<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On Aug 28, 2020, at 3:47 PM, Jed Brown <<a href="mailto:jed@jedbrown.org" class="">jed@jedbrown.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">"Hapla Vaclav" <<a href="mailto:vaclav.hapla@erdw.ethz.ch" class="">vaclav.hapla@erdw.ethz.ch</a>> writes:<br class=""><br class=""><blockquote type="cite" class="">On MacOS, maybe you also have lots of firewall popups appearing/disappearing when running tests like<br class=""> Do you want the application "ex29" to accept incoming network connections?<br class=""></blockquote><br class="">Is there a way to express that the application does not need (should not accept) incoming connections?<br class=""></div></div></blockquote><div><br class=""></div><div> Yes, this also seems to work:</div><div><br class=""></div><div>sudo $$FW --block $$APP</div><div><br class=""></div><div>instead of </div><div><br class=""></div><div>sudo $$FW --unblock $$APP</div><div><br class=""></div><div>The parallel program still runs correctly to conclusion without the popup. </div><div><br class=""></div><div> So my conclusion is that at listen() or some later system call it always pops up the window (unless the user as already blocked or unblocked the executable) without regard to whether an outside (from the machine) connection to the process is attempted. </div><div><br class=""></div><div> The routine has an undocumented option -a <listen or accept> when you run with </div><div><br class=""></div><div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">/usr/libexec/ApplicationFirewall/socketfilterfw -d -a accept</span></div></div><div><br class=""></div>it prints <span style="font-family: Menlo; font-size: 14px;" class="">ASKWHENACCEPT</span><span style="font-family: Menlo; font-size: 14px;" class=""> which seems to indicate it will delay the popup until an accept is called but I can't confirm this because the debugger never stops in accept on one process but the popup still comes up so this argument may be ignored.</span></div><div><font face="Menlo" class=""><span style="font-size: 14px;" class=""><br class=""></span></font></div><div><font face="Menlo" class=""><span style="font-size: 14px;" class="">If I were Junchao I would not do the popup until the code tried to accepted an EXTERNAL connection (the lazy evaluation) but I cannot get it to behave this way. </span></font></div><div><font face="Menlo" class=""><span style="font-size: 14px;" class=""><br class=""></span></font></div><div><font face="Menlo" class=""><span style="font-size: 14px;" class="">If I disconnect from the network I still get the popups. </span></font></div><div><font face="Menlo" class=""><span style="font-size: 14px;" class=""><br class=""></span></font></div><div><font face="Menlo" class=""><span style="font-size: 14px;" class="">The pop up is asynchronous also, when the popup is still up the program keeps run (even in parallel) and ends normally. Then the popup disappears. </span></font></div><div><font face="Menlo" class=""><span style="font-size: 14px;" class=""><br class=""></span></font></div><div><font face="Menlo" class=""><span style="font-size: 14px;" class=""> Apple could make this friendly without hurting security but then Apple never cared about external developers for the Mac.</span></font></div><div><font face="Menlo" class=""><span style="font-size: 14px;" class=""><br class=""></span></font></div><div><font face="Menlo" class=""><span style="font-size: 14px;" class=""><br class=""></span></font><blockquote type="cite" class=""><div class=""><div class=""><br class="">Normalizing sudo during build/testing seems really bad.<br class=""></div></div></blockquote></div><br class=""></body></html>