Applied inbound web ports to services but still is blocked

Murus
raulgd
Posts: 4
Joined: Sat May 16, 2015 3:21 am

Applied inbound web ports to services but still is blocked

Post by raulgd » Sat May 16, 2015 3:26 am

Hi,

I just purchased Murus Pro because, being a Java web developer, I need to have the usual web ports open on my Mac, but they are blocked by default and I know no other way to open them.

I added the Web services from the services library and restarted PF. Now PF is enabled, but when I run my Java application it still shows the access denied error for my sockets on port 80.

What do I need to do to be able to access my web ports?

Thanks

hany
Posts: 480
Joined: Wed Dec 10, 2014 5:20 pm

Re: Applied inbound web ports to services but still is blocked

Post by hany » Sat May 16, 2015 12:18 pm

With Murus you are just setting up the PF firewall. If you put the WEB service in inbound and leave the default configuration (green triangle facing down) you are telling PF to accept all inbound connections to the ports defined in the Murus WEB service (that is 80 and 443 for http and https).
You also have to verify whether a web server is currently running or not. If you want to use the OS X built-in web server you must start it manually from the command line, because Apple removed the checkbox for Web Sharing in the System Preferences -> Sharing prefpane.
So, issue this shell command in Terminal:

    sudo apachectl start

You must be admin in order to issue this command. You will be prompted for your password. The password will not echo.
This command should be enough to start the web server. It will also automatically start at boot.

EDIT:
btw, afaik web ports are not blocked by default on OS X. unless you turn on the System Preferences firewall.

raulgd
Posts: 4
Joined: Sat May 16, 2015 3:21 am

Re: Applied inbound web ports to services but still is blocked

Post by raulgd » Sat May 16, 2015 7:30 pm

Thanks for the quick reply.

I checked the PF configuration window and the inbound rules for ports 80 and 443 have the green down triangle, so the policy is correct.
inbound_configured.png
The mac firewall is off.
mac_firewall_off.png
Checked in the activity monitor on the network tab, and the port 80 is not occupied. (Not allowed to upload more than 3 files to the forum, so no screenshot, but trust me, it's not occupied)

When I run my Java web server I get an access denied error when trying to set up port 80 for listening.
access_denied_error_80.png
What else can I do to check? Some time ago I read that on Mac OS X, by default and for "security", ports 1 to 1024 are closed so that they can only be used by Apple services or applications running as root, but I can't run my Java applications as root because I'm using them for development purposes. I thought that with Murus I'd be able to avoid this problem and have port 80 forcibly accessible by any user.

raulgd
Posts: 4
Joined: Sat May 16, 2015 3:21 am

Re: Applied inbound web ports to services but still is blocked

Post by raulgd » Sat May 16, 2015 11:04 pm

OK, even worse... I'm starting to think that it's not even that. I wanted to check out the PF process to monitor it at an even lower level, to validate how it works.

Researching, on Mac OS X according to this, the process should be afctl and the plist should be com.apple.pfctl.plist, but there is no process whatsoever under afctl or any pfctl plist. So even though Murus states that PF is running, I don't see any process related to it running on the system, even though I was checking in the terminal as root using ps -A.

I also tested by setting up an rdr pass rule to redirect from one port to another, and also blocked absolutely all ports, and still I can connect as if there is no firewall running.

So, for starters, how can I figure out if the firewall is really running or not?

hany
Posts: 480
Joined: Wed Dec 10, 2014 5:20 pm

Re: Applied inbound web ports to services but still is blocked

Post by hany » Sun May 17, 2015 3:51 pm

Ok I think I need to clarify how Murus and PF work :)
First of all, afctl has nothing to do with PF. It is the shell frontend for ALF, the application layer firewall, the one you configure within OS X System Preferences.
PF is another firewall; it's a network firewall. It runs in the kernel, so there is no process to look for. You can query the kernel using the shell frontend "pfctl". To see if PF is working you have to issue the

    sudo pfctl -si

command and look at the output. There is no other way.
I don't know what you mean by:

    Checked in the activity monitor on the network tab, and the port 80 is not occupied.

I would use a port scanner like OS X Network Utility.app (Ports tab) to check if a port is open.

However, your problem has nothing to do with ALF or PF or Murus. Both are disabled by default on OS X. For sure, according to your screenshot, ALF is closed. To be sure that PF is also stopped, just run Murus and, if PF is running, click the Stop button. If you don't trust Murus then use the Terminal like I explained above.
When ALF and PF are not running, all your network services are available. There is no need to "open" a port. Firewalls are used to filter ports, not to open them. A port is open if a service is listening on it, and closed if no service is listening on it.
According to your screenshot you are trying to run your java web server from an unprivileged user. Please remember that services that use ports below 1025 are privileged and must be run as root, this is normal for all UNIX-like operating systems like OS X.
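As an added example (not from this thread and not part of the Murus project), here is a small POSIX shell script that reads the text `sudo pfctl -si` prints and reports whether PF is loaded, which is the check the reply describes: PF lives in the kernel, so the Status line is the only reliable signal. The sample output embedded below is constructed to match the OS X format. The two ALTQ lines that OS X pfctl prints are informational (the kernel is built without ALTQ queueing) and are not an error, so the script reports them separately from the enabled/disabled decision.

```shell
#!/bin/sh
# Added example, not from the thread or from Murus: decide whether PF is loaded
# from the output of `sudo pfctl -si`. There is no PF daemon to look for in
# `ps`, so the Status line is what tells you whether the kernel filter is on.

# Sample output, constructed to match what OS X pfctl prints.
SAMPLE_ENABLED='No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 0 days 00:07:13           Debug: Urgent'

SAMPLE_DISABLED='No ALTQ support in kernel
ALTQ related functions disabled
Status: Disabled for 0 days 00:00:00          Debug: Urgent'

# pf_status: read pfctl -si output on stdin; print "enabled" or "disabled".
# Exit status: 0 when enabled, 1 when disabled, 2 when no Status line is found.
pf_status() {
    status=$(grep '^Status:' | awk '{print $2}')
    case "$status" in
        Enabled)  echo enabled;  return 0 ;;
        Disabled) echo disabled; return 1 ;;
        *)        echo unknown;  return 2 ;;
    esac
}

# altq_notice: the ALTQ lines mean the kernel has no ALTQ queueing support,
# which is normal on OS X and unrelated to whether PF is filtering.
altq_notice() {
    if grep -q 'No ALTQ support in kernel'; then
        echo "ALTQ unavailable (expected on OS X, not a PF fault)"
    fi
}

# live_pf_status: query the running kernel when pfctl exists (needs root).
live_pf_status() {
    command -v pfctl >/dev/null 2>&1 || { echo "pfctl not found"; return 2; }
    sudo pfctl -si 2>/dev/null | pf_status
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_ENABLED" | altq_notice
printf '%s\n' "$SAMPLE_ENABLED" | pf_status
printf '%s\n' "$SAMPLE_DISABLED" | pf_status || true
```

On a real machine, call `live_pf_status` instead of feeding the samples; the exit status makes it usable in a script that refuses to proceed unless PF is actually enabled.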

raulgd
Posts: 4
Joined: Sat May 16, 2015 3:21 am

Re: Applied inbound web ports to services but still is blocked

Post by raulgd » Sun May 17, 2015 5:18 pm

Thanks for clarifying how PF works.

Now, then, I must be doing something wrong because, due to the permissions thing, I configured Murus with a custom rule to redirect all traffic from port 80 to 8080, which is the port I switched my Java application to.

I added the Web service group from the library so that ports 80 and 443 are open, then I did the port redirect. I also set the strategy so that all inbound connections are blocked except the ones I specify otherwise.

Here's how I set the rule, but it still doesn't work: I can get connections on local 8080, which shouldn't be accessible, while ports 80 and 443 are not accessible. Perhaps I'm doing something wrong; what can I do to get it working? For testing this I used the Network Utility app and did a port scan.

And I ran the command you mentioned as root, pfctl -si, and it prints out this message; I don't know if that's right or not:

    No ALTQ support in kernel
    ALTQ related functions disabled
    Status: Enabled for 0 days 00:07:13 Debug: Urgent

Does that ALTQ message mean there is something wrong with pf? Or is this expected?

Also, by the way, it would be nice if the custom rule could be a window, because trying to take a screenshot or copy/paste something is a pain in the neck since the window keeps disappearing when you click somewhere outside it.

EDIT:
I tried connecting from another computer using the IP address and it worked, but if I try to connect from my local computer, using either localhost, 127.0.0.1 or the IP address, it doesn't work! The only way it works is if I connect from another device. What do I need to do to make it work locally as well?

rule.png
rule_window.png
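The redirect described in this post is the kind of thing PF's rdr rules do, and the symptom (remote works, local does not) follows from how rdr is evaluated. As an added example, not a rule from this thread or from Murus, here is a pf.conf fragment that redirects port 80 to a development server on 8080 for both remote and local clients. The interface name en0 is an assumption; substitute the interface your machine actually uses.

```pf
# Added example, not from the thread or from Murus. Assumes en0 is the
# external interface and that the development server listens on 8080.

# rdr rules are matched on the interface a packet arrives on. A connection
# from another host arrives on en0; a connection from this machine to
# localhost or to its own address is delivered over lo0. A redirect that only
# names en0 therefore never sees local traffic, so there is one rule per path.
# "rdr pass" both rewrites the destination and passes the packet without
# running it through the filter rules below.
rdr pass on en0 inet proto tcp from any to any port 80 -> 127.0.0.1 port 8080
rdr pass on lo0 inet proto tcp from any to any port 80 -> 127.0.0.1 port 8080

# Keep 8080 reachable only through the redirect: a direct connection to
# en0:8080 is not rewritten, so it hits the filter and is dropped here.
block in on en0 inet proto tcp from any to any port 8080
```

Murus loads its own ruleset, so with Murus these lines belong in its custom rule; to check the syntax by hand first, save them to a file and run `sudo pfctl -nf /path/to/file`, which parses the rules without loading them.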
