6 Replies Latest reply on Jun 14, 2016 9:53 AM by patgmac1

    Mac local firewall and LANrev

    sgillaspy Apprentice

      LANrev uses high dynamic ports, which has made it difficult for us to create accurate local firewall exceptions for OS X (soon to be MacOS!) in the past.  Have any of you had luck using LANrev with Macs with the local OS X app-based firewall active?

       

      If so, what kind of fw exception did you build?

        • 1. Re: Mac local firewall and LANrev
          patgmac1 Expert

          Ahem, it's macOS. ;-)

           

          Works fine, no need to build exceptions. The high dynamic ports are not a problem since, by default, firewalls will allow client-initiated traffic to come back. Traffic that originates from the server/admin is not on a high port. The LANrev installer automatically opens what it needs on the firewall, and since it's a signed app, it's also allowed because it's signed.

          • 2. Re: Mac local firewall and LANrev
            sgillaspy Apprentice

            Oh sorry... yeah, small m!

            • 3. Re: Mac local firewall and LANrev
              sgillaspy Apprentice

              Well, with agents that are already installed (running any client version), when I go to activate the fw via:

               

              sudo defaults write /Library/Preferences/com.apple.alf globalstate -int 1

               

              the LANrev agent stops checking in (heartbeating).  Is there a command-line exception that I can add to the Mac client that opens it up post-install?

              • 4. Re: Mac local firewall and LANrev
                patgmac1 Expert

                The firewall is only inbound, so it shouldn't prevent an outbound connection such as a heartbeat anyway.

                 

                One thing you can do is verify the agent is properly signed:

                codesign -vv /Library/Application\ Support/LANrev\ Agent/LANrev\ Agent.app/Contents/MacOS/LANrev\ Agent
                
                

                 

                It should come back saying it's "valid on disk". If it doesn't, there have been occasions when the agent broke its own codesigning because of files being added, so I have this script for that:

                 

                #!/bin/bash
                # Stray plists that have ended up inside the agent's app bundle (and its
                # prefPanes) break the bundle's code-signature seal; removing them lets
                # codesign report "valid on disk" again.
                filesToDelete=(
                  "/Library/Application Support/LANrev Agent/LANrev Agent.app/Contents/DefaultDefaults_backup.plist"
                  "/Library/Application Support/LANrev Agent/LANrev Agent.app/Contents/SpecialSSLUpdater.plist"
                  "/Library/Application Support/LANrev Agent/LANrev Agent.app/Contents/CodesigningRules.plist"
                  "/Library/Application Support/LANrev Agent/LANrev Agent.app/Contents/Resources/AbsoluteManage Agent pre-10.8.prefPane/Contents/CodesigningRules.plist"
                  "/Library/Application Support/LANrev Agent/LANrev Agent.app/Contents/Resources/AbsoluteManage Agent pre-10.8.prefPane/Contents/DefaultDefaults.plist"
                  "/Library/Application Support/LANrev Agent/LANrev Agent.app/Contents/Resources/LANrev Agent.prefPane/Contents/CodesigningRules.plist"
                  "/Library/Application Support/LANrev Agent/LANrev Agent.app/Contents/Resources/LANrev Agent.prefPane/Contents/DefaultDefaults.plist"
                )

                # Remove every path in the array named by $1 that exists on disk.
                # An optional prefix in $2 (e.g. a mounted target volume) is prepended
                # to each path. Bash-only: uses arrays and ${!1} indirect expansion.
                function deleteItems()
                {
                  declare -a toDelete=("${!1}")

                  for item in "${toDelete[@]}"
                  do
                    if [[ -n "${2}" ]]
                    then
                      item="${2}${item}"
                    fi
                    if [ -e "${item}" ]
                    then
                      echo "Removing $item"
                      rm -rf "${item}"
                    fi
                  done
                }

                deleteItems filesToDelete[@]

                exit 0

                 

                I also have a custom info item that opens the firewall if it is blocked:

                #!/bin/bash
                # Custom info item: if the application firewall (ALF) is blocking the
                # LANrev agent, unblock it. Only acts on 10.7 or later (minor version > 6).
                osSubVer=$(sw_vers -productVersion | cut -d '.' -f 2)

                # --listapps prints each registered app path followed by a line such as
                # "( Allow incoming connections )" or "( Block incoming connections )",
                # so the second word of the line after the agent's entry is its state.
                lanrevBlocked=$(/usr/libexec/ApplicationFirewall/socketfilterfw --listapps | grep -A 1 "LANrev Agent.app" | grep -i incoming | awk '{ print $2 }')

                if [[ $osSubVer -gt 6 ]]; then
                    if [[ $lanrevBlocked == Block* ]]; then
                        /usr/libexec/ApplicationFirewall/socketfilterfw --unblock "/Library/Application Support/LANrev Agent/LANrev Agent.app" 1>/dev/null
                        echo "Lanrev Unblocked"
                    else
                        echo "No ALF Changes Made"
                    fi
                fi
                
                • 5. Re: Mac local firewall and LANrev
                  sgillaspy Apprentice

                  Thanks, Patrick... those older Agent items detailed in your script were indeed corrupting my code signing to the point where the Agent was being blocked.

                   

                  My test units were also showing a failure of one additional item that I added to another updated version of your script:

                   

                  "/Library/Application Support/LANrev Agent/LANrev Agent.app/Contents/Resources/LANrev Agent.prefPane/Contents/CodeResources"

                   

                  Once I added that item to all the other deletions your script detailed, the signing was successful with "Valid On Disk".

                   

                   

                  I take it the latest agent (I'm running 7.2) no longer needs these support files?  DefaultDefaults used to be an important one but that's been a long while ago.

                   

                   

                  Thanks again!

                  • 6. Re: Mac local firewall and LANrev
                    patgmac1 Expert

                    Sean Gillaspy wrote:

                     

                     

                    I take it the latest agent (I'm running 7.2) no longer needs these support files? DefaultDefaults used to be an important one but that's been a long while ago.

                    It does need them, but not in those locations. They need to be outside of the app bundles. I'm not sure how/why those items get into those locations, but I have worked with support on this so they know it's a problem. It just hasn't been fixed. After all, it doesn't affect MDM.