<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">
<br class="">
<div><br class="">
<blockquote type="cite" class="">
<div class="">On 29 Aug 2020, at 05:44, Satish Balay via petsc-dev <<a href="mailto:petsc-dev@mcs.anl.gov" class="">petsc-dev@mcs.anl.gov</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div class="">Likely firewall is disabled.<br class="">
<br class="">
I've recently rebuild a bunch of boxes - and don't remember explicity disabling firewall. [well I did something to enable ssh - maybe that was disabling firewall]<br class="">
<br class="">
I see the firewall is disabled on all of them<br class="">
<br class="">
balay@ypro ~ % defaults read /Library/Preferences/com.apple.alf globalstate<br class="">
0<br class="">
balay@ypro ~ % <br class="">
<br class="">
Ref: <a href="https://raymii.org/s/snippets/OS_X_-_Turn_firewall_on_or_off_from_the_command_line.html" class="">
https://raymii.org/s/snippets/OS_X_-_Turn_firewall_on_or_off_from_the_command_line.html</a><br class="">
<br class="">
BTW: Perhaps the following setting will prevent popups? [but it might break stuff that need network?]<br class="">
<br class="">
sudo defaults write /Library/Preferences/com.apple.alf globalstate -int 2<br class="">
</div>
</div>
</blockquote>
<div><br class="">
</div>
<div>2 = on for essential services</div>
<div><br class="">
</div>
<div><a href="https://discussions.apple.com/thread/3148672" class="">https://discussions.apple.com/thread/3148672</a></div>
<div><br class="">
</div>
<div>So I don't think that's an option for normal people - I don't think anybody is keen to limit the network functionality on their laptop (e.g. disable Spotify) just for sake of PETSc testing.</div>
<div><br class="">
</div>
<div>So I still think the automated targeted firewall rules I propose are better for most guys. The question is how much automated solution we want to offer.</div>
<div><br class="">
</div>
<div>Vaclav</div>
<br class="">
<blockquote type="cite" class="">
<div class="">
<div class=""><br class="">
Satish<br class="">
<br class="">
On Fri, 28 Aug 2020, Matthew Knepley wrote:<br class="">
<br class="">
<blockquote type="cite" class="">Which OS is this? It does not happen on my Catalina.<br class="">
<br class="">
Thanks,<br class="">
<br class="">
Matt<br class="">
<br class="">
On Fri, Aug 28, 2020 at 10:52 PM Barry Smith <<a href="mailto:bsmith@petsc.dev" class="">bsmith@petsc.dev</a>> wrote:<br class="">
<br class="">
<blockquote type="cite" class=""><br class="">
<br class="">
On Aug 28, 2020, at 3:47 PM, Jed Brown <<a href="mailto:jed@jedbrown.org" class="">jed@jedbrown.org</a>> wrote:<br class="">
<br class="">
"Hapla Vaclav" <<a href="mailto:vaclav.hapla@erdw.ethz.ch" class="">vaclav.hapla@erdw.ethz.ch</a>> writes:<br class="">
<br class="">
On MacOS, maybe you also have lots of firewall popups<br class="">
appearing/disappearing when running tests like<br class="">
Do you want the application "ex29" to accept incoming network connections?<br class="">
<br class="">
<br class="">
Is there a way to express that the application does not need (should not<br class="">
accept) incoming connections?<br class="">
<br class="">
<br class="">
Yes, this also seems to work:<br class="">
<br class="">
sudo $$FW --block $$APP<br class="">
<br class="">
instead of<br class="">
<br class="">
sudo $$FW --unblock $$APP<br class="">
<br class="">
The parallel program still runs correctly to conclusion without the popup.<br class="">
<br class="">
So my conclusion is that at listen() or some later system call it always<br class="">
pops up the window (unless the user as already blocked or unblocked the<br class="">
executable) without regard to whether an outside (from the machine)<br class="">
connection to the process is attempted.<br class="">
<br class="">
The routine has an undocumented option -a <listen or accept> when you run<br class="">
with<br class="">
<br class="">
/usr/libexec/ApplicationFirewall/socketfilterfw -d -a accept<br class="">
<br class="">
it prints ASKWHENACCEPT which seems to indicate it will delay the popup<br class="">
until an accept is called but I can't confirm this because the debugger<br class="">
never stops in accept on one process but the popup still comes up so this<br class="">
argument may be ignored.<br class="">
<br class="">
If I were Junchao I would not do the popup until the code tried to<br class="">
accepted an EXTERNAL connection (the lazy evaluation) but I cannot get it<br class="">
to behave this way.<br class="">
<br class="">
If I disconnect from the network I still get the popups.<br class="">
<br class="">
The pop up is asynchronous also, when the popup is still up the program<br class="">
keeps run (even in parallel) and ends normally. Then the popup disappears.<br class="">
<br class="">
Apple could make this friendly without hurting security but then Apple<br class="">
never cared about external developers for the Mac.<br class="">
<br class="">
<br class="">
<br class="">
Normalizing sudo during build/testing seems really bad.<br class="">
<br class="">
<br class="">
<br class="">
</blockquote>
<br class="">
<br class="">
</blockquote>
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</body>
</html>