Re: firewall api
Re: firewall api
- Subject: Re: firewall api
- From: Thomas Davie <email@hidden>
- Date: Sat, 24 Jan 2009 08:08:01 +0100
On 24 Jan 2009, at 07:26, Chris Benedict wrote:
On Jan 23, 2009, at 2:13 AM, Andrew Farmer wrote:
On 22 Jan 09, at 14:38, Chris Benedict wrote:
First, I'm pretty new to Mac OS X programming so please bear with
my ignorance.
I was hoping to get a bit of quick advice. I'm wanting to write a
little application that will kind of put my MacBook in a lock down
mode of sorts. It would need to block/ignore all network traffic
except for an app or two when you hit a button and then deactivate
when you hit another button to return to the original settings.
My question is whether or not there is a public API to interact
with the built-in firewall on Mac OS X 10.5 or if I would need to
interface with system preferences somehow and just setup the
firewall to block all connections except for the one app that I
want to allow through or if there is a completely different way to
go about doing this. I found a program called Little Snitch which
seems similar but way overkill for what I want to do and at first
glance it looks like they do things with the drivers or something
like that which honestly is above my head.
The built-in firewall is ipfw - the implementation on OS X is
largely identical to the implementation in FreeBSD, so there's
plenty of documentation online. I'm not aware of any specific API
provided by Apple for managing the firewall, but the ipfw tool is
probably good enough. Note that you'll need root privileges to use
it.
The limit you're going to run into trying to write a tool like this
is that you can't apply packet filters on a per-application level.
The closest you can get is blocking packets which are addressed to
specific ports, or which are destined for processes owned by
specific users. Little Snitch accomplishes finer-grained
restrictions by implementing a kernel extension; I do *NOT*
recommend taking this approach unless you have a lot of spare time,
and don't mind debugging kernel panics.
Thanks, I was hoping it would be that easy. I'm assuming that Apple
implements the per-application access simply by detecting which
port[s] an application wants to bind to and then allowing access to
those ports? Or is it more involved than that? I ask purely out of
curiosity because the application I'm wanting to allow to pass
through uses static ports so I hopefully won't need to do that.
Uh, not that I have a useful answer to this question, but since
leopard, the built in firewall has not been ipfw, it's been apple's
custom application firewall. While ipfw is still useable, it's
certainly not the built in one.
Bob
_______________________________________________
Cocoa-dev mailing list (email@hidden)
Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden