On Sep 21, 2011, at 2:58 AM, Francois Gouget wrote:

> Note also that the firewall will also ask whether to allow incoming 
> network access for some of the tests. I would really like information on 
> how to best deal with that.

That sounds like Mac OS X's application firewall, which is Apple's primary 
firewall instead of a more traditional packet filtering firewall.  The 
application firewall is based around which local applications and services are 
trusted to accept in-bound connections rather than which external sources are 
trusted to deliver packets.  From a security standpoint, I'm not sure that's a 
good approach, but it is what it is.

For what it's worth, Mac OS X still has ipfw or, with Lion, PF, so you can 
enable/configure that and disable the application firewall, if you want.  You 
can disable the application firewall in System Preferences > Security > 
Firewall.  There's no built-in GUI for enabling or configuring the packet 
filtering firewall, so you have to use the command line or third-party tools.

Anyway, the application firewall is based on code-signing.  The user's 
permission to allow a program to accept incoming connections is tied to the 
program's signature.  If a program wasn't code-signed by its vendor, then the 
system will ad-hoc sign it.  If a program changes in a way that invalidates its 
signature, then the past permission is ignored and the system asks again.  For 
ad-hoc-signed programs, just about any change will invalidate their signatures.

Since regularly testing Wine entails constantly rebuilding it, the signature 
never survives for long and the system asks for permission with every new build.

Regards,
Ken


