
On 10.6.8, if you have both Screen Sharing and Firewall turned on, port 5900 is automatically opened in the firewall. This is bad, because I want to access that port via ssh port forwarding and not allow it open to the world.

When I go into Sharing, Computer Settings there's nothing, and in the Advanced... Firewall settings I can't disallow incoming connections for "Screen Sharing".

I can also connect directly to the machine with VNC and port 5900.

Anyone know how to fix this problem?

Solution is:

# Flush the existing ipfw rule set, then allow all loopback traffic (so the
# ssh-forwarded connection to 127.0.0.1:5900 still works) before denying
# inbound connections to port 5900 arriving from anywhere else.
ipfw -f flush
ipfw add 10000 allow ip from any to any via lo0
ipfw add 20000 deny ip from any to any dst-port 5900 in

After the above, I can access port 5900 via port forwarding, but not directly from outside the machine.

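Why the rule order above matters is easiest to see by walking packets through ipfw's first-match evaluation. The following Python script is an added illustration (not code from the question, the answer, or Apple's ipfw): it parses the two `ipfw add` lines from the solution, applies them to three constructed packets, and shows that a VNC connection that sshd opens locally over lo0 is accepted by rule 10000 while a direct connection from the network is dropped by rule 20000. It models only the keywords those rules use, uses documentation-range addresses, and assumes ipfw's implicit final rule 65535 is `allow ip from any to any`, as it is on Mac OS X.

```python
"""Simulate ipfw first-match evaluation for the two rules in the question.

Added illustration, not code from the page or from Apple's ipfw. Only the
keywords the question's rules use are modelled: allow/deny, 'ip from any to
any', 'via <iface>', 'dst-port <n>' and the 'in'/'out' direction.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str          # source IP address
    dst: str          # destination IP address
    dst_port: int     # destination port
    iface: str        # interface the packet crosses, e.g. "lo0" or "en0"
    direction: str    # "in" or "out", relative to this host


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                      # "allow" or "deny"
    via: Optional[str] = None        # interface restriction, None for any
    dst_port: Optional[int] = None   # destination-port restriction, None for any
    direction: Optional[str] = None  # "in", "out", or None for either


def parse_rule(line: str) -> Rule:
    """Parse 'ipfw add <num> <action> ip from any to any [options...]'."""
    tokens = line.split()
    if tokens[:2] != ["ipfw", "add"]:
        raise ValueError(f"not an 'ipfw add' line: {line!r}")
    number, action = int(tokens[2]), tokens[3]
    if action not in ("allow", "deny"):
        raise ValueError(f"unsupported action {action!r}")
    if tokens[4:9] != ["ip", "from", "any", "to", "any"]:
        raise ValueError("only 'ip from any to any' bodies are modelled")
    via = dst_port = direction = None
    opts = tokens[9:]
    i = 0
    while i < len(opts):
        if opts[i] == "via":
            via = opts[i + 1]
            i += 2
        elif opts[i] == "dst-port":
            dst_port = int(opts[i + 1])
            i += 2
        elif opts[i] in ("in", "out"):
            direction = opts[i]
            i += 1
        else:
            raise ValueError(f"unsupported option {opts[i]!r}")
    return Rule(number, action, via, dst_port, direction)


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every restriction the rule carries is satisfied by the packet."""
    if rule.via is not None and rule.via != pkt.iface:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    return True


def evaluate(rules, pkt: Packet) -> str:
    """First matching rule in number order decides; else the implicit default."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return f"{rule.action} (rule {rule.number})"
    # Assumption: the implicit last rule 65535 on Mac OS X allows everything.
    return "allow (rule 65535)"


# The two 'ipfw add' lines from the question's solution, verbatim.
RULES = [parse_rule(line) for line in (
    "ipfw add 10000 allow ip from any to any via lo0",
    "ipfw add 20000 deny ip from any to any dst-port 5900 in",
)]

# Constructed sample traffic (addresses are from documentation ranges).
SAMPLE_PACKETS = {
    # Someone on the network connecting straight to VNC: must be blocked.
    "external_vnc": Packet("203.0.113.5", "198.51.100.10", 5900, "en0", "in"),
    # sshd on this host delivering a forwarded session to 127.0.0.1:5900.
    "forwarded_vnc": Packet("127.0.0.1", "127.0.0.1", 5900, "lo0", "in"),
    # The ssh session itself: not covered by either rule, so default applies.
    "external_ssh": Packet("203.0.113.5", "198.51.100.10", 22, "en0", "in"),
}


def verdict_for(name: str) -> str:
    return evaluate(RULES, SAMPLE_PACKETS[name])


if __name__ == "__main__":
    for name in SAMPLE_PACKETS:
        print(f"{name:14s} -> {verdict_for(name)}")
```

Swapping the two rule numbers (so the deny came first) would also drop the loopback packet, which is exactly the failure mode the `via lo0` rule at the lower number is there to prevent.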

1 Answer


You might be able to override it by adding your own ipfw firewall rule to block port 5900. Start with man ipfw and go from there.

  • I expected "ipfw -a list" to show the current state of the firewall, but apparently the Firewall app doesn't use ipfw. Weird.
    – e40
    Commented Feb 25, 2012 at 22:47
  • @e40 You're right, the default "application firewall" doesn't use ipfw. I think the strict firewall still did in Snow Leopard though. And when you go to Lion or Mountain Lion, you'll discover that ipfw has been deprecated in favor of pf.
    – Spiff
    Commented Feb 25, 2012 at 23:20
  • Crikey! I'll have to read up on pf. Thanks.
    – e40
    Commented Feb 26, 2012 at 2:20
