rabbitmq / rabbitmq-server

Open source RabbitMQ: core server and tier 1 (built-in) plugins
https://www.rabbitmq.com/

Firewall prompt on OSX: Do you want the application “beam.smp” to accept incoming network connections? #1855

Closed sluramod closed 5 years ago

sluramod commented 5 years ago

For Those Landing Here from Google, Baidu, etc.

See this doc section on how to whitelist RabbitMQ node processes with the macOS firewall.

Original Issue

I keep getting the following prompt:

Do you want the application “beam.smp” to accept incoming network connections?

Regardless of which option I choose (Accept or Deny), I will keep getting the same prompt every few minutes.

michaelklishin commented 5 years ago

Thank you for your time.

Team RabbitMQ uses GitHub issues for specific actionable items engineers can work on. GitHub issues are not used for questions, investigations, root cause analysis, discussions of potential issues, etc (as defined by this team).

We get at least a dozen questions through various venues every single day, often light on details. At that rate GitHub issues can very quickly turn into something impossible to navigate and make sense of even for our team. Because GitHub is a tool our team uses heavily nearly every day, the signal/noise ratio of issues is something we care about a lot.

Please post this to rabbitmq-users.

Thank you.

michaelklishin commented 5 years ago

Since Erlang doesn't have an application to add in the UI, an exception must be added using /usr/libexec/ApplicationFirewall/socketfilterfw --add /path/to/bin/erl.

michaelklishin commented 5 years ago

man socketfilterfw is scarce on details, but it looks like to whitelist an executable it has to be added and then unblocked:

/usr/libexec/ApplicationFirewall/socketfilterfw --add /path/to/bin/erl
/usr/libexec/ApplicationFirewall/socketfilterfw --unblock /path/to/bin/erl

Some threads suggest that if a service binds to localhost only, its traffic is always allowed. See RabbitMQ Networking guide to find out how to do that.

sluramod commented 5 years ago

For those experiencing this problem: make sure you use the path to the erl executable, not a symlink. In the case of Homebrew it will be in /usr/local/Cellar/erlang/<version>/lib/erlang/bin/erl; otherwise you will get the "The application is not part of the firewall" message at the --unblock step.

scuml commented 4 years ago

Needed --unblockapp on my machine running OS 10.14 ...

/usr/libexec/ApplicationFirewall/socketfilterfw --add /usr/local/Cellar/erlang/<version>/lib/erlang/bin/erl
/usr/libexec/ApplicationFirewall/socketfilterfw --unblockapp /usr/local/Cellar/erlang/<version>/lib/erlang/bin/erl

michaelklishin commented 4 years ago

We will add this to the docs, although it looks like socketfilterfw remains scarcely documented and keeps changing the arguments it supports from macOS version to version.
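
Putting the steps from the comments above together (the add-then-unblock sequence, the real path rather than the Homebrew symlink, and the newer --unblockapp spelling), here is a shell script added as an example; it is not part of RabbitMQ or of the original thread. It assumes a Homebrew layout in which /usr/local/opt/erlang is a symlink into Cellar, that socketfilterfw is run as root, and that a non-zero exit from --unblockapp means the flag is unsupported so the older --unblock should be tried; the FW_DRY_RUN variable is a hypothetical switch of this script that prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not RabbitMQ project code: whitelist the Erlang VM with the
# macOS application firewall by (1) resolving the real path behind any symlink,
# since socketfilterfw rejects symlinks with "The application is not part of
# the firewall", and (2) running --add then --unblockapp/--unblock for erl and
# for every beam.smp under the sibling erts-* directories (the prompt names
# beam.smp, not erl).
# Assumptions (mine, not from the thread): socketfilterfw must run as root;
# FW_DRY_RUN=1 is a hypothetical switch that prints the commands instead of
# running them; a failing --unblockapp means the flag is unsupported on this
# macOS release, so the older --unblock is tried next.
set -u

FW=/usr/libexec/ApplicationFirewall/socketfilterfw

# run CMD... : execute CMD, or just print it when FW_DRY_RUN=1.
run() {
    if [ "${FW_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# resolve_path PATH : print PATH with every symlink component resolved.
# Older macOS readlink has no -f, so follow the link chain by hand and let
# `cd -P` canonicalise the directory part.
resolve_path() {
    p=$1
    hops=0
    while [ -L "$p" ]; do
        hops=$((hops + 1))
        if [ "$hops" -gt 32 ]; then
            echo "resolve_path: symlink loop at $p" >&2
            return 1
        fi
        target=$(readlink "$p")
        case $target in
            /*) p=$target ;;                    # absolute link target
            *)  p=$(dirname "$p")/$target ;;    # relative to the link's directory
        esac
    done
    dir=$(cd -P "$(dirname "$p")" 2>/dev/null && pwd) || return 1
    printf '%s/%s\n' "$dir" "$(basename "$p")"
}

# fw_allow BINARY : add BINARY to the firewall list, then unblock it.
fw_allow() {
    bin=$(resolve_path "$1") || return 1
    if [ ! -x "$bin" ]; then
        echo "fw_allow: $bin is not an executable" >&2
        return 1
    fi
    run "$FW" --add "$bin" || return 1
    run "$FW" --unblockapp "$bin" || run "$FW" --unblock "$bin"
}

# fw_allow_erlang ERL : whitelist erl plus each erts-*/bin/beam.smp next to it.
fw_allow_erlang() {
    erl=$(resolve_path "$1") || return 1
    fw_allow "$erl" || return 1
    erlang_root=$(dirname "$(dirname "$erl")")    # .../lib/erlang
    for beam in "$erlang_root"/erts-*/bin/beam.smp; do
        [ -f "$beam" ] || continue
        fw_allow "$beam" || return 1
    done
    return 0
}

# Usage (Homebrew layout assumed; /usr/local/opt/erlang is a symlink into Cellar):
#   sudo FW_DRY_RUN=1 sh allow-erlang.sh /usr/local/opt/erlang/bin/erl   # preview
#   sudo sh allow-erlang.sh /usr/local/opt/erlang/bin/erl                # apply
if [ -n "${1:-}" ]; then
    fw_allow_erlang "$1"
fi
```

Run it once with FW_DRY_RUN=1 first and compare the printed paths with what /usr/libexec/ApplicationFirewall/socketfilterfw --listapps shows afterwards; if a future macOS release renames the flags again, only the two `run "$FW" ...` lines in fw_allow need changing.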

adimittal commented 4 years ago

I was able to see the beam.smp as blocked in Security and Privacy => Firewall settings. Running the following command unblocked it for me.

$ /usr/libexec/ApplicationFirewall/socketfilterfw --unblock /usr/local/Cellar/erlang/21.2.4/lib/erlang/erts-10.2.3/bin/beam.smp

Incoming connection to the application is permitted

Update for newer version: $ /usr/libexec/ApplicationFirewall/socketfilterfw --unblock /usr/local/Cellar/erlang/23.1.2/lib/erlang/erts-11.1.2/bin/beam.smp

mousomer commented 4 years ago

Thanks, @adimittal . That was helpful.

michaelklishin commented 4 years ago

I have added a new doc section to the Networking guide. Further clarifications are welcome in pull requests.

blowfishpro commented 1 year ago

Did anyone ever figure out what's actually trying to listen for inbound connections? I adjusted RabbitMQ's configuration settings so that it's only listening on the loopback interfaces (127.0.0.1 and ::1) and confirmed via lsof that this worked but I still get these pop-ups, and it often seems to have no relation to when I restart RabbitMQ.

michaelklishin commented 1 year ago

epmd listens for inbound connections from both remote nodes and the local one.

blowfishpro commented 1 year ago

I'm not seeing that:

$ lsof -a -i -p 3249
COMMAND  PID       USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
epmd    3249 <username>    3u  IPv4 0x2339b3799a215e4d      0t0  TCP localhost:epmd (LISTEN)
epmd    3249 <username>    4u  IPv6 0x2339b37e6a9ccdc5      0t0  TCP localhost:epmd (LISTEN)
epmd    3249 <username>    5u  IPv6 0x2339b37e6a9c5dc5      0t0  TCP localhost:epmd->localhost:57908 (ESTABLISHED)

(I believe I also specifically configured epmd to only listen on localhost here)

The pop-up (and all the console messages I can find around this) also specifically reference beam.smp and it looks like epmd is an entirely different executable.
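
To make the loopback check in the last comment repeatable, here is an added shell example (mine, not from the thread or from RabbitMQ) that reads lsof listener output and reports any TCP listener not bound to 127.0.0.1, ::1 or localhost. The sample lsof lines embedded in it are constructed, not captured from a real host; the ports are RabbitMQ's documented defaults (4369 epmd, 5672 AMQP, 25672 inter-node distribution, 15672 management).

```shell
#!/bin/sh
# Added example, not from the thread or the RabbitMQ project: given
# `lsof -nP -iTCP -sTCP:LISTEN` output, report every listening TCP socket that
# is not bound to a loopback address. With -n/-P lsof prints numeric hosts and
# ports, so a wildcard bind shows as "*:PORT", IPv4 loopback as
# "127.0.0.1:PORT" and IPv6 loopback as "[::1]:PORT". "localhost:service" is
# accepted too, for output taken without -n/-P as in the thread.

# Constructed sample (not captured from a real host). Port 4369 is epmd,
# 5672 is AMQP, 25672 is the Erlang distribution port, 15672 is management.
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
epmd     3249 alice    3u  IPv4    0x1      0t0  TCP 127.0.0.1:4369 (LISTEN)
epmd     3249 alice    4u  IPv6    0x2      0t0  TCP [::1]:4369 (LISTEN)
beam.smp 3301 alice   20u  IPv4    0x3      0t0  TCP 127.0.0.1:5672 (LISTEN)
beam.smp 3301 alice   21u  IPv6    0x4      0t0  TCP *:25672 (LISTEN)
beam.smp 3301 alice   22u  IPv4    0x5      0t0  TCP *:15672 (LISTEN)'

# non_loopback_listeners < LSOF_OUTPUT : print "COMMAND PID ADDR:PORT" for each
# LISTEN socket whose address is not loopback; exit 1 if any were found, else 0.
non_loopback_listeners() {
    awk '
        $NF == "(LISTEN)" {
            addr = $(NF - 1)
            sub(/:[^:]+$/, "", addr)       # drop the trailing ":PORT" or ":service"
            if (addr != "127.0.0.1" && addr != "[::1]" && addr != "localhost") {
                print $1, $2, $(NF - 1)
                found = 1
            }
        }
        END { if (found) exit 1; exit 0 }
    '
}

# check_sample : run the check over the constructed sample above.
check_sample() {
    printf '%s\n' "$SAMPLE_LSOF" | non_loopback_listeners
}

# Real use on the host (lsof may need sudo to see sockets of other users):
#   lsof -nP -iTCP -sTCP:LISTEN | non_loopback_listeners
```

On the sample this prints the two beam.smp listeners on 25672 and 15672 and exits non-zero, which is exactly the kind of socket a macOS firewall prompt or a remote peer can reach; the AMQP listener and both epmd sockets are loopback-only and are not reported.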