
I am developing some software as part of a research project, and am running into an annoying issue with the Mac firewall. Our system architecture involves running multiple concurrent processes which open network ports, so when I start an execution, I get a ton of firewall notifications:


Whether I click Allow or Deny, the notification comes back every time. I've also tried adding the program to the firewall settings, but the notifications still appear. Enabling stealth mode, or even disabling the firewall, likewise does nothing.


This similar question asks about fixing this issue for a single program, and there's some discussion about code signing. But this won't work for me: I'm just compiling new versions of my code; I need to prevent these dialogs from appearing during testing, not production. So marking a single executable as "safe" (if even possible) would only work until the next compilation.

A few more data points:

  • This happens no matter where I run the program from — terminal or VS code terminal
  • This used to happen occasionally, but now happens nearly all the time, after I moved my project from my Documents folder (which I realized was being backed up to iCloud) to a separate local folder. Possibly something with file-provenance trust? This would be strange, however. My new directory is just ~/Local Documents
  • While some variants of our program do use incoming network access, I'm currently just testing on a single machine (with multiple processes acting as multiple hosts, using the mpi framework).

Ideally, I'd like to mark executables in a certain folder as being exempt from firewall rules, but at this point, I'm happy to even just turn off the warnings system-wide.

This answer seems to suggest I may be out of luck.

baum
  • When the firewall is inactive in the Network settings, you still get the dialogs? – Linc D. Feb 09 '24 at 00:11
  • That's correct. Doesn't make any sense to me. Based on some other answers it sounds like this might be from a "different" firewall, the socketfilter firewall, not the "regular" network firewall. – baum Feb 09 '24 at 02:06
  • That's right. There is no built-in graphical interface to the packet filter.

    Please run this command:

    `/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate`

    If it shows that the firewall is enabled, then try this:

    `/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off`

    Then try the first command again. Any change?

    – Linc D. Feb 09 '24 at 05:26
  • Seems like that worked. Thanks!

    Oddly, even after clicking "Allow", the executables are also showing up in the `socketfilterfw --listapps` listing. But I guess this makes sense if they're doing UUID-based, not path-based, permissions.

    – baum Feb 13 '24 at 04:54
  • Instead of globally disabling the warning, ad-hoc code sign the binary as part of the test building process (see: `Do you want the application "main" to accept incoming network connections?` pop up while running Go applications) – Graham Miln Feb 13 '24 at 07:50
  • @GrahamMiln: I tried this, and interestingly, it did appear to work — but after a slight time delay (or perhaps some number of executions?). So including it in the build process worked, eventually, but I still got a few dozen pop ups. – baum Feb 14 '24 at 19:30
  • I added an answer to better explain the behaviour and approaches. Hope this helps. – Graham Miln Feb 15 '24 at 08:36

2 Answers


Per the comment from Linc D.,

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off

appears to have fixed the problem.

nohillside
baum

This is normal behaviour. Each new test executable is treated as unique. So trusting one will not affect the next. Unless…

Build and Sign

To avoid the warning, ad-hoc codesign the executable using:

codesign -i com.example.main.test -s - main

Repeat this command for any other executables that are being built.

This will cause macOS to trust this build of main on your Mac. The first time it is run, you will be asked for network access. Subsequent runs will not require network checks.

By assigning an identifier, -i com.example.main.test, the trust associated with an executable will be transferred to future executables. The future executables need to have the same identifier and signer for this to work.

Firewall

Within System Settings.app > Network > Firewall, select Options and scroll to the base of the list. There you will find a few additional options.

Enable Automatically allow downloaded signed software to receive incoming connections. This may lessen some of the warnings.

Avoid the Warnings

To avoid these warnings entirely, have the software explicitly and only listen on localhost.

See also https://apple.stackexchange.com/a/393721/1860

Graham Miln
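The following script is an added example, not code from the question, the comments or the answers above. It ties together the three points raised on this page: Linc D.'s `socketfilterfw --getglobalstate` check, Graham Miln's build-and-sign step with a stable `-i` identifier (so each rebuild of `main` inherits the trust of the previous one instead of prompting again), and the "listen only on localhost" advice, expressed as an audit of which listening sockets are bound to a wildcard address and are therefore what the application firewall prompts about. It assumes macOS with `codesign` and `/usr/libexec/ApplicationFirewall/socketfilterfw` present; the identifier prefix `com.example`, the `./build` directory and the sample `lsof` lines are placeholders constructed for this example.

```shell
#!/bin/sh
# Added example (not from the question or answers). Assumptions: macOS,
# codesign and socketfilterfw available; "com.example" prefix and ./build
# are placeholders chosen for this example.
set -eu

SFW=/usr/libexec/ApplicationFirewall/socketfilterfw

# Report whether the application firewall (socketfilterfw) is on.
# Exit status: 0 = enabled, 1 = disabled, 2 = tool not present (not macOS).
firewall_enabled() {
    [ -x "$SFW" ] || return 2
    "$SFW" --getglobalstate | grep -qi 'enabled'
}

# Derive a stable identifier from the binary's file name, so every rebuild of
# "main" is signed as com.example.main.test and carries over the same trust.
sign_identifier() {
    printf 'com.example.%s.test\n' "$(basename "$1")"
}

# Ad-hoc sign (codesign -s -) one freshly built binary with that identifier.
# --force replaces any signature left over from an earlier build.
adhoc_sign() {
    codesign --force -i "$(sign_identifier "$1")" -s - "$1"
}

# Confirm the identifier actually landed on the binary (codesign prints
# "Identifier=..." on stderr when asked to display the signature).
check_identifier() {
    codesign -d -vv "$1" 2>&1 | grep -q "^Identifier=$(sign_identifier "$1")\$"
}

# Audit listening TCP sockets read from stdin in lsof format
# (lsof -iTCP -sTCP:LISTEN -P -n). A socket bound to the wildcard address
# (*, 0.0.0.0 or [::]) accepts connections from the network and is what makes
# the firewall prompt; loopback-only listeners (127.0.0.1, [::1]) do not.
# Prints "wildcard <pid> <command> <host:port>" for each offending socket.
audit_listeners() {
    awk '$NF == "(LISTEN)" {
        addr = $(NF-1);              # NAME column, e.g. *:5000 or 127.0.0.1:5001
        sub(/:[0-9]+$/, "", addr);   # strip the port, keep the bound host
        if (addr == "*" || addr == "0.0.0.0" || addr == "[::]")
            print "wildcard", $2, $1, $(NF-1)
    }'
}

# Usage on macOS, as part of the test build:
#   cc -o build/main main.c && ./this_script.sh build/main
#   lsof -iTCP -sTCP:LISTEN -P -n | audit_listeners
# With binaries given as arguments, sign and verify each one.
if [ "$#" -gt 0 ]; then
    for bin in "$@"; do
        adhoc_sign "$bin"
        check_identifier "$bin" && echo "signed $bin as $(sign_identifier "$bin")"
    done
fi
```

Run the audit while the MPI processes are up: any line it prints is a process that would trigger the prompt even after signing, and restricting that process to `127.0.0.1` is the fix the second answer describes. The identifier is derived from the file name rather than hard-coded so the same script covers every executable in the build.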