Re: Panther and Firewall API?


  • Subject: Re: Panther and Firewall API?
  • From: "Huyler, Christopher M" <email@hidden>
  • Date: Tue, 2 Sep 2003 09:37:45 -0400
  • Thread-topic: Re: Panther and Firewall API?

>This gives me the creeps. A firewall is a personal thing to a security
>minded person, and other than firewall programs, I don't think any
>other program should be messing with the firewall. And as a firewall
>rule writer you have to worry about not stomping on anybody's rules,
>not just Apple's...iChat may want port 5298 open, but the administrator
>may want it closed.

>Of course if Apple can come up with an API that's (a) safe (e.g.
>requires root privileges, so it's no more harmful than ipfw flush when
>executed by the administrator), (b) uses an Apple supplied GUI to
>prompt the user before making changes and (c) doesn't work unless
>Apple's firewall is enabled, then I'm all for this feature. Otherwise,
>I'd say stay the heck away from my firewall. At least that's my two
>cents.

At the very least, there should be an API to allow a program to
determine whether the firewall is on and a specified port is open, and
possibly a callback to alert a program if its state has changed.
Requiring root privileges for any more functionality would be a must.

I am in strong favor of any kind of API because from an everyday user's
point of view, a firewall is a set-and-forget kind of thing. On top of
that, the concept of ports and sockets is very complex and they may not
understand what it means to open a port on the firewall. I (as a user)
would rather see a software installer prompt me (with password
verification) asking if I want it to configure my firewall than end up
calling support when I can't get the product to work...or worse turning
off the firewall altogether because I didn't know how to configure it.

I ran into this problem only by accident when my supervisor had turned
it on and I couldn't figure out why our product wasn't working correctly
on his machine. Our enterprise virus solution discovers machines on the
network using udp but manages them using tcp. I could discover but not
manage.

For those of you who are paranoid about security, you should consider
another firewall to protect yourself because the built-in firewall is
severely limited by its GUI. In fact, can you think of a situation
where this firewall will actually protect you? I personally think the
best use of a firewall is to block outgoing traffic, something the Apple
firewall doesn't do.

--
Christopher Huyler
Computer Associates
_______________________________________________
macnetworkprog mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/macnetworkprog