Firewall locked you out of screensharing on OS X?

Sadly, I had this experience lately. Even though I had the firewall explicitly set to allow connections using Screen Sharing, for some reason my Mavericks OS X 10.9 server hiccuped and I couldn’t access it via screen sharing.

Here’s how I resolved my dilemma:

I was thankfully able to connect via SSH, so I first checked to be sure the screensharing daemon was running:

ps -eaf|grep screensharing

It was. So, next I looked at the firewall log to see if it was blocking. Sure enough, it was:

$ tail -f /var/log/appfirewall.log 

Nov 13 15:52:26 my.server.com socketfilterfw[236] : dovecotd: Allow TCP CONNECT (in:1 out:0)
Nov 13 15:52:26 my.server.com socketfilterfw[236] : httpd: Allow TCP CONNECT (in:8 out:0)
Nov 13 15:52:26 my.server.com socketfilterfw[236] : master: Deny TCP CONNECT (in:3 out:0)
Nov 13 15:52:26 my.server.com socketfilterfw[236] : screensharingd: Deny TCP CONNECT (in:4 out:0)
Nov 13 15:52:56 my.server.com socketfilterfw[236] : dovecotd: Allow TCP CONNECT (in:2 out:0)
Nov 13 15:52:56 my.server.com socketfilterfw[236] : httpd: Allow TCP CONNECT (in:5 out:0)
Nov 13 15:52:56 my.server.com socketfilterfw[236] : awacsd: Allow TCP CONNECT (in:1 out:0)
Nov 13 15:52:56 my.server.com socketfilterfw[236] : screensharingd: Deny TCP CONNECT (in:4 out:0)

Boom, there it is. The firewall’s blocking screensharingd.

Next, I checked my firewall settings:

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --listapps

Oddly, there was no entry for screensharingd…

So, I added it:

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --add /System/Library/CoreServices/RemoteManagement/screensharingd.bundle/Contents/MacOS/screensharingd

I then checked firewall settings again, and saw that it was added and was set to allow incoming connections:

19 :  /System/Library/CoreServices/RemoteManagement/screensharingd.bundle/Contents/MacOS/screensharingd 
 	 ( Allow incoming connections )

If it were instead set to disallow incoming connections, I would have run:

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --unblockapp /System/Library/CoreServices/RemoteManagement/screensharingd.bundle/Contents/MacOS/screensharingd

Then, I restarted the firewall, noting these important caveats: You need to sudo the unload & load of the daemon (/System/Library/LaunchDaemons/com.apple.alf.agent.plist); otherwise it’ll try to unload & load them from the user launchd, which won’t work right. Do not, however, sudo the commands for the useragent:

launchctl unload /System/Library/LaunchAgents/com.apple.alf.useragent.plist
sudo launchctl unload /System/Library/LaunchDaemons/com.apple.alf.agent.plist

sudo launchctl load /System/Library/LaunchDaemons/com.apple.alf.agent.plist
launchctl load /System/Library/LaunchAgents/com.apple.alf.useragent.plist

Had I wanted to simply disable the firewall, I would have first issued the following command, and then restarted the services:

sudo defaults write /Library/Preferences/com.apple.alf globalstate -int 0
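
The diagnosis steps above (find the Deny lines in appfirewall.log, then look for a matching entry in the --listapps output) can be scripted. This is an added example, not part of the original post: fw_denied_report and fw_demo are hypothetical names, the second argument is assumed to be a file holding saved --listapps output in the two-line layout shown above, and the httpd entry in the sample is constructed.

```shell
#!/bin/sh
# Added example, not the post's code. Usage: fw_denied_report LOGFILE LISTAPPS_FILE
# Per process with Deny lines: name, Deny line count, summed "in:" counter,
# and the state --listapps shows for it ("missing" when there is no entry).
fw_denied_report() {
    awk -v apps="$2" '
    BEGIN {
        # Saved --listapps output: "N :  /path/to/binary", then "( state )".
        while ((getline line < apps) > 0) {
            if (line ~ /^[0-9]+ :/) {
                sub(/^[0-9]+ :[ \t]*/, "", line); sub(/[ \t]+$/, "", line)
                n = split(line, part, "/"); cur = part[n]; rule[cur] = "unknown"
            } else if (cur != "" && match(line, /\(.*\)/)) {
                state = substr(line, RSTART + 1, RLENGTH - 2)
                gsub(/^[ \t]+|[ \t]+$/, "", state)
                rule[cur] = state; cur = ""
            }
        }
    }
    # Log line: "... <process>: Deny TCP CONNECT (in:N out:M)"
    match($0, /[^ :]+: Deny /) {
        proc = substr($0, RSTART, RLENGTH); sub(/:.*/, "", proc)
        denies[proc]++
        if (match($0, /in:[0-9]+/))
            inbound[proc] += substr($0, RSTART + 3, RLENGTH - 3)
    }
    END {
        for (p in denies)
            printf "%s\tdenies=%d\tinbound=%d\trule=%s\n", p, denies[p],
                   inbound[p], (p in rule) ? rule[p] : "missing"
    }' "$1" | sort
}

# Constructed sample: log lines copied from the post; the --listapps entry
# (httpd path and index) is made up for the demo.
fw_demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/appfirewall.log" <<'EOF'
Nov 13 15:52:26 my.server.com socketfilterfw[236] : httpd: Allow TCP CONNECT (in:8 out:0)
Nov 13 15:52:26 my.server.com socketfilterfw[236] : master: Deny TCP CONNECT (in:3 out:0)
Nov 13 15:52:26 my.server.com socketfilterfw[236] : screensharingd: Deny TCP CONNECT (in:4 out:0)
Nov 13 15:52:56 my.server.com socketfilterfw[236] : screensharingd: Deny TCP CONNECT (in:4 out:0)
EOF
    printf '1 :  /usr/sbin/httpd \n\t ( Allow incoming connections )\n' > "$tmp/listapps.txt"
    fw_denied_report "$tmp/appfirewall.log" "$tmp/listapps.txt"
    rm -rf "$tmp"
}

fw_demo
```

On the server, pass /var/log/appfirewall.log as the first argument and a file containing the output of the --listapps command as the second.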
