MarcK

Let's try this blog thing again…

Archive for the ‘Work’ Category

A simple guide to the Mac PF Firewall


Update 2: If you block UDP port 3283 on your own ARD management system, you will not be able to see the status of machines whose IPs are not in the allowed range. For example, a client machine is on subnet 10.0.2.0/24 and allows ARD connections to it from 10.0.1.0/24. If you are blocking the UDP port on your management machine, you will not see the status of the machines on the 10.0.2 subnet. Your management machine needs to allow the UDP traffic from your client machines in to it.

UPDATE: With further testing, this isn't working as expected. I'll leave it up as a starting place and update later when I've got it working right.

This is a very simplified explanation of Mac firewalls and of using PF (packet filter) to allow certain IP addresses to access specific services on your Mac, like SSH and Apple Remote Desktop.

A Mac has two firewall systems: the Application Firewall (ALF) and the Packet Filter firewall (PF).

ALF can be turned on in the GUI in System Preferences > Security & Privacy or from the command line. When ALF is on, connections to the Mac from outside systems are blocked by default unless an application has told ALF to allow the connection. When you turn on Remote Login, this allows incoming connections to SSH, port 22. There is no GUI to limit SSH access to a particular IP range. PF is the tool needed to limit connections to a particular port from an IP range.

PF can manipulate virtually any packet data. Tools like hosts files and TCP Wrappers are not effective on modern macOS systems. Using PF to allow connections from a small range of IPs to a few ports on your Mac is a bit like using a freight company to deliver pizza: it's fairly complicated, but it can be done. PF can turn a system into a router and is a very, very powerful tool. It can even limit access to your system based on the OS type of the connecting system.

Some guides you will want to review

You will likely find other references. Also check out the GUI apps Murus and IceFloor. I find both of these tools to be overly complex for the rather simple firewall tasks I need to do. If you have more complex needs these tools are very useful and they can help you figure out how the firewall system works.

The file structure

/etc/pf.conf – this is the main rule file, which can reference other files, or you can load it up with all the settings you need.

/etc/pf.anchors/ – files in this directory are referenced from pf.conf. Anchor files appear to follow the naming convention of “com.companyname”.

You can put reference files anywhere in the system that PF has access to read. Your custom lists could be in /Library/Preferences/pf/. This follows Apple conventions for 3rd party additions to the system.

Simple example

This simple example will limit access to SSH and Apple Remote Desktop to a range of IP addresses. This may help you get started. Most examples I've found online assume you are using PF for a server, not a desktop system.

The following is the default pf.conf file with the custom additions.

#
# Default PF configuration file.
#
# This file contains the main ruleset, which gets automatically loaded
# at startup. PF will not be automatically enabled, however. Instead,
# each component which utilizes PF is responsible for enabling and disabling
# PF via -E and -X as documented in pfctl(8). That will ensure that PF
# is disabled only when the last enable reference is released.
#
# Care must be taken to ensure that the main ruleset does not get flushed,
# as the nested anchors rely on the anchor point defined here. In addition,
# to the anchors loaded by this file, some system services would dynamically
# insert anchors into the main ruleset. These anchors will be added only when
# the system service is used and would removed on termination of the service.
#
# See pf.conf(5) for syntax.
#

#
# com.apple anchor point
#
pflog_logfile="/var/log/pflog"
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"


### START Custom Rules ###

# Macros for the ports Apple Remote Desktop uses; macros are referenced with $
ARD_tcp = "{ 3283 5900 5988 }"
ARD_udp = "{ 3283 }"

# The pass rules below use the <name> table syntax, so AllowedIn must be a table
table <AllowedIn> { 192.168.0.0/24, 192.168.1.0/24 }

# PF applies the last matching rule: block everyone first, then the pass
# rules for the allowed networks win.
block return in proto tcp from any to any port 22
block return in proto tcp from any to any port $ARD_tcp

block return in proto udp from any to any port $ARD_udp

pass in inet proto tcp from <AllowedIn> to any port 22 no state
pass in inet proto tcp from <AllowedIn> to any port $ARD_tcp no state

pass in inet proto udp from <AllowedIn> to any port $ARD_udp no state

### END Custom Rules ###
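An added example (not from the post) that builds the custom rule block from a list of allowed networks, defining AllowedIn as a PF table so the pass rules can reference it with the <name> syntax, and wraps the pfctl parse-check, load and enable steps that the post does not show. The pass rules use PF's default state tracking rather than no state; the /etc/pf.conf path is an assumption.

```shell
#!/bin/sh
# Added example, not from the post: emit the SSH/ARD rule block for pf.conf
# and drive pfctl safely (parse-check before loading).

# pf_ssh_ard_rules NET [NET...]  -> rule block on stdout
pf_ssh_ard_rules() {
    [ $# -gt 0 ] || { echo "need at least one network" >&2; return 1; }
    for net in "$@"; do
        case "$net" in                # accept only IPv4 address/CIDR characters
            *[!0-9./]*|"") echo "bad network: $net" >&2; return 1 ;;
        esac
    done
    nets=$(printf '%s, ' "$@"); nets=${nets%, }
    cat <<EOF
### START Custom Rules ###
ard_tcp = "{ 3283 5900 5988 }"
ard_udp = "{ 3283 }"
table <AllowedIn> { $nets }
# PF keeps the last matching rule, so the block lines come first and the
# pass lines for <AllowedIn> override them.
block return in proto tcp from any to any port 22
block return in proto tcp from any to any port \$ard_tcp
block return in proto udp from any to any port \$ard_udp
pass in inet proto tcp from <AllowedIn> to any port 22
pass in inet proto tcp from <AllowedIn> to any port \$ard_tcp
pass in inet proto udp from <AllowedIn> to any port \$ard_udp
### END Custom Rules ###
EOF
}

# pf_apply [CONF]  -> parse-check, load, enable, then list what is active.
# Run as root after the block above has been pasted into CONF (default /etc/pf.conf).
pf_apply() {
    conf=${1:-/etc/pf.conf}
    pfctl -nf "$conf" || return 1      # -n parses and reports errors without loading
    pfctl -f "$conf" || return 1       # load the full ruleset, anchors included
    pfctl -e 2>/dev/null || true       # enable PF; "already enabled" is not a failure
    pfctl -sr                          # show the loaded rules so you can verify the lines
}
```

Paste the generator's output into pf.conf in place of the custom block, then run pf_apply; a syntax error stops at the parse step and leaves the running ruleset untouched.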

Written by mgkadmin

April 20th, 2017 at 11:04 am

Posted in Apple,Tech,Work

Simple ditto usage guide


You may or may not know about the ditto command on OS X. Ditto will duplicate “all” data from one location to another. This includes permissions, metadata, and hidden ‘dot’ files.

Let's say I want to copy everything from /Users/username1 to /Users/username2, but the directory "username2" does not exist.

With ditto you use this command:
sudo ditto /Users/username1 /Users/username2

This will create the username2 directory and then copy all the contents into it. If you were to run the command without username2 as the destination, the contents of username1 would be copied into /Users, making a mess of things.

You could have created the directory username2 and then copied everything into it, but then you wouldn't get the permissions transferred to the username2 directory itself.

This is the perfect option for changing the username of a user on a Mac. Once you have copied everything from one username to another, you can use the regular account creation tools in System Preferences to create a user for User Name2 with the short name username2. The Mac will ask if you want to use the existing folder for the new user's home. Just say yes and you have a new user account using the same data that was in the old one. You can now delete the old user account and recover the space.

There is significantly more you can do with ditto but that covers most of what I’ve ever needed it for.

Written by Marc Kerr

August 5th, 2013 at 3:34 pm

Posted in Apple,Tech,Work

Using ditto to create and extract archives


In OS X for several years now you could right-click a file or folder on the desktop and select Archive or Compress to create a .zip archive. When you do this it's more like creating a PKZip archive, and all contents of the directory, in this case, are compressed. This includes metadata and .DS_Store files and probably a few other things I don't know about. If you use the command line 'unzip -l file.zip' to list the contents of a Mac compressed file you will see something like this.

$ unzip -l folder.zip
Archive:  /Users/me/Desktop/folder.zip
  Length     Date   Time    Name
 --------    ----   ----    ----
        0  06-21-13 11:16   Folder of stuff/
     6148  06-21-13 11:15   Folder of stuff/.DS_Store
        0  06-21-13 11:16   __MACOSX/
        0  06-21-13 11:16   __MACOSX/Folder of stuff/
       82  06-21-13 11:15   __MACOSX/Folder of stuff/._.DS_Store
   104314  06-21-13 11:16   Folder of stuff/Lorem Ipsum.docx
       82  06-21-13 11:16   __MACOSX/Folder of stuff/._Lorem Ipsum.docx
    52064  07-01-10 15:19   Folder of stuff/man.jpg
       11  06-21-13 11:16   Folder of stuff/Testfiles.txt
      171  06-21-13 11:16   __MACOSX/Folder of stuff/._Testfiles.txt
    10538  03-06-11 11:14   Folder of stuff/Untitled-1.jpg
 --------                   -------
   173410                   11 files

Note all of the "__MACOSX" directories. If you use the standard unzip command to extract the .zip, you will get a directory named "__MACOSX" as well as your unarchived directory. Your newly unzipped directory does not contain any of the metadata or hidden resource files that may be necessary for some files to function properly. So how do you resolve this issue from the command line?

ditto to the rescue
If you don't know the 'ditto' command and you manage Macs, you should get to know it: it's fantastic for moving files and apparently even for archiving them. Check out the man page for ditto and you will get a number of useful examples. Until recently I didn't know you could use the command for archiving files. Here is what the man page says about compression:

The command:
ditto -c -k --sequesterRsrc --keepParent src_directory archive.zip
will create a PKZip archive similarly to the Finder's Compress functionality.

So in my example you could do the following to compress the “folder” directory.

ditto -c -k --sequesterRsrc --keepParent /Users/me/Desktop/folder /Users/me/Desktop/folder.zip

To extract folder.zip do this.

ditto -x -k /Users/me/Desktop/folder.zip /Users/me/Desktop

This will extract the archive and create a folder on the desktop named “folder”. It will replace anything with the same file/folder names or add items if names have changed.

Why is this important? You can use the command line to archive and extract anything, including user directories, and preserve ACLs and other metadata. Much better than using zip.

Ditto has other quirks you should know about, so read the man page and the examples, then experiment before using it.

Written by Marc Kerr

June 21st, 2013 at 11:53 am

Posted in Apple,Tech,Work

Shell Script to enable certain users for SSH on OS X


I recently found the need to be able to turn on SSH access for only a certain user. The idea is to have an unprivileged user enabled for SSH so that Apple Remote Desktop can have its traffic wrapped in an SSH tunnel. For details see the Apple Remote Desktop 3.2 – Administrator’s Guide page 83. Using the unprivileged user is only one small part of trying to make the system reasonably secure while still allowing you to admin the systems remotely. You still need to set firewall rules and a few other things.

At least since 10.6.8, Apple has been using two access groups in the local LDAP to control access to the SSH service. When you first set up a system and haven't touched the Remote Login settings, there are no access control groups for SSH in /Local/Default/Groups. If you turn on SSH you will get com.apple.access_ssh. If you limit who can log in to SSH, those users are added to the access group by the system. To enable SSH for a single user you would think you could create the access group and add users using dseditgroup. That would work for a fresh system, but if you have ever enabled and then disabled SSH you will have a com.apple.access_ssh-disabled group. Changing SSH access in the GUI is easy; the system removes and adds these groups for you, and you can watch all of it happen by using dscl to list the contents of /Local/Default/Groups as you make changes.

The following is my shell script to remove the groups, add the right group, add a user to that group and turn on SSH. Maybe this will help someone.

#!/bin/sh

# script to enable a particular user for SSH on OS X systems
# Marc Kerr https://marckerr.com 5/31/13
# Use this as you like. No guarantees

USERNAME="somebody"

# Check that root is running the script otherwise nothing works
if [ "$(id -u)" -ne 0 ]; then
   echo "This script must be run as root" 1>&2
   exit 1
fi

# Disable SSH to start with regardless of whether it's on.
# -f skips the "really turn remote login off?" confirmation prompt.
systemsetup -f -setremotelogin off

# Delete all associated SSH groups to start fresh.
# Whether the groups exist or not they will be removed; the error for a
# group that is already missing is ignored.
for group in com.apple.access_ssh-disabled com.apple.access_ssh
do
	dseditgroup -o delete -q "$group" 2>/dev/null
done

# now we can create the access group and add the user(s)
dseditgroup -o create -q com.apple.access_ssh
# -o edit -a adds a member to the group; -t user says the member is a user record
dseditgroup -o edit -q -a "$USERNAME" -t user com.apple.access_ssh

# Turn SSH back on
systemsetup -setremotelogin on

exit 0

Written by Marc Kerr

May 31st, 2013 at 2:59 pm

Posted in Apple,Shell Scripts,Work


Create hidden users on OS X with ARD access


Here is a script I’ve pieced together to create a hidden user on OS X as a Standard user then set that user with ARD privileges. Not giving the user admin privileges really doesn’t protect from an ARD hack or someone with the password to that user because the ARD agent on the client machine will run remote commands as root. It would prevent a “Screen Sharing” user from doing anything as an admin.

#!/bin/sh

# This script will let you create a hidden standard user with any short name you want.
# To get a username and password prompt at the login window use Option + Down Arrow, then Command + Return.
# This script is based on several sources:
# http://support.apple.com/kb/HT5017?viewlocale=en_US
# http://apple.stackexchange.com/questions/82472/what-steps-are-needed-to-create-a-new-user-from-the-command-line-on-mountain-lio
# http://www.tonymacx86.com/mac-os-x-support/87058-guide-how-make-hidden-admin-account-mac-osx.html
# http://support.apple.com/kb/ht2370
# This standard user is given Apple Remote Desktop access.

# dscl, kickstart and the /Library/Preferences writes below all need root
if [ "$(id -u)" -ne 0 ]; then
   echo "This script must be run as root" 1>&2
   exit 1
fi

# For interactivity use the following
# Set the variable USERNAME
echo "Enter the Username of the account you want to create."
read USERNAME

echo "Enter the Pass Phrase of the account you want to create."

# Get settings for terminal then disable echo to hide typing of the password
oldmodes=$(stty -g)
stty -echo

# This will make the variable PASSWORD
read PASSWORD

# sets term back to its original settings, then prints the newline that echo off swallowed
stty "$oldmodes"
echo

# If you don't want interactivity comment out the previous and use these commands
# USERNAME="username"
# PASSWORD="User a passphrase"

# This makes the account as a standard user: PrimaryGroupID 20 is the staff
# group, not admin. UniqueID 405 must not already be in use on the system;
# check with: dscl . -list /Users UniqueID
dscl . create "/Users/$USERNAME"
dscl . create "/Users/$USERNAME" UniqueID 405
dscl . create "/Users/$USERNAME" PrimaryGroupID 20
dscl . create "/Users/$USERNAME" NFSHomeDirectory "/private/var/$USERNAME"
dscl . create "/Users/$USERNAME" UserShell /bin/bash
# because we are using a passphrase the variable needs to be in quotes.
dscl . passwd "/Users/$USERNAME" "$PASSWORD"

### Enable ARD
# Set ARD for a specific user with specific access privileges
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart \
-activate -configure -access -on -users "$USERNAME" \
-privs -DeleteFiles -TextMessages -OpenQuitApps -GenerateReports -RestartShutDown -SendFiles -ChangeSettings

# you must also set the specifiedUsers option to limit access to the individual user
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart \
-configure -allowAccessFor -specifiedUsers -restart -agent -menu

# Users with a UID less than 500 will be hidden with this
defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool TRUE

# This makes the account hidden. -array replaces any existing list; use -array-add to append to one.
defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array "$USERNAME"

# This makes the Other entry in the login window disappear
defaults write /Library/Preferences/com.apple.loginwindow SHOWOTHERUSERS_MANAGED -bool FALSE

# Create the user's home directory
createhomedir -c -u "$USERNAME"

exit 0
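An added example, not part of the script above, for the UniqueID step: instead of hard-coding 405, pick the lowest unused UID below 500 from the output of dscl . -list /Users UniqueID and refuse a short name that already exists, so the hidden account cannot collide with an existing user. The function name, the 401-499 search range and the sample dscl output are assumptions.

```shell
#!/bin/sh
# Added example, not from the post: choose a free sub-500 UniqueID for the
# hidden account and reject a short name that is already taken.
# Input on stdin is the output of:  dscl . -list /Users UniqueID
# (one "name uid" pair per line).

# plan_hidden_user NAME [LO] [HI]  -> prints a free UID, or fails
plan_hidden_user() {
    name=$1; lo=${2:-401}; hi=${3:-499}
    case "$name" in                    # short names: lowercase, digits, _ . -
        ""|*[!a-z0-9_.-]*) echo "bad short name: $name" >&2; return 1 ;;
    esac
    awk -v name="$name" -v lo="$lo" -v hi="$hi" '
        NF >= 2 {
            if ($1 == name) { print "user exists: " name > "/dev/stderr"; bad = 1; exit 1 }
            used[$2] = 1                   # second column is the UniqueID
        }
        END {
            if (bad) exit 1
            for (u = lo; u <= hi; u++) if (!(u in used)) { print u; exit 0 }
            print "no free UID in " lo "-" hi > "/dev/stderr"; exit 1
        }'
}

# Constructed sample of dscl output; a real list also has many _service users
SAMPLE_USERS='root 0
_www 70
nobody -2
svcadmin 401
rdhelper 402
marc 501'

# On a live system, replacing the fixed "UniqueID 405" line in the script:
#   uid=$(dscl . -list /Users UniqueID | plan_hidden_user "$USERNAME") || exit 1
#   dscl . create "/Users/$USERNAME" UniqueID "$uid"
```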

Written by Marc Kerr

May 17th, 2013 at 4:52 pm

Posted in Apple,Shell Scripts,Work


I’m Back, maybe


I may try to post more regularly here. I've got a new job doing Apple system administration etc., so I'll be able to do more technical things than I have in the past. Less advising how to do things and more actual doing.

Written by Marc Kerr

May 3rd, 2013 at 2:48 pm

Posted in Apple,Work