Re: firewall api
  • Subject: Re: firewall api
  • From: Thomas Davie <email@hidden>
  • Date: Sat, 24 Jan 2009 08:08:01 +0100


On 24 Jan 2009, at 07:26, Chris Benedict wrote:

> On Jan 23, 2009, at 2:13 AM, Andrew Farmer wrote:
>
>> On 22 Jan 09, at 14:38, Chris Benedict wrote:
>>> First, I'm pretty new to Mac OS X programming so please bear with my ignorance.
>>>
>>> I was hoping to get a bit of quick advice. I'm wanting to write a little application that will kind of put my MacBook in a lockdown mode of sorts. It would need to block/ignore all network traffic except for an app or two when you hit a button and then deactivate when you hit another button to return to the original settings.
>>>
>>> My question is whether or not there is a public API to interact with the built-in firewall on Mac OS X 10.5 or if I would need to interface with system preferences somehow and just set up the firewall to block all connections except for the one app that I want to allow through or if there is a completely different way to go about doing this. I found a program called Little Snitch which seems similar but way overkill for what I want to do and at first glance it looks like they do things with the drivers or something like that which honestly is above my head.
>>
>> The built-in firewall is ipfw - the implementation on OS X is largely identical to the implementation in FreeBSD, so there's plenty of documentation online. I'm not aware of any specific API provided by Apple for managing the firewall, but the ipfw tool is probably good enough. Note that you'll need root privileges to use it.
>>
>> The limit you're going to run into trying to write a tool like this is that you can't apply packet filters on a per-application level. The closest you can get is blocking packets which are addressed to specific ports, or which are destined for processes owned by specific users. Little Snitch accomplishes finer-grained restrictions by implementing a kernel extension; I do *NOT* recommend taking this approach unless you have a lot of spare time, and don't mind debugging kernel panics.
>
> Thanks, I was hoping it would be that easy. I'm assuming that Apple implements the per-application access simply by detecting which port[s] an application wants to bind to and then allowing access to those ports? Or is it more involved than that? I ask purely out of curiosity because the application I'm wanting to allow to pass through uses static ports so I hopefully won't need to do that.

Uh, not that I have a useful answer to this question, but since Leopard, the built-in firewall has not been ipfw, it's been Apple's custom application firewall. While ipfw is still usable, it's certainly not the built-in one.


Bob
_______________________________________________

Cocoa-dev mailing list (email@hidden)



References: 
 >firewall api (From: Chris Benedict <email@hidden>)
 >Re: firewall api (From: Andrew Farmer <email@hidden>)
 >Re: firewall api (From: Chris Benedict <email@hidden>)
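
The port-based ipfw approach discussed in the thread, as an added example that is not part of any poster's message: a toggle that installs a deny-all ruleset with exceptions for an app's static ports and removes it again. The rule set number 7, rule numbers 2000-2999, the function names, and the choice of outbound TCP to fixed remote ports are assumptions; the commands use the FreeBSD-style ipfw syntax the thread refers to.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: ipfw rule set 7 and rule
# numbers 2000-2999 are free, and the allowed app makes outbound TCP
# connections to fixed remote ports. Function names are hypothetical.
LOCK_SET=7

# Print the ipfw commands that enter lockdown for the given ports.
lockdown_on_cmds() {
    for port in "$@"; do            # validate everything before emitting
        case "$port" in
            ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
        esac
        [ "$port" -ge 1 ] 2>/dev/null && [ "$port" -le 65535 ] 2>/dev/null ||
            { echo "port out of range: $port" >&2; return 1; }
    done
    echo "ipfw -q add 2000 set $LOCK_SET allow ip from any to any via lo0"
    echo "ipfw -q add 2001 set $LOCK_SET check-state"
    n=2000
    for port in "$@"; do
        n=$((n + 10))
        echo "ipfw -q add $n set $LOCK_SET allow tcp from me to any dst-port $port out keep-state"
    done
    # Everything not matched above (inbound or outbound) is dropped.
    echo "ipfw -q add 2999 set $LOCK_SET deny ip from any to any"
}

# Leaving lockdown deletes only our set, so other rules are untouched.
lockdown_off_cmds() {
    echo "ipfw -q delete set $LOCK_SET"
}

# Dry run by default; APPLY=1 executes the commands (ipfw requires root).
lockdown() {
    mode=$1; [ $# -gt 0 ] && shift
    case "$mode" in
        on)  cmds=$(lockdown_on_cmds "$@") || return 1 ;;
        off) cmds=$(lockdown_off_cmds) ;;
        *)   echo "usage: lockdown on PORT... | lockdown off" >&2; return 2 ;;
    esac
    if [ "${APPLY:-0}" != 1 ]; then
        echo "$cmds"
    elif [ "$(id -u)" -ne 0 ]; then
        echo "ipfw needs root privileges" >&2; return 1
    else
        echo "$cmds" | sh -e
    fi
}
```

Because the final rule denies everything else, DNS lookups also fail in lockdown unless the allowed app connects by IP address or a rule for the resolver is added.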
