[launchd] Creating a basic firewall

Hi,

I'm trying to use launchd to detect whether certain ports are opened
and if they are then to take some appropriate action, e.g. close the
port or, worst case scenario, down the whole net connection. Apparently,
force closing a port is not possible without killing the offending binary so
the next best option was to down the network connection.

In this particular example, the LaunchDaemon is supposed to monitor
whether a list of ports are activated, whilst the network state is true, and
if so then close the network connection.

Unfortunately, the 'Sockets -> Listeners' properties create ports that
meets the condition to down the network connection and not 'if' they are
created. Therefore, as soon as it is deployed, the network connection is
taken offline.

Due to the lack of documentation regarding launchd, I've not been able
to even determine if this approach is even possible.

Can anyone help?

A.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Disable</key>
	<false/>
	<key>Label</key>
	<string>net.localhost.ports</string>
	<key>Program</key>
	<string>/sbin/ifconfig</string>
	<key>ProgramArguments</key>
	<array>
		<string>ifconfig</string>
		<string>en0</string>
		<string>down</string>
	</array>
	<key>KeepAlive</key>
	<dict>
		<key>NetworkState</key>
		<true/>
	</dict>
	<key>Sockets</key>
	<dict>
		<key>Listeners</key>
		<array>
			<dict>
				<key>SockServiceName</key>
				<string>8787</string>
				<key>SockType</key>
				<string>stream</string>
			</dict>
			<dict>
				<key>SockServiceName</key>
				<string>31337</string>
				<key>SockType</key>
				<string>stream</string>
			</dict>
			<dict>
				<key>SockServiceName</key>
				<string>31337</string>
				<key>SockType</key>
				<string>dgram</string>
			</dict>
			<dict>
				<key>SockServiceName</key>
				<string>31338</string>
				<key>SockType</key>
				<string>stream</string>
			</dict>
			<dict>
				<key>SockServiceName</key>
				<string>31338</string>
				<key>SockType</key>
				<string>dgram</string>
			</dict>
			<dict>
				<key>SockServiceName</key>
				<string>54320</string>
				<key>SockType</key>
				<string>stream</string>
			</dict>
			<dict>
				<key>SockServiceName</key>
				<string>54321</string>
				<key>SockType</key>
				<string>stream</string>
			</dict>
			<dict>
				<key>SockServiceName</key>
				<string>54321</string>
				<key>SockType</key>
				<string>dgram</string>
			</dict>
		</array>
	</dict>
</dict>
</plist>

---------- Post updated at 07:33 PM ---------- Previous update was at 03:15 PM ----------

Additional...

Just got off the forum at macosxhints.com and apparently
launchd can't detect whether a connection to a socket/port
has been made making my quick-fix approach futile.

Unless someone knows any hacks.

A.

Have you thought about having launchd run a script for you to detect this? You could have launchd run a shell, perl, python, apple, or whatever script for you.

Thanks.

That was going to be an alternative solution to the preferable
of letting launchd handle the whole process but I couldn't find a
way for launchd to detect when a socket was 'created' for it to
down the connection or execute a script.

I would have to shift the whole process to bash and run the script
in daemon mode using, as someone suggested, lsof or dtrace. I did
look into both those binaries but the output from them would have
been too much to parse.

I was thinking of using the 'WatchPath' or 'QueueDirectories' to
monitor the /tmp directory, but I don't know if the socket name
file would be consistent.

Also, I 'll email the dev team to see if I'm missing something
or if they will consider it for a future release. In the mean time,
I'll have to consider a purpose built binary like snort.

A.

Yeah looking into it further it seems a lot trickier than just a straight forward script....