Good point. I don't really have to deal with Instant Messaging type issues, so it never really occurred to me.

- Jay

Thus spake Claussen, Ken ([EMAIL PROTECTED]):

> While it is true a properly configured iptables firewall will provide
> good security, it does not address the issue of applications such as
> Instant Messaging from tunneling outbound through port 80. Correct me if
> I am wrong, but IPtables does not provide content inspection to
> guarantee all traffic on port 80 is HTTP. In fact even if it did, I have
> seen applications which use HTTP (headers) to communicate with servers
> on port 80 capable of bypassing most proxy servers. Not to mention all
> the freshly installed programs which try to force you to auto-register
> online. Unfortunately I do not have a good suggestion for this
> gentleman, except to say I understand the dilemma he is trying to
> mitigate against.
>
> Ken
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Jay Christopherson
> Sent: Monday, March 11, 2002 7:08 PM
> To: Glenn Shiffer
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: Seeking personal firewall for Mac OS X
>
> Not being familiar with ipfw, but assuming it is similar to iptables or
> ipchains, wouldn't you be able to tell ipfw "that your Internet Browser
> is allowed to talk to the Internet, but your mail client is not"? You can
> just default deny all traffic and specifically allow port 80 or port 443.
> You could even write a small (a couple lines at best) script that would
> parse the ipfw logs and alert you when someone tries to access something
> you don't want them to access... there are even tools out there that can
> do that already and I bet a lot of them will run on OS X (based on BSD
> right?)...
>
> I understand what you are saying about specifying applications, but you
> can get the same effect with iptables (and presumably ipfw) by monitoring
> and specifying access ports (110 for pop, 25 for smtp, 23 for telnet,
> etc...)
>
> I've used ZoneAlarm on Windows, and I am not too impressed versus a
> properly setup iptables firewall.
>
> Of course, this is all based on my assumption that ipfw has similar
> functionality to iptables. If not, feel free to flog me publicly.
>
> I don't know if any of this actually helps you; I was just airing
> opinions to see what others think...
>
> - Jay
>
> Thus spake Glenn Shiffer ([EMAIL PROTECTED]):
>
> > Net Barrier is the closest thing I can think of.
> >
> > http://www.intego.com
> >
> > HTH,
> >
> > Glenn
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]] On Behalf Of Jim Rosenberg
> > Sent: Monday, March 11, 2002 9:58 AM
> > To: [EMAIL PROTECTED]
> > Subject: Seeking personal firewall for Mac OS X
> >
> > I am used to using ZoneAlarm *behind* a network firewall to protect
> > BillWare desktops. ZoneAlarm allows setting policies at the
> > *APPLICATION* level, which a typical network firewall won't. E.g. I can
> > tell ZoneAlarm that my web browser is allowed to talk to the Internet,
> > but my mail client is not. (My mail client needs only to talk to my
> > local mail servers on the LAN behind the network firewall.)
> >
> > I'm now looking for this kind of functionality on Mac OS X, and not
> > finding anything out there. There are several products that describe
> > themselves as "personal firewalls" for OS X, but the kind of policies
> > they allow you to set are just like those of a network firewall: smart
> > about ports, protocols, sources, destinations, etc., completely dumb
> > about applications.
> >
> > I really like the idea that if some application decides to phone home
> > on port 80 that I haven't said is OK an alert box will pop up to let me
> > decide if I want to allow this or not.
> >
> > Does anyone know of any application level firewall products for OS X
> > comparable to ZoneAlarm? As far as basic packet filtering goes, OS X
> > already comes with ipfw, you don't really need to buy anything.
> > _______________________________________________
> > Firewalls mailing list
> > [EMAIL PROTECTED]
> > http://lists.gnac.net/mailman/listinfo/firewalls
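The log-watching script suggested in the thread, sketched as an added example that is not part of any poster's message. It assumes the usual `ipfw: <rule> <action> <proto> src:port dst:port in|out via <if>` log line layout; the sample lines, addresses and function names are constructed for illustration. It reports only ports and addresses, so it cannot tell which application sent the traffic or what is carried over an allowed port 80, which is the limit raised in the reply above.

```python
import re
from collections import Counter

# Constructed sample log lines (assumed ipfw layout, documentation addresses).
SAMPLE_LOG = """\
Mar 11 19:08:01 mac kernel: ipfw: 65000 Deny TCP 192.168.1.20:49213 203.0.113.7:5190 out via en0
Mar 11 19:08:05 mac kernel: ipfw: 65000 Deny TCP 192.168.1.20:49214 203.0.113.7:5190 out via en0
Mar 11 19:09:12 mac kernel: ipfw: 65000 Deny TCP 192.168.1.20:49220 198.51.100.9:25 out via en0
Mar 11 19:09:40 mac kernel: ipfw: 65000 Deny UDP 198.51.100.44:4000 192.168.1.20:137 in via en0
Mar 11 19:10:02 mac kernel: ipfw: 100 Accept TCP 192.168.1.20:49230 198.51.100.80:80 out via en0
Mar 11 19:10:03 mac sshd[211]: unrelated line
"""

LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

def parse(log_text):
    """Yield one dict per ipfw TCP/UDP log line; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()

def denied_outbound(log_text):
    """Count denied outbound attempts per (proto, destination, port)."""
    counts = Counter()
    for e in parse(log_text):
        if e["action"] == "Deny" and e["dir"] == "out":
            counts[(e["proto"], e["dst"], int(e["dport"]))] += 1
    return counts

def alerts(log_text, allowed_ports=(80, 443)):
    """Alert on denied outbound traffic to ports outside the allow list."""
    return [
        f"{n}x denied outbound {proto} to {dst}:{port}"
        for (proto, dst, port), n in sorted(denied_outbound(log_text).items())
        if port not in allowed_ports
    ]

if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG):
        print(a)
```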
