
How can I filter domain access in the firewall?

My goal: Block traffic going to and coming from a named domain.


If I'm working with a regular border firewall it is easy to write rules to do this, but I don't see a way to do it on a Mac using the built-in firewall.


My current solution for the outbound side is to run a local DNS server that "resolves" any blacklisted domains to a dead-end address. This takes care of any outbound ad requests, etc., but does nothing to help me filter incoming content.


Short of replacing the built-in FW with something of higher functionality, how do other people do this?

Posted on Apr 12, 2013 3:24 PM

5 replies

Apr 12, 2013 7:18 PM in response to zunguri

If using pf, you may be able to use a fully qualified domain name for either the source address or destination address portions of a rule. The FQDN would be resolved via DNS and the IP address substituted in place when the rule is loaded.


I say may because OS X uses a pre-OpenBSD 4.7 version of pf...I believe the functionality is present in the OS X version but cannot confirm it with certainty.


http://www.openbsd.org/faq/pf/filter.html
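For illustration, here is what the hostname-in-a-rule approach described above looks like in pf.conf syntax, covering both the outbound and inbound direction the question asks for. This is an added example, not something from the thread or from Apple; "ads.example.com" and the table name "blacklist" are placeholders.

```pf
# Added example: pf rules that block traffic to AND from one named domain.
# "ads.example.com" is a placeholder for the domain you want to cut off.
#
# Caveat: a hostname in a rule is resolved by DNS once, when the ruleset is
# loaded (e.g. "sudo pfctl -f /etc/pf.conf"). If the name resolves to several
# addresses, pf expands the rule into one rule per address. It is NOT
# re-resolved afterwards, so reload the rules if the domain's addresses move.

# Outbound side: drop anything destined for the domain.
block drop out quick from any to ads.example.com

# Inbound side: drop anything arriving from the domain's addresses.
block drop in quick from ads.example.com to any

# Alternative that keeps the ruleset static and lets you refresh addresses
# without a full reload: a persistent table you fill from the shell, e.g.
#   sudo pfctl -t blacklist -T add ads.example.com
# (assumed here: pfctl resolves a hostname given to -T add; re-run it
# periodically to pick up address changes). No direction keyword means the
# rule applies to both in and out.
table <blacklist> persist
block drop quick from <blacklist> to any
block drop quick from any to <blacklist>
```

Note this only blocks by IP address after resolution; content that arrives from an address the domain did not resolve to at load time (a CDN rotation, for instance) is not caught, which is the limitation the next reply is pointing at.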

Apr 13, 2013 7:12 AM in response to zunguri

You don't want a packet-filter firewall. Packet filtering firewalls like pf, IPFW and IP-Tables all work at the Network Layer (Layer 4) and below and perform inspections of individual packets. Domain names are not part of a packet, which is why DNS exists - to map domain names to IP addresses.


You need a service that works at the Application Layer (Layer 7), most likely a proxy, given the use-case you've described.
