Re: Why is Leopard annoying my users?
- Subject: Re: Why is Leopard annoying my users?
- From: Bill Cheeseman <email@hidden>
- Date: Tue, 20 Nov 2007 08:18:16 -0500
- Thread-topic: Why is Leopard annoying my users?
on 2007-11-19 7:34 PM, James Bucanek at email@hidden wrote:
> OK, I received an annoying report from a user this morning. If
> you turn the Leopard firewall on and run my application, Leopard
> presents the user the following dialog three (!) times:
>
>      Do you want the application "QRecall.app" to accept incoming network
>      connections?
>
>      Clicking Deny may limit the application's behavior. This setting can be
>      changed in the Firewall pane of the Security preferences.
>
> ....
>
> My application is not a network service and is not creating any
> incoming TCP sockets. I *am* creating some named BSD sockets for
> distributed object communications (something I had to do to get
> the app to run on Leopard -- yes, there's plenty of irony here).
>
> Does anyone know what's causing this and how do I get it to stop?

I've been researching this issue the last several days. I can't answer your
question about the roles played by TCP sockets and BSD sockets, but I can
give you some background based on what I've read. Basically, the latest
version of Apple's support article (updated yesterday or the day before)
about the new Leopard firewall says that this dialog is presented whenever a
non-code signed application requests incoming access. So you apparently are
requesting incoming access as far as Apple's new firewall system is
concerned, and you're apparently doing so three times.

The interesting question is, What happens when the user clicks Deny, or
Allow?

I'm not at all sure I've understood what I've turned up in my research -- so
far, there are only a couple of competent online articles explaining what
the new firewall is really doing. Apparently, according to my current
understanding, if the user clicks Deny, the specific TCP/UDP port over which
incoming access was requested is closed -- or remains closed -- in ipfw. If
the user clicks Allow, the application is automatically "signed" by Apple
and listed in the new Firewall exceptions list as an application that can
either always allow or always deny incoming access. I don't believe clicking
Allow in the dialog opens the corresponding port in ipfw.

The ipfw service still exists in Leopard. In Tiger, it had a GUI for opening
and closing specific ports in the System Preferences/Accounts/Firewall pane.
That GUI is now gone in Leopard, and the new System
Preferences/Security/Firewall pane controls a new application-level firewall
service. The new Apple support article makes clear that ipfw rules trump
application firewall settings in Leopard, but Apple no longer provides a GUI
for controlling ipfw. You have to use Terminal or a third-party utility like
WaterProof.

I came upon this issue when I accidentally clicked Deny in one of these
dialogs while installing a new version of Retrospect Client. Thereafter,
Client wouldn't receive incoming connections from my Retrospect backup
server, even though I later added it to the Firewall exceptions list
manually and marked its internal backup service application 'pitond' to
allow incoming connections in the Leopard Firewall pane. It turns out that,
apparently, my clicking Deny had closed the TCP port (497) used by
Retrospect Client and, as noted above, this ipfw setting trumped the new
application Firewall setting that purportedly allowed access. I solved the
problem by reinstalling Client, and a Client dialog asked whether to open
the port, to which I replied affirmatively, and then the system asked
whether to allow incoming access, to which I replied Allow, and now it
works. Running Network Utility's Port Scan shows that port 497 is now open,
and Retrospect tech support has confirmed that the Retrospect Client
installer opens it (if you click the correct button). I presumably could
have solved the problem by using Terminal to turn on port 497 explicitly,
instead of running the installer again.
--
Bill Cheeseman - email@hidden
Quechee Software, Quechee, Vermont, USA
www.quecheesoftware.com
PreFab Software - www.prefabsoftware.com
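
Added example (not part of the original message, and not Apple's or Retrospect's code): the message describes ipfw rules taking precedence over the application firewall, so the script below reports which ipfw rule decides inbound TCP traffic to a port under ipfw's first-match evaluation. The rule listing is constructed, the rule numbers are hypothetical, and the parser assumes only the simple rule forms shown.

```shell
#!/bin/sh
# Added example: which ipfw rule decides inbound TCP traffic to a given port?
# ipfw checks rules in ascending rule-number order; the first allow/deny rule
# that matches the packet ends the search.
# Assumption: only simple rules of the form
#   NNNNN allow|deny tcp|ip from any to any [dst-port LIST] [in|out] [via IF]
# are understood; real rulesets can use many more options.

# Constructed sample of `sudo ipfw list` output (not from a real machine).
SAMPLE_RULES='02000 allow ip from any to any via lo0
02070 allow tcp from any to any dst-port 22 in
12180 deny tcp from any to any dst-port 497 in
65535 allow ip from any to any'

# deciding_rule PORT: reads rules on stdin, prints "RULENUM ACTION" for the
# rule that decides a TCP packet arriving for PORT on a non-loopback interface.
deciding_rule() {
  sort | awk -v port="$1" '
    $2 != "allow" && $2 != "deny" { next }
    $3 != "tcp" && $3 != "ip" && $3 != "all" { next }
    {
      hit = 1
      for (i = 4; i <= NF; i++) {
        # loopback-only and outbound-only rules do not apply to this packet
        if ($i == "out" || ($i == "via" && $(i + 1) == "lo0")) hit = 0
        if ($i == "dst-port") {
          porthit = 0
          n = split($(i + 1), list, ",")
          for (j = 1; j <= n; j++) {
            m = split(list[j], r, "-")            # "497" or a range "600-700"
            if (m == 1 && r[1] + 0 == port + 0) porthit = 1
            if (m == 2 && port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) porthit = 1
          }
          if (!porthit) hit = 0
        }
      }
      if (hit) { print $1, $2; exit }
    }'
}

printf '%s\n' "$SAMPLE_RULES" | deciding_rule 497    # 12180 deny

# Effect of adding an earlier allow rule, as would be done on the machine with:
#   sudo ipfw add 02080 allow tcp from any to any dst-port 497 in
FIXED_RULES="$SAMPLE_RULES
02080 allow tcp from any to any dst-port 497 in"
printf '%s\n' "$FIXED_RULES" | deciding_rule 497     # 02080 allow
```

On a Leopard machine the input would come from `sudo ipfw list` instead of the constructed sample.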