Re: Browser filtering
- Subject: Re: Browser filtering
- From: eveningnick eveningnick <email@hidden>
- Date: Thu, 9 Dec 2010 23:55:51 +0300
Hello, Quinn,
Thanks for the response!
> There are basically three strategies here:
> o socket filter NKE
> o ipfw divert
> o local proxy
>
> Each of these has their pros and cons. The socket filter NKE gives you the most capabilities, but it's by far the hardest to program, not least because any mistake in kernel code brings down the entire machine.
Here,
http://developer.apple.com/library/mac/#DOCUMENTATION/Darwin/Conceptual/NKEConceptual/about/about.html
there's a statement:
"Loading a kernel extension is handled by the kextload(8) command line
utility, which adds the NKE to the running Mac OS X kernel as part of
the kernel's address space. Eventually, the system will provide
automatic mechanisms for loading extensions. Currently, automatic
loading is possible only for I/O Kit KEXTs and other KEXTs that they
depend on."
Does that mean that my application has to install a system-autostart
agent (which will fork-exec the command "kextload mykextname.kext")
if it wants this kext to be started automatically every time the
system boots? Or has the situation changed nowadays, so that I could place
this generic NKE into /Library/Extensions and it will be loaded
automatically?
>
> ipfw divert has some important disadvantages:
>
> o ipfw is a global resource, meaning it's hard for your product to coexist with other products that use ipfw. This is less of an issue now that Apple's firewall doesn't use ipfw.
>...
> o The trip to user space has a performance penalty.
What kind of penalty? Do you know some sources where I could read
about it? Does it influence all the traffic, or only the traffic which
matches the specified rules?
>
> A local proxy is the easiest and safest solution, but it has most of the same drawbacks as ipfw. Plus, as you've noticed, it's quite easy for the user to bypass.
>
I am not sure I understand the idea of this well. I am thinking in
Windows analogies, where a proxy will be used only if it is specified
explicitly in the browser's settings. A user can easily remove this
setting, and the "wall" is ruined. Is it like that on OS X, or could I
specify a proxy at the system level, not at the browser level?
> Finally, I'm a little confused about your requirements with regards privileges. Installing /any/ software that affects all users on the system will require admin privileges; there's just no way to avoid that. However, if you do a socket filter NKE it's relatively easy to enable or disable the filter on a user by user basis. I can't think of any way to implement a filter like this without requiring admin privileges.
>
What I am trying to achieve is to let only one specific browser be
able to surf the net. (I can find out if this is my browser by
scanning the "User-Agent: " field in all HTTP GET requests.)
Installing software in /Applications will require admin privileges,
but installing (or just launching) a bundle in /Users/username/..
doesn't. A user (non-admin) could just double-click a bundle with
another browser, and the local proxy is bypassed. Or maybe I don't
understand something.
Thank you
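Added example, not from this thread: user-space C for the User-Agent extraction that a socket-filter data callback would have to do on the reassembled client-to-server bytes of a connection, rather than on one packet at a time, covering the cases a per-packet scan misses (header block still arriving, header name in a different case, no HTTP on the connection). Names such as `extract_user_agent` and the `ua_status` codes are mine; note that User-Agent is written by whatever process opened the socket, so a match identifies a cooperating client, and TLS streams expose none of this.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
/* Outcome of inspecting the bytes buffered so far on one client->server stream. */
enum ua_status { UA_NEED_MORE, UA_NOT_HTTP, UA_ABSENT, UA_FOUND };
/* Case-insensitive compare: HTTP header names may arrive in any case. */
static int ci_ncmp(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 1;
    return 0;
}
/* Look for the User-Agent header of an HTTP request in buf[0..len).
 * On UA_FOUND, *ua/*ua_len point into buf at the trimmed header value.
 * UA_NEED_MORE means the header block is split across segments: keep buffering. */
enum ua_status extract_user_agent(const char *buf, size_t len,
                                  const char **ua, size_t *ua_len) {
    static const char *const methods[] = { "GET ", "POST ", "HEAD ", "PUT " };
    size_t i, nmeth = sizeof methods / sizeof methods[0];
    int is_http = 0;
    for (i = 0; i < nmeth && !is_http; i++) {
        size_t ml = strlen(methods[i]);
        if (len < ml) { if (memcmp(buf, methods[i], len) == 0) return UA_NEED_MORE; }
        else if (memcmp(buf, methods[i], ml) == 0) is_http = 1;
    }
    if (!is_http) return UA_NOT_HTTP;
    const char *end = NULL;            /* the blank line that ends the headers */
    for (i = 0; i + 3 < len; i++)
        if (memcmp(buf + i, "\r\n\r\n", 4) == 0) { end = buf + i + 2; break; }
    if (!end) return UA_NEED_MORE;
    const char *line = memchr(buf, '\n', (size_t)(end - buf));   /* skip request line */
    while (line && ++line < end) {
        const char *eol = memchr(line, '\n', (size_t)(end - line)); /* never NULL here */
        if ((size_t)(eol - line) >= 11 && ci_ncmp(line, "User-Agent:", 11) == 0) {
            const char *v = line + 11, *ve = eol;
            while (v < ve && (*v == ' ' || *v == '\t')) v++;
            while (ve > v && (ve[-1] == '\r' || ve[-1] == ' ' || ve[-1] == '\t')) ve--;
            *ua = v; *ua_len = (size_t)(ve - v);
            return UA_FOUND;
        }
        line = eol;
    }
    return UA_ABSENT;
}
/* Yes/no helper: does this (NUL-terminated) request carry exactly `expected`? */
int request_has_user_agent(const char *req, const char *expected) {
    const char *ua; size_t n;
    if (extract_user_agent(req, strlen(req), &ua, &n) != UA_FOUND) return 0;
    return strlen(expected) == n && memcmp(ua, expected, n) == 0;
}
```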