
Commit a3a8447

Networking guide: mention MacOS Application Firewall
References rabbitmq/rabbitmq-server#1855
1 parent 511f74d commit a3a8447

1 file changed

+34
-0
lines changed

site/networking.md

Lines changed: 34 additions & 0 deletions
@@ -47,6 +47,8 @@ There are several areas which can be configured or tuned. Each has a section in
4747
* Other TCP socket settings
4848
* [Proxy protocol](#proxy-protocol) support for client connections
4949
* Kernel TCP settings and limits (e.g. [TCP keepalives](#tcp-keepalives) and [open file handle limit](#open-file-handle-limit))
50+
* How to allow Erlang runtime to accept inbound connections
51+
when [MacOS Application Firewall](#firewalls-mac-os) is enabled
5052

5153
This guide also covers a few topics closely related to networking:
5254

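Review bot: The new list item at added lines 50-51 is phrased as a task ("How to allow Erlang runtime to accept inbound connections when ...") while the neighbouring items each name a setting or area, and the sentence above the list says each item has a section in the guide. An entry that leads with the link, such as `* [MacOS Application Firewall](#firewalls-mac-os) settings for the Erlang runtime`, would match the rest of the list and be easier to scan. If the current wording is kept, "allow Erlang runtime" needs an article ("the Erlang runtime").
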
@@ -1205,3 +1207,35 @@ See [Connection Lifecycle Events](/logging.html#connection-lifecycle-events) in
12051207

12061208
A methodology for [troubleshooting of networking-related issues](/troubleshooting-networking.html)
12071209
is covered in a separate guide.
1210+
1211+
1212+
## <a id="firewalls-mac-os" class="anchor" href="#firewalls-mac-os">MacOS Application Firewall</a>
1213+
1214+
On MacOS systems with [Application Firewall](https://support.apple.com/en-us/HT201642) enabled,
1215+
Erlang runtime processes must be allowed to bind to ports and accept connections.
1216+
Without this, RabbitMQ nodes won't be able to bind to their [ports](#ports) and will fail to start.
1217+
1218+
A list of blocked applications can be seen under `Security and Privacy` => `Firewall` in system settings.
1219+
1220+
To "unblock" a command line tool, use `sudo /usr/libexec/ApplicationFirewall/socketfilterfw`.
1221+
The examples below assume that Erlang is installed under `/usr/local/Cellar/erlang/{version}`,
1222+
used by the Homebrew Erlang formula:
1223+
1224+
<pre class="lang-bash">
1225+
# allow CLI tools and shell to bind to ports and accept inbound connections
1226+
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --add /usr/local/Cellar/erlang/{version}/lib/erlang/bin/erl
1227+
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --unblockapp /usr/local/Cellar/erlang/{version}/lib/erlang/bin/erl
1228+
</pre>
1229+
1230+
<pre class="lang-bash">
1231+
# allow server nodes (Erlang VM) to bind to ports and accept inbound connections
1232+
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --add /usr/local/Cellar/erlang/{version}/lib/erlang/erts-{erts version}/bin/beam.smp
1233+
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --unblockapp /usr/local/Cellar/erlang/{version}/lib/erlang/erts-{erts version}/bin/beam.smp
1234+
</pre>
1235+
1236+
Note that `socketfilterfw` command line arguments can vary between MacOS releases.
1237+
To see supports command line arguments, use
1238+
1239+
<pre class="lang-bash">
1240+
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --help
1241+
</pre>
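
Review bot: The two `--add`/`--unblockapp` pairs at added lines 1226-1227 and 1232-1233 register the firewall exception for `erl` and `beam.smp` themselves, so any Erlang program started from that installation may accept inbound connections, not only RabbitMQ nodes; the section should say so, and should show how to review and undo the exception. Because the paths contain `{version}` and `erts-{erts version}`, the exception is tied to a versioned path, so it is worth noting that it has to be re-added when the Homebrew formula is upgraded and the path changes. The `{erts version}` placeholder would be safer without the space (for example `{erts_version}`), since a partially edited copy of the line splits into two arguments in a shell. At added line 1237, "To see supports command line arguments" should read "To see supported command line arguments".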
