
How can I filter domain access in the firewall?

3223 Views 5 Replies Latest reply: Apr 13, 2013 7:12 AM by g_wolfman
zunguri
Apr 12, 2013 3:24 PM

My goal: Block traffic going to and coming from a named domain.

If I'm working with a regular border firewall it is easy to write rules to do this, but I don't see a way to do it on a Mac using the built-in firewall.

My current solution for the outbound side is to run a local DNS server that "resolves" any blacklisted domains to a dead-end address. This takes care of any outbound ad requests, etc., but does nothing to help me filter incoming content.

Short of replacing the built-in FW with something of higher functionality, how do other people do this?

  • Linc Davis Level 10 (107,660 points)
    Apr 12, 2013 5:19 PM (in response to zunguri)

    If by the "built-in firewall" you mean either ipfw or pf, depending on the system version, then either one is certainly capable of filtering packets by the IP address of the source or destination, but not by the domain name. To preempt name resolution by host, you can add entries to the hosts file.

  • g_wolfman Level 4 (1,110 points)
    Apr 12, 2013 7:18 PM (in response to zunguri)

    If using pf, you may be able to use a fully qualified domain name for either the source address or destination address portions of a rule. The FQDN would be resolved via DNS and the IP address substituted in place when the rule is loaded.

    I say may because OS X uses a pre-OpenBSD 4.7 version of pf... I believe the functionality is present in the OS X version but cannot confirm it with certainty.

    http://www.openbsd.org/faq/pf/filter.html

  • Linc Davis Level 10 (107,660 points)
    Apr 12, 2013 7:33 PM (in response to g_wolfman)

    You're right. It's in the pf.conf(5) man page.
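
As an added illustration (not code from the thread or from any of the posters): because pf.conf(5) resolves a hostname written into a rule only once, when the ruleset is loaded, the usual defensive workaround is to keep the domain's current addresses in a pf table that a script refreshes from DNS. The table name `blocked`, the file `/etc/pf.blocked` and the domain `ads.example.com` are assumed placeholders; the resolver output used for testing is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Blocks traffic to and from one domain
# with pf by keeping the domain's current addresses in a pf table. A hostname
# written into a rule is resolved only when the ruleset is loaded (pf.conf(5)),
# so the table is refreshed from DNS instead of hard-coding the name.
#
# Assumed /etc/pf.conf fragment (table name and path are placeholders):
#   table <blocked> persist file "/etc/pf.blocked"
#   block drop quick from <blocked>
#   block drop quick to <blocked>
# Load it once with `pfctl -f /etc/pf.conf`, then run refresh_table on a
# schedule (cron or launchd), e.g.: refresh_table ads.example.com /etc/pf.blocked

# Keep only IPv4/IPv6 literals from resolver output such as `dig +short`,
# which may also print CNAME targets; one address per line, sorted, unique.
filter_addresses() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^[0-9A-Fa-f]*(:[0-9A-Fa-f]*)+$' \
        | LC_ALL=C sort -u
}

# Resolve a domain's A and AAAA records (needs the network and dig).
resolve_domain() {
    dig +short A "$1"
    dig +short AAAA "$1"
}

# Write the filtered addresses from stdin to the table file given as $1.
# Refuses to write an empty table so a DNS failure does not silently
# clear the block (the previous file, and the loaded table, stay in place).
write_table_file() {
    addrs=$(filter_addresses)
    if [ -z "$addrs" ]; then
        echo "no addresses resolved; keeping existing $1" >&2
        return 1
    fi
    printf '%s\n' "$addrs" > "$1"
}

# Resolve, write the file, and replace the live table contents in pf.
# Usage: refresh_table <domain> <table-file>
refresh_table() {
    resolve_domain "$1" | write_table_file "$2" \
        && pfctl -t blocked -T replace -f "$2"
}
```

Note that this still blocks by address, as Linc Davis says: a domain that shares addresses with other hosts (a CDN, for instance) will be blocked along with them, and addresses that change between refreshes are missed.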

  • g_wolfman Level 4 (1,110 points)
    Apr 13, 2013 7:12 AM (in response to zunguri)

    You don't want a packet-filter firewall. Packet filtering firewalls like pf, IPFW and IP-Tables all work at the Network Layer (Layer 4) and below and perform inspections of individual packets. Domain names are not part of a packet, which is why DNS exists - to map domain names to IP addresses.

    You need a service that works at the Application Layer (Layer 7), most likely a proxy, given the use-case you've described.
