From 504eda835f8d4d1f92ff60909d62680d9340fa2a Mon Sep 17 00:00:00 2001
From: Tw93
Date: Sun, 28 Dec 2025 09:39:53 +0800
Subject: [PATCH] fix: Update firewall management to use `socketfilterfw` for improved reliability on macOS.

---
 bin/optimize.sh | 3 +--
 lib/check/all.sh | 6 +++---
 lib/manage/autofix.sh | 2 +-
 tests/autofix.bats | 1 +
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/bin/optimize.sh b/bin/optimize.sh
index 6ee0c97..260f4ac 100755
--- a/bin/optimize.sh
+++ b/bin/optimize.sh
@@ -260,8 +260,7 @@ ask_for_security_fixes() {
 }
 
 apply_firewall_fix() {
- if sudo defaults write /Library/Preferences/com.apple.alf globalstate -int 1; then
- sudo pkill -HUP socketfilterfw 2> /dev/null || true
+ if sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on > /dev/null 2>&1; then
 echo -e " ${GREEN}${ICON_SUCCESS}${NC} Firewall enabled"
 FIREWALL_DISABLED=false
 return 0
diff --git a/lib/check/all.sh b/lib/check/all.sh
index d8dd877..be8ff3b 100644
--- a/lib/check/all.sh
+++ b/lib/check/all.sh
@@ -113,10 +113,10 @@ check_filevault() {
 check_firewall() {
 # Check whitelist
 if command -v is_whitelisted > /dev/null && is_whitelisted "firewall"; then return; fi
- # Check firewall status
+ # Check firewall status using socketfilterfw (more reliable than defaults on modern macOS)
 unset FIREWALL_DISABLED
- local firewall_status=$(defaults read /Library/Preferences/com.apple.alf globalstate 2> /dev/null || echo "0")
- if [[ "$firewall_status" == "1" || "$firewall_status" == "2" ]]; then
+ local firewall_output=$(sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2> /dev/null || echo "")
+ if [[ "$firewall_output" == *"State = 1"* ]] || [[ "$firewall_output" == *"State = 2"* ]]; then
 echo -e " ${GREEN}✓${NC} Firewall Network protection enabled"
 else
 echo -e " ${YELLOW}${ICON_WARNING}${NC} Firewall ${YELLOW}Network protection disabled${NC}"
diff --git a/lib/manage/autofix.sh b/lib/manage/autofix.sh
index 928e1f7..4f333ae 100644
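Review bot: The new `if sudo … socketfilterfw --setglobalstate on > /dev/null 2>&1; then` line decides success on exit status alone while throwing away stderr, so a failed sudo or a refusal by the tool reaches the user as a bare failure with no reason, and if socketfilterfw ever exits 0 without applying the state (I cannot confirm it never does) the "Firewall enabled" branch runs regardless; the same line in lib/manage/autofix.sh has the same gap. Consider confirming the result with the read-back that lib/check/all.sh already relies on, e.g. `if sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on > /dev/null 2>&1 && [[ "$(sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2> /dev/null)" == *"State = "[12]* ]]; then`, or at least let stderr through so the cause is visible. The dropped `pkill -HUP` implies the old path needed a daemon reload; if the new tool applies the state itself, a comment such as `# socketfilterfw applies the state directly; no HUP needed` would stop the next reader from re-adding it. apply_firewall_fix continues past the end of the hunk.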
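Review bot: On the new `local firewall_output=$(sudo … --getglobalstate 2> /dev/null || echo "")` line a failed or denied sudo is indistinguishable from a disabled firewall: `|| echo ""` yields an empty string, neither State pattern matches, and the function reports "Network protection disabled" and, given the `unset FIREWALL_DISABLED` just above, presumably flags the firewall for autofix, which then asks for the very elevation the check could not get. The old `defaults read` ran unprivileged, so this is a new privilege requirement for a read-only check; it is worth confirming whether `--getglobalstate` needs root at all and dropping sudo if it does not. Either way the two outcomes should stay apart: `local firewall_output; if ! firewall_output=$(sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2> /dev/null); then echo -e " ${YELLOW}${ICON_WARNING}${NC} Firewall ${YELLOW}status could not be determined${NC}"; return; fi`, keeping the existing State match for the success path. The else branch continues past the end of the hunk.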
--- a/lib/manage/autofix.sh
+++ b/lib/manage/autofix.sh
@@ -132,7 +132,7 @@ perform_auto_fix() {
 # Fix Firewall
 if [[ -n "${FIREWALL_DISABLED:-}" && "${FIREWALL_DISABLED}" == "true" ]]; then
 echo -e "${BLUE}Enabling Firewall...${NC}"
- if sudo defaults write /Library/Preferences/com.apple.alf globalstate -int 1 2> /dev/null; then
+ if sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on > /dev/null 2>&1; then
 echo -e "${GREEN}✓${NC} Firewall enabled"
 ((fixed_count++))
 fixed_items+=("Firewall enabled")
diff --git a/tests/autofix.bats b/tests/autofix.bats
index 546da29..b2f34ef 100644
--- a/tests/autofix.bats
+++ b/tests/autofix.bats
@@ -76,6 +76,7 @@ sudo() {
 echo "Installing Rosetta 2 stub output"
 return 0
 ;;
+ /usr/libexec/ApplicationFirewall/socketfilterfw) return 0 ;;
 *) return 0 ;;
 esac
 }
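Review bot: The enabling command on the changed `if sudo … --setglobalstate on > /dev/null 2>&1; then` line is now byte-identical to the one in bin/optimize.sh's apply_firewall_fix, and the two copies had already drifted before this commit (only the optimize.sh copy sent `pkill -HUP`). A small shared helper, say `enable_firewall()` under lib/ that both call sites invoke, would keep the command, its redirections and any future read-back check in one place instead of two. perform_auto_fix begins before and continues past the hunk.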
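Review bot: The added `/usr/libexec/ApplicationFirewall/socketfilterfw) return 0 ;;` arm behaves exactly like the `*) return 0 ;;` default beneath it, so the stub exercises nothing the previous stub did not; if it is meant as documentation that is fine, but it could earn its place by echoing a line containing `State = 1` when invoked with `--getglobalstate`, which is the form the new check in lib/check/all.sh matches. As written, that check path sees an empty string under this stub and would report the firewall as disabled. The `sudo()` stub and its `case` begin before the hunk.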