOVER>
ifmaxaddr 0 port 6 priority 0 path cost 0
member: en3 flags=3<LEARNING,DISCOVER>
ifmaxaddr 0 port 7 priority 0 path cost 0
nd6 options=201<PERFORMNUD,DAD>
media: <unknown type>
status: inactive
p2p0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 2304
ether 0x:f1:x8:t9:6c:c4
media: autoselect
status: inactive
awdl0: flags=8902<BROADCAST,PROMISC,SIMPLEX,MULTICAST> mtu 1484
ether 2d:ft:e4:cc:11:v0
nd6 options=201<PERFORMNUD,DAD>
media: autoselect
status: inactive
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
inet6 xxx.xxx.xxx.xxx%utun0 prefixlen 64 scopeid 0xb
nd6 options=201<PERFORMNUD,DAD>
pflog0: flags=41<UP,RUNNING> mtu 33080
gpd0: flags=8862<BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1400
ether c2:5c:t3:0x:c1:t1

Other stuff that might help:

$ ls -l murus*
-rwxr-xr-x@ 1 root wheel 1785 Jun 22 13:36 murus.sh
-rwxr-xr--@ 1 root wheel 1345 Oct 30 14:52 murus.updatethreats.sh

murus:
total 56
-rw-r--r--@ 1 root wheel 31 Oct 31 15:21 murus.blacklist
-rw-r--r--@ 1 root wheel 27 Oct 31 15:21 murus.bw
-rw-r--r--@ 1 root wheel 2122 Oct 31 15:21 murus.conf
-rw-r--r--@ 1 root wheel 0 Oct 31 15:21 murus.custom
-rw-r--r--@ 1 root wheel 0 Oct 31 15:21 murus.dummynet
-rw-r--r--@ 1 root wheel 531 Oct 31 15:21 murus.inbound
-rw-r--r--@ 1 root wheel 0 Oct 31 15:21 murus.inspector
-rw-r--r--@ 1 root wheel 2824 Oct 31 15:21 murus.knocking
-rw-r--r--@ 1 root wheel 0 Oct 31 15:21 murus.nat
-rw-r--r--@ 1 root wheel 0 Oct 31 15:21 murus.natclients
-rw-r--r--@ 1 root wheel 268 Oct 31 15:21 murus.outbound
-rw-r--r--@ 1 root wheel 0 Oct 31 15:21 murus.rdr
-rw-r--r--@ 1 root wheel 254 Oct 31 15:21 murus.tables

Please help me Hany, you are my only hope to get out of the Wastelands!

Happy Halloween!

-Ken

hany
Posts: 485
Joined: Wed Dec 10, 2014 5:20 pm

Re: Problems with Murus install/config -- status never green

Post by hany » Thu Nov 02, 2017 9:58 pm

Sorry, I have never seen such an issue. Are you authenticating using a valid administrator account?
Please try activating Murus ruleset from the shell terminal:

sudo pfctl -f /etc/murus/murus.conf

then check both Murus.app and the Menulet to see if the status is changing.

peskeguy
Posts: 1
Joined: Wed Jan 23, 2019 2:23 am

Re: Problems with Murus install/config -- status never green

Post by peskeguy » Wed Jan 23, 2019 2:34 am

I don't know if OP is still having this problem, and I think the cause of mine may have been different than his, but I figured I'd post what resolved a similar situation for me in case others had my issue.

I had the issue as OP describes. Murus status light always yellow.
Manually trying to activate pfctl from the terminal gave me some kind of error about the anchor file not existing. I noticed that the path of the file it was trying to load was from /Library/Server.

I had previously had OS X Server installed, but subsequently removed it. I guess the Server application modifies the pf anchor, but when I removed Server it didn't get reverted back, so pf was trying to load an anchor file that didn't exist.

So I needed to change two files back to their pre-OS X Server defaults to enable pf/Murus to properly load.

The two files were:
1) /private/etc/pf.conf
#Contents of file should read (can use nano or other terminal text editor):

scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"

2) /private/etc/pf.anchors/com.apple
#Contents of file should read (can use nano or other terminal text editor):

#
# AirDrop anchor point.
#
anchor "200.AirDrop/*"

#
# Application Firewall anchor point.
#
anchor "250.ApplicationFirewall/*"
Once I restored these files to their proper state, pf/Murus worked properly.
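One way to spot the stale anchor reference peskeguy describes before touching any files, as an added example that is not part of this thread or of Murus: a POSIX shell function that reads the `load anchor ... from "<file>"` lines of a pf.conf and reports every referenced file that does not exist, plus a parse-only check with `pfctl -n` for when it runs on a Mac. The file layout and the leftover /Library/Server path in the comments are assumptions modelled on the reply above.

```shell
#!/bin/sh
# Added diagnostic, not part of Murus or of the posts above.
# Reads a pf.conf and lists every "load anchor ... from <file>" line whose
# file is missing (the stale /Library/Server reference described in the reply).
# Assumes the macOS pf.conf line form: load anchor "name" from "/path/to/file".
missing_anchor_files() {
    conf="$1"
    tmp=$(mktemp) || return 2
    # Pull out the quoted file path after 'from' on each load-anchor line.
    sed -nE 's/^[[:space:]]*load[[:space:]]+anchor[[:space:]]+"[^"]*"[[:space:]]+from[[:space:]]+"([^"]+)".*/\1/p' \
        "$conf" > "$tmp"
    missing=0
    while IFS= read -r path; do
        if [ ! -f "$path" ]; then
            printf 'missing anchor file: %s\n' "$path"
            missing=$((missing + 1))
        fi
    done < "$tmp"
    rm -f "$tmp"
    [ "$missing" -eq 0 ]   # status 0 only when every referenced file exists
}

# Parse-only check of the whole ruleset: pfctl -n parses without loading it.
# Meaningful only on macOS (run as root); elsewhere it just says so.
pf_parse_check() {
    conf="$1"
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$conf"
    else
        echo "pfctl not available here; skipping parse check of $conf"
    fi
}

# Usage: ./check_pf.sh /etc/pf.conf  (then reload with sudo pfctl -f ...)
if [ $# -gt 0 ]; then
    missing_anchor_files "$1" && pf_parse_check "$1"
fi
```

A clean run on the restored /private/etc/pf.conf prints nothing from the first function; only then is it worth reloading the Murus ruleset with the `sudo pfctl -f /etc/murus/murus.conf` command from hany's reply.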
