Thursday, November 5, 2009

Xgrid: firewall can be on

I'm continuing with Xgrid (previous post) and trying to learn more about the firewall. Executive summary: it does not need to be off.

I have it set to "Automatically allow signed software ..." as shown in the screenshot:



The short example from the previous post works in this configuration.


# start the controller daemon, then check that it came up
sudo /usr/libexec/xgrid/xgridcontrollerd
sudo xgridctl controller start
sudo xgridctl controller status
# submit a trivial job to the local controller; the id it prints is used below
sudo xgrid -h 127.0.0.1 -p <:password> -job submit /usr/bin/cal
# fetch the output for that job id (0 here; substitute the id returned by submit)
sudo xgrid -h 127.0.0.1 -p <:password> -job results -id 0


(Note that after the "submit", you will receive a job id and should use that in the last step).

There is much more to say about the firewall. First, Apple is moving to controlling access per application rather than per port. This makes a lot of sense. It's called the Application Firewall (here is a short blurb about it, and here is the latest addition to my reading list: Code Signing).

And it's evident in the screenshot. Using the + and - buttons, one can manually add an application (if it can be located in the Finder) to the list of allowed applications. I have checked "Automatically allow."

By steps that I don't remember, in one of my tests I got an alert panel asking about xgridcontrollerd, the Xgrid Controller daemon:



which I answered "Allow", leading to the daemon being listed in the table; but it is not listed there now, and yet Xgrid is working.



I wish I could remember how I did this!

According to the doc (above)
You can even add command line applications to this list.

But it doesn't say how one would do this. It would be very useful to know how to emulate the + button from Terminal, since /usr and paths beneath it such as /usr/libexec/xgrid/xgridcontrollerd are not visible from the Finder.

Also:
Earlier ipfw technology is still accessible from the command line (in Terminal) and the Application Firewall does not overrule rules set with ipfw; if ipfw blocks an incoming packet, the Application Firewall will not process it.
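The two open questions above, how to do the + button's job from Terminal for a binary the Finder cannot see, and how to tell whether ipfw has already dropped a packet before the Application Firewall looks at it, can both be answered with a small shell script. The script below is an added example, not code from the original post or from Apple. It assumes the command-line front end to the Application Firewall at /usr/libexec/ApplicationFirewall/socketfilterfw with the double-dash options of the 10.6-era tool (--add, --unblockapp, --listapps); earlier releases shipped a version with single-dash options, so run it with no arguments first to see what yours accepts. It also assumes TCP 4111, the IANA-registered xgrid port, and the sample --listapps and ipfw list output it parses is constructed for the example, not captured from a real machine. Nothing is changed on the system unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the original post): put a command-line daemon into the
# Application Firewall's allowed list from Terminal, then check both layers that
# can stop an incoming connection: ipfw (consulted first) and the ALF table.
#
# Assumptions, labelled: socketfilterfw path and --add/--unblockapp/--listapps
# options are those of the 10.6-era tool; port 4111 is the IANA "xgrid" port.

SFW=/usr/libexec/ApplicationFirewall/socketfilterfw
DAEMON=/usr/libexec/xgrid/xgridcontrollerd
PORT=4111
DRY_RUN=${DRY_RUN:-0}

# Emulate the "+" button followed by "Allow incoming connections".
# With DRY_RUN=1 the commands are printed, one per line, instead of executed.
alf_allow() {
  if [ "$DRY_RUN" = 1 ]; then
    printf 'sudo %s --add %s\nsudo %s --unblockapp %s\n' "$SFW" "$1" "$SFW" "$1"
  else
    sudo "$SFW" --add "$1" && sudo "$SFW" --unblockapp "$1"
  fi
}

# Report one path's state in `socketfilterfw --listapps` output read from stdin:
# "allow", "block", or "absent". "absent" only means the table has no entry;
# the script does not guess why (the signed-software rule is one possibility).
alf_state() {
  awk -v p="$1" '
    index($0, p)              { found = 1; next }
    found && /Allow incoming/ { print "allow"; done = 1; exit }
    found && /Block incoming/ { print "block"; done = 1; exit }
    END                       { if (!done) print "absent" }
  '
}

# Check the ipfw layer from `sudo ipfw list` output on stdin: a deny rule for the
# port means the Application Firewall never sees those packets at all.
ipfw_denies_port() {
  awk -v port="$1" '
    /deny/ && ($0 ~ ("dst-port " port "([^0-9]|$)")) { hit = 1 }
    END { print (hit ? "denied" : "not-denied") }
  '
}

# Constructed sample output so the parsing can be exercised offline.
SAMPLE_LISTAPPS='ALF: total number of apps = 2
1 :  /usr/libexec/xgrid/xgridcontrollerd
   ( Allow incoming connections )
2 :  /Applications/SomeApp.app
   ( Block incoming connections )'
SAMPLE_IPFW='01000 deny tcp from any to me dst-port 4111 in
65535 allow ip from any to any'

if [ "${APPLY:-0}" = 1 ]; then
  # Real run on a Mac with the assumed tools present.
  alf_allow "$DAEMON"
  sudo "$SFW" --listapps | alf_state "$DAEMON"
  if command -v ipfw >/dev/null 2>&1; then
    sudo ipfw list | ipfw_denies_port "$PORT"
  fi
else
  echo "$SAMPLE_LISTAPPS" | alf_state "$DAEMON"   # allow
  echo "$SAMPLE_IPFW" | ipfw_denies_port "$PORT"  # denied
fi
```

Run it as APPLY=1 sh allow-xgrid.sh on the controller to register the daemon and confirm its state; without APPLY it only parses the constructed samples. If ipfw_denies_port reports "denied", editing the ALF table will not help, which is exactly the precedence the quoted paragraph describes.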
