While it is true a properly configured iptables firewall will provide
good security, it does not address the issue of applications such as
Instant Messaging from tunneling outbound through port 80. Correct me if
I am wrong, but iptables does not provide content inspection to
guarantee all traffic on port 80 is HTTP. In fact even if it did, I have
seen applications which use HTTP (headers) to communicate with servers
on port 80 capable of bypassing most proxy servers. Not to mention all
the freshly installed programs which try to force you to auto-register
online. Unfortunately I do not have a good suggestion for this
gentleman, except to say I understand the dilemma he is trying to
mitigate against.

Ken 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Jay Christopherson
Sent: Monday, March 11, 2002 7:08 PM
To: Glenn Shiffer
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Seeking personal firewall for Mac OS X

Not being familiar with ipfw, but assuming it is similar to iptables or
ipchains, wouldn't you be able to tell ipfw "that your Internet browser
is allowed to talk to the Internet, but your mail client is not"?  You
can just default deny all traffic and specifically allow port 80 or port
443. You could even write a small (a couple lines at best) script that
would parse the ipfw logs and alert you when someone tries to access
something you don't want them to access... there are even tools out
there that can do that already and I bet a lot of them will run on OS X
(based on BSD right?)...

I understand what you are saying about specifying applications, but you
can get the same effect with iptables (and presumably ipfw) by
monitoring and specifying access ports (110 for pop, 25 for smtp, 23 for
telnet, etc...)

I've used ZoneAlarm on Windows, and I am not too impressed versus a
properly setup iptables firewall.

Of course, this is all based on my assumption that ipfw has similar
functionality to iptables.  If not, feel free to flog me publicly.

I don't know if any of this actually helps you; I was just airing
opinions to see what others think...

- Jay

Thus spake Glenn Shiffer ([EMAIL PROTECTED]):

> Net Barrier is the closest thing I can think of.
> 
> http://www.intego.com 
> 
> HTH,
> 
> Glenn
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Jim Rosenberg
> Sent: Monday, March 11, 2002 9:58 AM
> To: [EMAIL PROTECTED]
> Subject: Seeking personal firewall for Mac OS X
> 
> I am used to using ZoneAlarm *behind* a network firewall to protect
> BillWare desktops. ZoneAlarm allows setting policies at the
> *APPLICATION* level, which a typical network firewall won't. E.g. I
> can tell ZoneAlarm that my web browser is allowed to talk to the
> Internet, but my mail client is not. (My mail client needs only to
> talk to my local mail servers on the LAN behind the network firewall.)
> 
> I'm now looking for this kind of functionality on Mac OS X, and not
> finding anything out there. There are several products that describe
> themselves as "personal firewalls" for OS X, but the kind of policies
> they allow you to set are just like those of a network firewall: smart
> about ports, protocols, sources, destinations, etc., completely dumb
> about applications.
> 
> I really like the idea that if some application decides to phone home
> on port 80 that I haven't said is OK an alert box will pop up to let
> me decide if I want to allow this or not.
> 
> Does anyone know of any application level firewall products for OS X
> comparable to ZoneAlarm? As far as basic packet filtering goes, OS X
> already comes with ipfw, you don't really need to buy anything.
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
> 
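Jay's suggestion above (default-deny outbound, allow only 80/443, and a small script that parses the ipfw deny log and alerts) and Ken's caveat (port filtering cannot tell which application, or even which protocol, is behind a port-80 flow) can both be made concrete. The following is an added example written for this page; it is not code from any poster in the thread. It assumes the FreeBSD-style ipfw rule syntax and kernel log line format ("ipfw: <rule> <Action> <PROTO> <src>:<sport> <dst>:<dport> <in|out> via <iface>", produced when net.inet.ip.fw.verbose is enabled); the log lines it parses are constructed, not captured from a real host, and the function names are the example's own.

```python
import re
from collections import Counter

# Assumed ipfw(8) kernel log format (FreeBSD-style, emitted with
# net.inet.ip.fw.verbose=1):
#   ipfw: <rule> <Action> <PROTO> <src>:<sport> <dst>:<dport> <in|out> via <iface>
# Lines without ports (e.g. ICMP) are deliberately not matched here.
IPFW_LINE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\w+)"
)

# Constructed sample log, not captured from a real host. The 192.0.2.0/24,
# 198.51.100.0/24 and 203.0.113.0/24 addresses are documentation prefixes.
# Port 5190 (AIM) stands in for the instant-messaging client in the thread.
LOG_SAMPLE = """\
Mar 11 19:08:01 mac kernel: ipfw: 1000 Accept TCP 192.168.1.5:49152 192.0.2.10:80 out via en0
Mar 11 19:08:05 mac kernel: ipfw: 1200 Deny TCP 192.168.1.5:49153 192.0.2.20:5190 out via en0
Mar 11 19:08:06 mac kernel: ipfw: 1200 Deny TCP 192.168.1.5:49154 192.0.2.20:5190 out via en0
Mar 11 19:08:09 mac kernel: ipfw: 1200 Deny UDP 192.168.1.5:1024 198.51.100.7:25 out via en0
Mar 11 19:09:00 mac kernel: ipfw: 1300 Deny TCP 203.0.113.9:3333 192.168.1.5:22 in via en0
""".splitlines()


def ipfw_outbound_ruleset(allowed_ports=(80, 443), base=1000):
    """Build the rule lines (arguments to `ipfw add`) for a default-deny
    outbound policy that permits only the given TCP ports and logs every
    other outbound attempt. Rule syntax is FreeBSD ipfw's; that it applies
    unchanged to the OS X ipfw of the period is an assumption."""
    rules = [
        "add 100 allow ip from any to any via lo0",  # loopback stays open
        "add 200 check-state",                       # replies to kept state
    ]
    n = base
    for port in allowed_ports:
        rules.append(f"add {n} allow tcp from any to any {port} out setup keep-state")
        n += 100
    rules.append(f"add {n} deny log ip from any to any out")  # catch-all, logged
    return rules


def parse_ipfw_log(lines):
    """Return one dict per recognised ipfw log line (others are skipped)."""
    events = []
    for line in lines:
        m = IPFW_LINE.search(line)
        if not m:
            continue
        d = m.groupdict()
        for key in ("rule", "sport", "dport"):
            d[key] = int(d[key])
        events.append(d)
    return events


def denied_outbound(events):
    """Outbound attempts the policy blocked: the 'phone home' connections
    that an application-aware firewall would pop an alert box for."""
    return [e for e in events if e["action"] == "Deny" and e["direction"] == "out"]


def summarize(denied):
    """Count blocked attempts per (destination host, port); a persistent
    caller such as an IM client shows up as repeated hits on one pair."""
    return Counter((e["dst"], e["dport"]) for e in denied)


def alert_lines(lines, threshold=1):
    """The 'couple of lines' log watcher from the thread: one alert per
    (dst, port) pair hit at least `threshold` times, in sorted order."""
    counts = summarize(denied_outbound(parse_ipfw_log(lines)))
    return [f"blocked outbound to {dst}:{port} x{n}"
            for (dst, port), n in sorted(counts.items()) if n >= threshold]


if __name__ == "__main__":
    print("\n".join(ipfw_outbound_ruleset()))
    print("\n".join(alert_lines(LOG_SAMPLE)))
```

Run against the constructed log, the watcher reports the two blocked attempts to 192.0.2.20:5190 and the one to 198.51.100.7:25, while the inbound deny on port 22 is left to whatever watches the inbound side. Note what the first log line shows: the flow to 192.0.2.10:80 was accepted because it matched the port-80 rule, and nothing in the log says whether the browser or the IM client sent it. That is exactly the gap Ken describes; this script gives you Jay's alerting for ports you have not opened, not ZoneAlarm's per-application decision.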