Problems with Murus install/config -- status never green

keng
Posts: 2
Joined: Mon Oct 30, 2017 8:51 pm

Post by keng » Tue Oct 31, 2017 10:39 pm

Greetings!

Yesterday I installed Murus lite on my Sierra 10.12.6 system. There were no error messages during install or even when I configured things, but I couldn't get the status light to turn green (PF is running a Murus configuration), it always stays yellow. Even the Murus Menulet showed the configuration wasn't being loaded (it just had the "?").

Here's what I did:

Installed Murus and ran it.

Chose Start Murus Lite and Agreed to license, then Start Here

Chose Novice for simplicity, and used Predefined Firewall Configuration Presets

Set the slider to level 5, All Services Blocked -- Activated selected Murus preset and start PF

Clicked "Activate Firewall" when asked "Activate PF firewall using selected preset?"

Two windows pop up, one says Murus preset activated, the other asks about Installing Murus Boot Scripts. I clicked OK on the first and also Installed Murus Boot Scripts.

No other popups happen, I can see the Managed Inbound Services, FTP, SSH, Telnet, Web, Basic Services, SMB, AFP, Port_21169 -- all have Everyone in Blocked Groups. The Configuration screen is populated with good looking PF lines.

BUT

The PF status light is yellow, "PF network firewall is enabled using OS X default configuration..."

I can then SSH into the system from outside our network.

When I test current Murus configuration, it tests VALID.

I hit the play button to enable PF firewall or reload the rules, no change, still have the yellow status light, I even get notification that PF is running.

I tried rebooting and 5 reinstalls with different and more complex configurations, nothing worked. Always getting the yellow status.

At the console, this is what I get for a pfctl command and ifconfig (some sanitation was done to addresses):

$ sudo pfctl -sa
Password:
No ALTQ support in kernel
ALTQ related functions disabled
TRANSLATION RULES:
nat-anchor "com.apple/*" all
rdr-anchor "com.apple/*" all

FILTER RULES:
scrub-anchor "com.apple/*" all fragment reassemble
anchor "com.apple/*" all

DUMMYNET RULES:
dummynet-anchor "com.apple/*" all

INFO:
Status: Enabled for 0 days 00:06:35 Debug: Urgent

State Table Total Rate
current entries 0
searches 203673 515.6/s
inserts 0 0.0/s
removals 0 0.0/s
Counters
match 117909 298.5/s
bad-offset 0 0.0/s
fragment 0 0.0/s
short 0 0.0/s
normalize 0 0.0/s
memory 0 0.0/s
bad-timestamp 0 0.0/s
congestion 0 0.0/s
ip-option 42 0.1/s
proto-cksum 0 0.0/s
state-mismatch 0 0.0/s
state-insert 0 0.0/s
state-limit 0 0.0/s
src-limit 0 0.0/s
synproxy 0 0.0/s
dummynet 0 0.0/s

TIMEOUTS:
tcp.first 120s
tcp.opening 30s
tcp.established 86400s
tcp.closing 900s
tcp.finwait 45s
tcp.closed 90s
tcp.tsdiff 30s
udp.first 60s
udp.single 30s
udp.multiple 60s
icmp.first 20s
icmp.error 10s
grev1.first 120s
grev1.initiating 30s
grev1.estblished 1800s
esp.first 120s
esp.estblished 900s
other.first 60s
other.single 30s
other.multiple 60s
frag 30s
interval 10s
adaptive.start 6000 states
adaptive.end 12000 states
src.track 0s

LIMITS:
states hard limit 10000
app-states hard limit 10000
src-nodes hard limit 10000
frags hard limit 5000
tables hard limit 1000
table-entries hard limit 200000

TABLES:
_threats

OS FINGERPRINTS:
696 fingerprints loaded

more possible clues:

$ ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
options=1203<RXCSUM,TXCSUM,TXSTATUS,SW_TIMESTAMP>
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 xxxx::1%lo0 prefixlen 64 scopeid 0x1
nd6 options=201<PERFORMNUD,DAD>
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=10b<RXCSUM,TXCSUM,VLAN_HWTAGGING,AV>
ether xx:60:t6:16:6c:z3
inet6 fe80::xxb:ac34:9798:92f6%en0 prefixlen 64 secured scopeid 0x4
inet xxx.xxx.xxx.xxx netmask 0xffffff00 broadcast xxx.xxx.xxx.xxx
nd6 options=201<PERFORMNUD,DAD>
media: autoselect (1000baseT <full-duplex,flow-control,energy-efficient-ethernet>)
status: active
en1: flags=8823<UP,BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1500
ether 2t:ft:70:c4:1d:c4
nd6 options=201<PERFORMNUD,DAD>
media: autoselect (<unknown type>)
status: inactive
en2: flags=963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX> mtu 1500
options=60<TSO4,TSO6>
ether 1a:x11:z2:a7:7g:f0
media: autoselect <full-duplex>
status: inactive
en3: flags=963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX> mtu 1500
options=60<TSO4,TSO6>
ether 1c:xx:02:a7:8g:11
media: autoselect <full-duplex>
status: inactive
bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=63<RXCSUM,TXCSUM,TSO4,TSO6>
ether 1c:00:12:a3:7t:fx
Configuration:
id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
ipfilter disabled flags 0x2
member: en2 flags=3<LEARNING,DISCOVER>
ifmaxaddr 0 port 6 priority 0 path cost 0
member: en3 flags=3<LEARNING,DISCOVER>
ifmaxaddr 0 port 7 priority 0 path cost 0
nd6 options=201<PERFORMNUD,DAD>
media: <unknown type>
status: inactive
p2p0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 2304
ether 0x:f1:x8:t9:6c:c4
media: autoselect
status: inactive
awdl0: flags=8902<BROADCAST,PROMISC,SIMPLEX,MULTICAST> mtu 1484
ether 2d:ft:e4:cc:11:v0
nd6 options=201<PERFORMNUD,DAD>
media: autoselect
status: inactive
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
inet6 xxx.xxx.xxx.xxx%utun0 prefixlen 64 scopeid 0xb
nd6 options=201<PERFORMNUD,DAD>
pflog0: flags=41<UP,RUNNING> mtu 33080
gpd0: flags=8862<BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1400
ether c2:5c:t3:0x:c1:t1

Other stuff that might help:

$ ls -l murus*
-rwxr-xr-x@ 1 root wheel 1785 Jun 22 13:36 murus.sh
-rwxr-xr--@ 1 root wheel 1345 Oct 30 14:52 murus.updatethreats.sh

murus:
total 56
-rw-r--r--@ 1 root wheel 31 Oct 31 15:21 murus.blacklist
-rw-r--r--@ 1 root wheel 27 Oct 31 15:21 murus.bw
-rw-r--r--@ 1 root wheel 2122 Oct 31 15:21 murus.conf
-rw-r--r--@ 1 root wheel 0 Oct 31 15:21 murus.custom
-rw-r--r--@ 1 root wheel 0 Oct 31 15:21 murus.dummynet
-rw-r--r--@ 1 root wheel 531 Oct 31 15:21 murus.inbound
-rw-r--r--@ 1 root wheel 0 Oct 31 15:21 murus.inspector
-rw-r--r--@ 1 root wheel 2824 Oct 31 15:21 murus.knocking
-rw-r--r--@ 1 root wheel 0 Oct 31 15:21 murus.nat
-rw-r--r--@ 1 root wheel 0 Oct 31 15:21 murus.natclients
-rw-r--r--@ 1 root wheel 268 Oct 31 15:21 murus.outbound
-rw-r--r--@ 1 root wheel 0 Oct 31 15:21 murus.rdr
-rw-r--r--@ 1 root wheel 254 Oct 31 15:21 murus.tables

Please help me Hany, you are my only hope to get out of the Wastelands!

Happy Halloween!

-Ken

hany
Posts: 445
Joined: Wed Dec 10, 2014 5:20 pm

Re: Problems with Murus install/config -- status never green

Post by hany » Thu Nov 02, 2017 9:58 pm

Sorry, I have never seen such an issue. Are you authenticating using a valid administrator account?
Please try activating the Murus ruleset from the shell terminal:

sudo pfctl -f /etc/murus/murus.conf

then check both Murus.app and Menulet to see if the status is changing
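
Added example, not part of either post and not Murus's own code: a small shell check that reads `pfctl -sa` (or `pfctl -sr`) output and reports whether anything beyond the Apple default anchors is loaded, which is the condition the yellow status light describes in this thread. The function name `pf_ruleset_origin` is hypothetical, the "default" test assumes the stock macOS ruleset consists only of `com.apple/*` anchors as in the output posted above, and both sample inputs are constructed.

```shell
# Added example: classify pfctl -sa or pfctl -sr output read on stdin.
# default = only com.apple anchors loaded (as in the post above),
# custom = at least one other rule loaded, empty = no rules at all.
pf_ruleset_origin() {
    awk '
        # Section headers such as "FILTER RULES:" or "INFO:" end in a colon.
        /^[A-Z ]+:$/ { in_rules = ($0 ~ /RULES:$/); seen_header = 1; next }
        # Skip blank lines and the ALTQ notices macOS prints.
        /^[ \t]*$/ || /ALTQ/ { next }
        # Without any header (plain pfctl -sr) every line is a rule.
        in_rules || !seen_header {
            total++
            if ($0 !~ /anchor "com\.apple\/\*"/) other++
        }
        END {
            if (total == 0) print "empty"
            else if (other > 0) print "custom"
            else print "default"
        }'
}

# Constructed sample: rule sections copied from the output in the post.
sample_default() {
    cat <<'EOF'
No ALTQ support in kernel
ALTQ related functions disabled
TRANSLATION RULES:
nat-anchor "com.apple/*" all
rdr-anchor "com.apple/*" all
FILTER RULES:
scrub-anchor "com.apple/*" all fragment reassemble
anchor "com.apple/*" all

INFO:
Status: Enabled for 0 days 00:06:35 Debug: Urgent
EOF
}

# Constructed sample: hypothetical extra rules, not Murus's real ruleset.
sample_custom() {
    cat <<'EOF'
scrub-anchor "com.apple/*" all fragment reassemble
anchor "com.apple/*" all
block drop in all
EOF
}

sample_default | pf_ruleset_origin   # default
sample_custom  | pf_ruleset_origin   # custom
```

On a live system, run `sudo pfctl -sa 2>/dev/null | pf_ruleset_origin` before and after loading the ruleset; `custom` only shows that something beyond the Apple anchors is loaded, not that it is the Murus configuration.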