30 June 2008

Automatically switching on the firewall by location on Mac OS X

There is something that Windows Vista actually does rather well. When you connect to a network to which you have not previously connected, Vista will prompt you to say whether it is Home, Work or Public. Naturally, when you connect to some sort of unencrypted network at a café, university or wherever, you are going to want to select Public - basically this puts the firewall up to full strength to stop services like file and printer sharing from telling the world what it is you have on your laptop. (I'm simplifying things here - if you unblock a service while on a Public network, for example, you could still be opening yourself up to a world of pain, because it will then be unblocked for all public places.)

I assume people are mostly still using XP because it seems no matter where I go in public (well maybe not everywhere) there's someone who has neglected to lock down their system, even to the extent that they have write access open to their OS / data partition.

Mac OS X doesn't seem to have this feature at all. Yes, it has network locations but they don't cover the firewall, nor can they be set to automatically switch. But there is a way.

First, we need to know how to change the firewall setting programmatically. The answer comes from (the really rather useful) macosxhints.com:

sudo defaults write /Library/Preferences/com.apple.alf globalstate -int 1
The last value represents the state of the firewall, where:
  • 0 = off
  • 1 = on for specific services
  • 2 = on for essential services
Note that actually the 'sudo' isn't required for this if you have an administrator account. So I created two very simple shell scripts based on this command, one which turns on the firewall and one which turns it off.

The second part of this is the great MarcoPolo. In a nutshell, MarcoPolo can automatically do whatever you want whenever you want, based on various physical attributes like the Wi-Fi access points it can see, Bluetooth devices and even ambient light (among other things). Unfortunately it hasn't been properly updated for Leopard, so it can't switch the firewall itself - but it can be set to run shell scripts.

So this is what I have going. When I'm at home, MarcoPolo automatically sees my home Wi-Fi and switches the firewall into a low-paranoia state (so I can access my files etc.). When I leave home, MarcoPolo battens down the hatches to protect me from those people interested in my SSH, my files or my Apache server.
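As an added example (not the two scripts from the post), here is a single script that does the same job, taking the location name that MarcoPolo would pass as its argument; the names "home" and "public" and the read-back check are my assumptions, and any location the script doesn't recognise fails closed to the strictest state rather than leaving the firewall wherever it was:

```shell
#!/bin/sh
# Added example: one location-aware firewall script in place of the post's
# separate "on" and "off" scripts. Invoke as:  alf-switch.sh home|public

# Map a location name (assumed to be what MarcoPolo passes) to a
# com.apple.alf globalstate value, using the meanings given above:
#   0 = off, 1 = on for specific services, 2 = on for essential services.
# Anything that is not explicitly "home" is treated as untrusted (fail closed).
alf_state_for_location() {
  case "$1" in
    home)   echo 1 ;;   # low paranoia: my enabled services stay reachable
    *)      echo 2 ;;   # public or unknown: essential services only
  esac
}

# Write the state, then read it back so a silently failed write
# (for example, insufficient rights on /Library/Preferences) is noticed.
apply_alf_state() {
  state="$1"
  defaults write /Library/Preferences/com.apple.alf globalstate -int "$state" || return 1
  current=$(defaults read /Library/Preferences/com.apple.alf globalstate) || return 1
  [ "$current" = "$state" ]
}

# Only act when given a location and when running on a Mac that has `defaults`.
if [ "$#" -eq 1 ] && command -v defaults >/dev/null 2>&1; then
  apply_alf_state "$(alf_state_for_location "$1")" || {
    echo "failed to set firewall state for location '$1'" >&2
    exit 1
  }
fi
```

If the write needs root on your setup, run the script with `sudo` from MarcoPolo rather than dropping the read-back check.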

It's a great thing really - but it should be easier. Here's hoping Apple considers some sort of Vista-style automatic switching at some stage.