Re: Browser filtering
- Subject: Re: Browser filtering
- From: "Quinn \"The Eskimo!\"" <email@hidden>
- Date: Thu, 9 Dec 2010 11:12:53 +0000
On 8 Dec 2010, at 21:24, eveningnick eveningnick wrote:
> I have a task to write a networking filter [...]
There are basically three strategies here:
o socket filter NKE
o ipfw divert
o local proxy
Each of these has its pros and cons. The socket filter NKE gives you the most capabilities, but it's by far the hardest to program, not least because any mistake in kernel code brings down the entire machine.
ipfw divert has some important disadvantages:
o ipfw is a global resource, meaning it's hard for your product to coexist with other products that use ipfw. This is less of an issue now that Apple's firewall doesn't use ipfw.
o ipfw lets you see each outgoing connection, but you don't get to see which process initiated that connection. This means that some tasks just aren't possible.
o The trip to user space has a performance penalty.
A local proxy is the easiest and safest solution, but it has most of the same drawbacks as ipfw. Plus, as you've noticed, it's quite easy for the user to bypass.
Finally, I'm a little confused about your requirements with regard to privileges. Installing /any/ software that affects all users on the system will require admin privileges; there's just no way to avoid that. However, if you do a socket filter NKE it's relatively easy to enable or disable the filter on a user by user basis. I can't think of any way to implement a filter like this without requiring admin privileges.
S+E
--
Quinn "The Eskimo!" <http://www.apple.com/developer/>
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
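The "local proxy" strategy from the reply above, as an added example that is not part of the original message or of any Apple code: a minimal filtering HTTP proxy that handles both `CONNECT` tunnels (HTTPS) and absolute-URI requests (plain HTTP), refuses hosts on a blocklist, and relays everything else. The blocklist and the listening address are constructed for the example. Note what the proxy can and cannot see: it gets the destination hostname from the request line, but only the client socket, never the process that opened it, and a browser configured not to use the proxy bypasses it entirely, which is exactly the drawback the reply describes.

```python
import socket
import threading
from urllib.parse import urlsplit

# Constructed policy for the example: these hosts and their subdomains are refused.
BLOCKED_HOSTS = {"ads.example", "tracker.example"}


def target_of(request_line: str):
    """Return (host, port) from a proxy request line, or None if it is unusable.

    Handles 'CONNECT host:port HTTP/1.1' and 'GET http://host/path HTTP/1.1'.
    Origin-form requests ('GET /path') carry no host and are rejected.
    """
    parts = request_line.strip().split()
    if len(parts) != 3:
        return None
    method, target, _version = parts
    if method.upper() == "CONNECT":
        host, sep, port = target.rpartition(":")
        if not sep or not host or not port.isdigit():
            return None
        return host.lower(), int(port)
    try:
        u = urlsplit(target)
        if u.scheme.lower() != "http" or not u.hostname:
            return None
        return u.hostname.lower(), u.port or 80
    except ValueError:  # e.g. a non-numeric port in the URL
        return None


def is_allowed(host: str) -> bool:
    """Policy check: a host is refused if it, or any parent domain, is blocked."""
    labels = host.split(".")
    return not any(".".join(labels[i:]) in BLOCKED_HOSTS for i in range(len(labels)))


def _pipe(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF or error, then shut both sockets down."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass


def handle_client(client: socket.socket) -> None:
    try:
        buf = b""
        while b"\r\n\r\n" not in buf and len(buf) < 16384:  # read the request head
            chunk = client.recv(4096)
            if not chunk:
                return
            buf += chunk
        head, _, leftover = buf.partition(b"\r\n\r\n")
        request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
        target = target_of(request_line)
        if target is None:
            client.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")
            return
        host, port = target
        if not is_allowed(host):  # the only thing we can filter on is the hostname
            client.sendall(b"HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n")
            return
        upstream = socket.create_connection((host, port), timeout=10)
        upstream.settimeout(None)
        if request_line.upper().startswith("CONNECT"):
            client.sendall(b"HTTP/1.1 200 Connection Established\r\n\r\n")
            if leftover:
                upstream.sendall(leftover)
        else:
            upstream.sendall(buf)  # forward the raw request we already read
        t = threading.Thread(target=_pipe, args=(upstream, client), daemon=True)
        t.start()
        _pipe(client, upstream)
        t.join()
    finally:
        client.close()


def serve(listen=("127.0.0.1", 8080)) -> None:
    """Accept loop; one thread per client connection (constructed default address)."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(listen)
        srv.listen(64)
        print(f"filtering proxy listening on {listen[0]}:{listen[1]}")
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle_client, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Point a browser's HTTP and HTTPS proxy settings at 127.0.0.1:8080 to try it; requests to a blocked host get a 403 before any upstream connection is made. The `is_allowed` check runs on the hostname only because that is all the proxy has: matching the reply's point about ipfw, there is no socket-level way here to learn which process opened the connection, so per-application or per-user rules would need the socket filter NKE approach instead.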