From: Jim on 21 Jan 2010 09:57

On 2010-01-21, Woody <usenet(a)alienrat.co.uk> wrote:
>> >
>> > Indeed. I'm off to get something to eat, then there's going to be some
>> > savage butchery to this file when I get back. Thank you so much.
>> >
>>
>> I think it goes without saying that you should probably back it up
>> first..:-)
>
> Pah - where is your sense of adventure?

Safely backed up at home, thank you.

Jim
--
http://www.ursaMinorBeta.co.uk
http://twitter.com/GreyAreaUK
"Get over here. Now. Might be advisable to wear brown trousers and a shirt the colour of blood." Malcolm Tucker, "The Thick of It"
From: Graham J on 21 Jan 2010 10:02

"James Taylor" <usenet(a)oakseed.demon.co.uk.invalid> wrote in message
news:7rr0teFrlcU1(a)mid.individual.net...
> Graham J wrote:
>
>> Why not put the Mac on its own LAN segment? Set up an ethernet
>> router between it and the rest of the LAN, then none of its
>> broadcasts will get out.
>
> Yes, that's what I will do as a stopgap solution for now, because I really
> must make progress with my work on it. But ultimately I want to be able to
> travel to client premises with it, and not have to worry that the
> hypervisor OS is exposed.

Take the router with you to the client premises. OK so it needs another
power, and you would have to connect it to the client's LAN by wire.

In fact if you put a decent router (Vigor or Cisco) at the client's premises
(for internet connection) then you could connect via VPN - so no need to
visit at all. Would pay for itself on the first visit it saved!

--
Graham J
From: James Taylor on 21 Jan 2010 10:18

Graham J wrote:

> Take the router with you to the client premises. OK so it needs another
> power, and you would have to connect it to the client's LAN by wire.

Not really practical, and I usually need to be on the same LAN segment as
the client's machines, so no good being behind a router.

> In fact if you put a decent router (Vigor or Cisco) at the client's premises
> (for internet connection) then you could connect via VPN - so no need to
> visit at all.

Hehe, wouldn't that be nice!

--
James Taylor
From: James Taylor on 21 Jan 2010 10:31

Richard Tobin wrote:

> James Taylor wrote:
>
>> Apparently, Apple have pre-signed many of the standard OS components to
>> allow them access through the firewall without needing explicit rules in
>> the firewall or asking for user permission.
>
> Is netcat such a component?

Yes.

> I understand the distinction between application and network level
> firewalls. But for *outgoing* connections controlling it
> at the application level seems too tedious: there are hundreds of
> commonly used programs that make outgoing connections, but just a few
> that accept incoming ones.

Well, there aren't *hundreds*, probably only a few tens, and with something
like LittleSnitch, for instance, you only need to allow or deny each process
the first time it tries, and it remembers this rule and doesn't ask again.
It's really not so onerous.

> And many of those programs can, by design, connect to anything. For
> example, any web browser could be used to send data to an arbitrary
> TCP port on an arbitrary server

Sure, so with a web browser you'd probably allow it universal port 80 and
443 access with specific (perhaps temporary) overrides for other ports as
the need arose.

> Are you considering a machine so locked down that it mustn't be able
> to run a web browser?

In this case, yes, because I'll be running a virtual machine within which I
do my general web browsing, and another separate one for online banking, and
another one for web application development, and another one for network
penetration testing (including web application testing), and so on.

> If so, I would have thought a network-level firewall that only
> allowed connections to trusted hosts would be a better solution.

Sadly, no, because I need full access from the various VM guests while
having no access to or from the VM master. This requires an application
level firewall that can allow VMware while disallowing all else.

--
James Taylor
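As an added example (not from the thread, and not LittleSnitch's, Apple's or VMware's code), here is a small Python simulation of the egress policy James describes above: default-deny outbound, the hypervisor process allowed on every port, the browser allowed only on 80/443 with a one-shot override for another port, and an unknown process such as netcat prompted once with the answer remembered. The binary paths, hosts and connection attempts are constructed for illustration; a real application firewall would also verify the code signature of the process it is matching, which this toy deliberately does not model.

```python
"""Per-process outbound policy in the style of an application-level firewall.

Added example, not code from the original thread and not LittleSnitch's,
Apple's or VMware's code. Process paths, hosts and attempts are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed example paths (assumptions, not taken from the thread).
VMX = "/Applications/VMware Fusion.app/Contents/Library/vmware-vmx"
FIREFOX = "/Applications/Firefox.app/Contents/MacOS/firefox"
NETCAT = "/usr/bin/nc"


@dataclass
class Attempt:
    process: str   # path of the binary opening the socket
    host: str
    port: int


@dataclass
class EgressPolicy:
    # process path -> allowed TCP ports; None means any port. Absent = deny.
    rules: Dict[str, Optional[Set[int]]] = field(default_factory=dict)
    # temporary overrides: (process, port) -> remaining uses
    overrides: Dict[Tuple[str, int], int] = field(default_factory=dict)
    # first-time decisions remembered per process (the "ask once" behaviour)
    remembered: Dict[str, bool] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def allow(self, process: str, ports: Optional[Set[int]] = None) -> None:
        self.rules[process] = None if ports is None else set(ports)

    def override(self, process: str, port: int, uses: int = 1) -> None:
        self.overrides[(process, port)] = uses

    def decide(self, a: Attempt, ask: Callable[[Attempt], bool]) -> bool:
        key = (a.process, a.port)
        if key in self.overrides:            # temporary per-port override
            self.overrides[key] -= 1
            if self.overrides[key] == 0:
                del self.overrides[key]
            verdict = True
        elif a.process in self.rules:        # explicit rule, port-scoped
            ports = self.rules[a.process]
            verdict = ports is None or a.port in ports
        elif a.process in self.remembered:   # answered before, do not ask again
            verdict = self.remembered[a.process]
        else:                                # unknown process: ask once, remember
            verdict = ask(a)
            self.remembered[a.process] = verdict
        self.log.append(f"{'ALLOW' if verdict else 'DENY '} "
                        f"{a.process} -> {a.host}:{a.port}")
        return verdict


def run_demo() -> Tuple[List[bool], List[str], List[str]]:
    """Returns (verdicts, processes that were prompted for, audit log)."""
    policy = EgressPolicy()
    policy.allow(VMX)                        # hypervisor: any port, as James wants
    policy.allow(FIREFOX, {80, 443})         # browser: web ports only
    policy.override(FIREFOX, 8080, uses=1)   # one-off exception for a dev server

    prompted: List[str] = []

    def deny_unknown(a: Attempt) -> bool:    # stands in for the user clicking Deny
        prompted.append(a.process)
        return False

    attempts = [
        Attempt(VMX, "198.51.100.7", 12345),   # guest traffic via the hypervisor
        Attempt(FIREFOX, "example.com", 443),
        Attempt(FIREFOX, "example.com", 8080), # override consumed here
        Attempt(FIREFOX, "example.com", 8080), # now falls back to the 80/443 rule
        Attempt(NETCAT, "192.0.2.10", 4444),   # unknown process: prompted once
        Attempt(NETCAT, "192.0.2.10", 4445),   # remembered, no second prompt
    ]
    verdicts = [policy.decide(a, deny_unknown) for a in attempts]
    return verdicts, prompted, policy.log


if __name__ == "__main__":
    for line in run_demo()[2]:
        print(line)
```

Note that the pre-signed netcat Richard asks about is denied here like any other unknown process, because the policy is default-deny on the process path rather than trusting a vendor signature; whether a real product makes that same choice is a setting to check rather than assume.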
From: James Taylor on 21 Jan 2010 10:34
Jim wrote:
> Woody wrote:
>
>> Jim wrote:
>>
>>> James Taylor wrote:
>>>
>>>> Indeed. I'm off to get something to eat, then there's going to be some
>>>> savage butchery to this file when I get back. Thank you so much.
>>>
>>> I think it goes without saying that you should probably back it up
>>> first..:-)

It does go without saying.

>> Pah - where is your sense of adventure?
>
> Safely backed up at home, thank you.

Hahaha! Hilarious! :-D

--
James Taylor