5 Replies Latest reply: Apr 13, 2013 7:12 AM by g_wolfman
zunguri Level 1 (0 points)

My goal:  Block traffic going to and coming from a named domain. 


If I'm working with a regular border firewall it is easy to write rules to do this, but I don't see a way to do it on a Mac using the built-in firewall. 


My current solution for the outbound side is to run a local DNS server that "resolves" any blacklisted domains to a dead-end address.  This takes care of any outbound ad requests, etc., but does nothing to help me filter incoming content.


Short of replacing the built-in FW with something of higher functionality, how do other people do this?

  • Linc Davis Level 10 (192,151 points)

    If by the "built-in firewall" you mean either ipfw or pf, depending on the system version, then either one is certainly capable of filtering packets by the IP address of the source or destination, but not by the domain name. To preempt name resolution by host, you can add entries to the hosts file.

  • g_wolfman Level 4 (1,120 points)

    If using pf, you may be able to use a fully qualified domain name for either the source address or destination address portions of a rule.  The FQDN would be resolved via DNS and the IP address substituted in place when the rule is loaded.


    I say may because OS X uses a pre-OpenBSD 4.7 version of pf...I believe the functionality is present in the OS X version but cannot confirm it with certainty.



  • Linc Davis Level 10 (192,151 points)

    You're right. It's in the pf.conf(5) man page.
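As an added illustration of the two approaches in the replies above (hosts-file entries, and pf rules whose FQDNs are resolved to addresses once when the rule set is loaded), here is a small generator script. It is not code from the thread or from pf itself; the domain names and addresses in the test data are constructed, and the resolver is injectable so the example runs offline. The point it makes concrete is the caveat in the replies: the substitution happens at load time, so any address the name does not map to at that moment (or maps to later) is not covered.

```python
"""Expand a domain blocklist into hosts-file sinkhole lines and a pf.conf fragment.

Added example for the thread; not pf's own code. Address resolution is done
here explicitly, mirroring what pfctl does when a rule names an FQDN.
"""
import socket


def resolve_all(name):
    """Default resolver: every address the name maps to right now, or [] if none."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def hosts_entries(domains, sink="0.0.0.0"):
    """/etc/hosts lines that short-circuit resolution to a dead-end address."""
    return [f"{sink}\t{d}" for d in domains]


def pf_rules(domains, resolve=resolve_all):
    """pf.conf fragment: a table of the addresses the names resolve to at load
    time, plus block rules in both directions.  Names with no address are
    reported in a comment because pf cannot block what it cannot resolve."""
    addrs, unresolved = [], []
    for d in domains:
        found = resolve(d)
        if found:
            addrs.extend(found)
        else:
            unresolved.append(d)
    addrs = list(dict.fromkeys(addrs))          # dedupe, keep order
    lines = [f"# {d}: no address at load time, NOT covered" for d in unresolved]
    table = "table <blocked> persist"
    if addrs:
        table += " { " + ", ".join(addrs) + " }"
    lines += [
        table,
        "block drop in quick from <blocked> to any",
        "block drop out quick from any to <blocked>",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed resolver standing in for DNS so the demo is self-contained.
    fake_dns = {"ads.example": ["203.0.113.10", "203.0.113.11"],
                "tracker.example.net": []}
    wanted = ["ads.example", "tracker.example.net"]
    print("\n".join(hosts_entries(wanted)))
    print(pf_rules(wanted, resolve=lambda d: fake_dns.get(d, [])))
```

Running it with the real resolver (the default) reproduces the behaviour the thread describes: the rule set freezes whatever addresses DNS returned at that moment, which is why the original poster found FQDN-based rules too limited for ad and tracker domains that resolve to many, changing addresses.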

  • zunguri Level 1 (0 points)

    FQDNs or IPs are not particularly useful as they are so limited.  I am already using an on-board DNS to catch any domain reference.  Thanks for the suggestions though.


    If you know of any good FWs for OS X with more advanced content filtering capabilities, I'd appreciate a pointer.

  • g_wolfman Level 4 (1,120 points)

    You don't want a packet-filter firewall.  Packet filtering firewalls like pf, IPFW and IP-Tables all work at the Network Layer (Layer 4) and below and perform inspections of individual packets.  Domain names are not part of a packet, which is why DNS exists - to map domain names to IP addresses.


    You need a service that works at the Application Layer (Layer 7), most likely a proxy, given the use-case you've described.
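To make the Layer 7 point above concrete, here is an added example (not code from the thread or from any particular proxy) of the minimal domain check an application-layer filter performs. A packet filter sees only the IP header; the name the client asked for is visible only inside the application payload, as the HTTP `Host` header in plaintext requests or the Server Name Indication (SNI) extension of a TLS ClientHello. The blocklist, the requests and the ClientHello are all constructed for the demo, and the TLS parser handles only what is needed to reach the SNI.

```python
"""Minimal application-layer domain filter: extract the requested host name from
an HTTP request or a TLS ClientHello and match it against a blocklist.

Added example for the thread; sample inputs are constructed.
"""
import struct

BLOCKLIST = {"ads.example", "tracker.example.net"}   # constructed names


def domain_blocked(host, blocklist=BLOCKLIST):
    """True if host or any parent domain is listed (case-insensitive, port stripped)."""
    host = host.lower().rstrip(".").split(":")[0]
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def http_host(payload: bytes):
    """Host header value of a plaintext HTTP/1.x request, or None."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:            # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


def tls_sni(payload: bytes):
    """SNI host name from a TLS ClientHello record, or None if absent/malformed."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:  # handshake record, ClientHello
            return None
        p = 5 + 4 + 2 + 32                            # record hdr, hs hdr, version, random
        p += 1 + payload[p]                           # session id
        p += 2 + struct.unpack("!H", payload[p:p + 2])[0]   # cipher suites
        p += 1 + payload[p]                           # compression methods
        end = p + 2 + struct.unpack("!H", payload[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", payload[p:p + 4])
            p += 4
            if ext_type == 0:                         # server_name extension
                q = p + 2                             # skip ServerNameList length
                while q + 3 <= p + ext_len:
                    name_type = payload[q]
                    name_len = struct.unpack("!H", payload[q + 1:q + 3])[0]
                    q += 3
                    if name_type == 0:                # host_name
                        return payload[q:q + name_len].decode("ascii", "replace")
                    q += name_len
                return None
            p += ext_len
    except (IndexError, struct.error):
        return None
    return None


def decide(payload: bytes):
    """Classify one client payload as ('block' | 'allow' | 'unknown', host)."""
    host = http_host(payload) or tls_sni(payload)
    if host is None:
        return ("unknown", None)
    return ("block" if domain_blocked(host) else "allow", host)


def make_client_hello(server_name: str) -> bytes:
    """Constructed TLS 1.2 ClientHello carrying a single SNI extension (demo input)."""
    name = server_name.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext = struct.pack("!HH", 0, len(sni_list) + 2) + struct.pack("!H", len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32) + b"\x00"          # version, random, empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"       # one cipher suite
            + b"\x01\x00"                              # null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    samples = [
        b"GET /banner.js HTTP/1.1\r\nHost: cdn.ads.example\r\n\r\n",
        b"GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
        make_client_hello("tracker.example.net"),
        b"\x45\x00\x00\x28",        # constructed IPv4 header bytes: no name to find
    ]
    for s in samples:
        print(decide(s))
```

The last sample is the packet filter's view of the world: a few bytes of IP header with no domain name in them, which is exactly why a proxy (or another Layer 7 service) is needed once the requirement is "block this domain" rather than "block this address".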