Problem:

I want to remove the Screen Sharing app from the Firewall exceptions (but I can't see any way to do this), so that port 5900 isn't exposed to the internet.

(I want to ONLY expose the SSH Server (22), and be able to tunnel port 5900 over an SSH connection.)

Context:

  • I'm currently running OSX 10.11.5 as an SSH server, in my DMZ (as a dev box).
  • Screen Sharing and Remote Login are enabled in my sharing preferences.
  • The firewall is enabled, which automatically adds these two services to the firewall exceptions.

Screenshot: [image of the Firewall options pane not reproduced]

Addendum

Additionally, I just installed Jenkins (non-mac continuous-integration server). Now ports 8080 and ~49123 are open, but the application is not listed ANYWHERE in the Firewall options (screenshot) - so there is no way to block access to it via the firewall screen (I have not investigated PF yet).

Nick Grealy
  • Can't you click on "Screen Sharing" and then click the (-) sign underneath? Then also on the primary window (with the lock) you can click "Advanced" and you get a few more settings to customize. This setting is added because of the "Sharing & Groups" settings... – bourneN5years Jul 06 '16 at 14:57
  • Also, why not disable sharing so that it will just turn off the service, but leave on SSH? This is under "Sharing & Groups" in the main OSX System Preferences window. I can look further, but afaik if you block 5900, you won't be able to access it even by like forwarding a local port to it (as remote client). – bourneN5years Jul 06 '16 at 14:58
  • Are you planning to use SSH to forward from the lo interface (like in the superuser link you posted)? If so then it would be interesting to see if you can convert the `iptables` to `pf` (like Ryder mentioned below), and if that will override what is in the GUI _Sharing..._ as well as _Firewall..._ – bourneN5years Jul 06 '16 at 15:11
  • @bourneN5years - Quite a few questions! The (-) sign is disabled and Screen Sharing cannot be selected. The screenshot IS the "advanced" screen (unless I'm missing something). If I disable the service, then the service will not be available, which is not my intention - I want the service to run, but restrict external access. Yes, I am planning to use SSH to forward from the lo iface. – Nick Grealy Jul 07 '16 at 00:14
  • 1
    I will look over my own firewall & sharing menus: In the version just before, there were more options when a service was enabled, and when in administrative mode (lock open, I mean), one was able to change the settings. – bourneN5years Jul 07 '16 at 00:21
  • are you logged in as an administrative account? I have a screenshot, will post if I can formulate a complete answer-- but my firewalls windows on 10.10 looks completely different, because it is split into 2 panes, in the lower pane you can, for sure do the "( - ) " option and remove access to screen-sharing, or as well, turn the specific daemon's off and on, mine lists currently emlog.pl (disabled), kdc, netbiosd, & sreensharing.d. – bourneN5years Jul 09 '16 at 15:56
  • how is this going? I experimented with this today, and am convinced, to do custom rules wtih `pf` as Ryder described below, may be the only way. On my test server, I could not pass through screensharing.d , with the GUI firewall on, at all. I will be using Pf a lot in the upcoming months and could provide a conversion of your tables if no one that already knows how, doesn't first. – bourneN5years Jul 15 '16 at 18:46

1 Answer

You can use PF. It will be difficult, because you'll have to identify and turn off the dynamic rules which allow Screen Sharing to pass through, and override those settings.

I'm sorry I can't point you towards how to do this directly, but Apple's design puts a lot of effort into making their GUI available— it used to be impossible to administrate one of their boxes as a server otherwise, which is likely why this is still default behavior.

What I can point you to is this excellent description of Mac OS X's implementation of the BSD Packet Filter. Don't forget to check your /etc/pf.anchors — what you want is likely in there.

Ryder
  • @bourneN5years not having tested it myself, I assume he tried this already and the default behavior prevented turning this off— being the standard way of turning exceptions on and off. But you should ask Nick, not me. – Ryder Jul 06 '16 at 14:57
  • Yeah sorry, I just realized that I'd written the comments on the answer, not the question, cheers! I've moved them. – bourneN5years Jul 06 '16 at 14:59
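A concrete pf ruleset for the setup the question describes (Screen Sharing and Jenkins kept running, but reachable from the DMZ only through an SSH tunnel to the loopback interface), added here as a worked example; it is not from the original post or answer and does not reproduce anything in Apple's own anchors. The anchor name `local.loopback-only`, the external interface `en0`, the Jenkins port 8080 and the client-side tunnel port 5901 are assumptions; adjust them for your box. Two points that the answer leaves implicit: the exception list shown in the Security & Privacy GUI belongs to the socket-level Application Firewall (socketfilterfw), while pf filters at the IP layer, so a pf block on the external interface is enforced independently of that list; and `quick` makes the first matching rule final, so the anchor is placed before the Apple-supplied anchor lines to keep any later `pass` rule from overriding it.

```pf
# File 1: /etc/pf.anchors/local.loopback-only   (hypothetical name, not an Apple file)
#
# Keep screensharingd (TCP 5900) and Jenkins (TCP 8080, assumed) listening,
# but reject them on the DMZ-facing interface and accept them only on lo0,
# which is where an `ssh -L` tunnel delivers the connection on the server side.
# SSH (TCP 22) is not mentioned here, so it keeps the default behaviour (pass);
# never add a `block all` to this anchor on a box you only reach over SSH.

ext_if   = "en0"            # assumption: the interface facing the DMZ
loop_if  = "lo0"
tunneled = "{ 5900, 8080 }"  # 5900 = Screen Sharing, 8080 = Jenkins (assumed port)

# "drop" is silent (the remote side times out); use "return" while debugging
# if you would rather see an immediate RST.
block drop in quick on $ext_if  proto tcp from any to any port $tunneled
pass       in quick on $loop_if proto tcp from any to any port $tunneled

# File 2: lines to add to /etc/pf.conf, ABOVE the stock `anchor "com.apple/*"`
# line, so this anchor (and its quick rules) is evaluated first.
# System updates have been known to rewrite /etc/pf.conf; keep a copy.
#
#   anchor "local.loopback-only"
#   load anchor "local.loopback-only" from "/etc/pf.anchors/local.loopback-only"

# Load and verify on the server (pfctl needs root):
#
#   sudo pfctl -nf /etc/pf.conf                 # parse-check the whole ruleset first
#   sudo pfctl -f /etc/pf.conf                  # load it, anchors included
#   sudo pfctl -e                               # enable pf if `pfctl -s info` says Disabled
#   sudo pfctl -a local.loopback-only -sr       # print the anchor's rules as loaded
#   sudo lsof -nP -iTCP:5900 -sTCP:LISTEN       # screensharingd must still be listening
#
# Whether pf stays enabled after a reboot depends on how it is started on your
# system; re-check `pfctl -s info` after the first restart.

# From a client outside the box:
#
#   nc -vz -w 3 <dmz-host> 5900                 # should now fail / time out
#   nc -vz -w 3 <dmz-host> 22                   # SSH must still answer
#   ssh -N -L 5901:127.0.0.1:5900 user@<dmz-host>
#   open vnc://127.0.0.1:5901                   # Screen Sharing through the tunnel
#
# Local port 5901 (assumed) rather than 5900 avoids a clash if the client Mac
# has its own Screen Sharing enabled and already owns 5900.
```

If you prefer not to rely on pf for Jenkins at all, binding it to loopback at start-up (`--httpListenAddress=127.0.0.1`) removes the exposure at the source; the pf rule above then only guards against the service being restarted with the default bind address.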