RE: Adding ports to the firewall from an Installer?
- Subject: RE: Adding ports to the firewall from an Installer?
- From: "Huyler, Christopher M" <email@hidden>
- Date: Thu, 7 Aug 2003 10:18:13 -0400
- Thread-topic: macnetworkprog digest, Vol 3 #490 - 2 msgs
Thank you for responding.
I have just placed a bug report, Problem ID# :3367833.
I'm most concerned about changes made to the firewall after our application is up and running as well as during the install (since eTrust Antivirus is actually a service in addition to an application). For example, if the user goes to turn on file sharing and notices the firewall tab and decides to turn it on. Until they restart their computer or stop/start our service, they will have no communication with our admin server. In the event of a network-wide virus infection, this could be devastating. The same situation could apply to a MySQL database server that is running in the background.
For this reason I have added a request for some sort of call-back function to be provided to alert running applications. If an application registers a call-back for the firewall, when a change is made, the application would be given the opportunity to re-check for its port and alert the user if it is not found.
--__--__--
Message: 1
Date: Wed, 6 Aug 2003 09:24:47 +0100
To: email@hidden
From: Quinn <email@hidden>
Subject: RE: Adding ports to the firewall from an Installer?
At 9:47 -0400 4/8/03, Huyler, Christopher M wrote:
> Imagine installing a piece of software on 200 machines in a computer
> lab. Let's assume the IT person turned on the firewall on each one to
> increase security, and now they want virus protection as well.
> Would you want to open system preferences and add the necessary
> ports to the firewall for every machine or would you rather not
> think about it?
There is no supported API to add or modify firewall rules. Modifying
the ipfw in-kernel rules via setsockopt is unsupported because
there's no way to coordinate your operation with our firewall
software. Modifying the firewall preferences is unsupported for the
same reason that modifying random preferences is always unsupported:
we can't guarantee binary compatibility.
Thus, for current systems (up to and including Panther), you're on
your own. You could implement one of the unsupported alternatives
described above but, before doing so, you should consider the binary
compatibility risks and weigh them against the user convenience.
Regardless, the situation you describe is a fine justification for a
new API. I've already filed a bug <rdar://problem/3320556>
requesting that we provide an API so that application vendors can
accurately determine whether their port is being blocked by the
firewall. My expected usage scenario was that an application vendor
would call this API when they start serving on a port, and warn the
user if the port was blocked by the firewall. However, this bug
doesn't cover the more advanced facilities that you need.
Please submit a bug report explaining your situation and what you need.
<http://developer.apple.com/bugreporter/>
Let me know what the bug number is.
S+E
--
Quinn "The Eskimo!" <http://www.apple.com/developer/>
Apple Developer Technical Support * Networking, Communications, Hardware
_______________________________________________
macnetworkprog mailing list | email@hidden