top | item 37500101


paws | 2 years ago

The more macOS seems to break user control of networking, the more I wonder what kind of "separate box" solutions are out there that can intermediate _outgoing_ traffic, e.g. something like LittleSnitch on a router, where it notifies the Mac when it detects a new outgoing connection.

Do things like pfSense support that already? "Hold" an outgoing connection from the moment the SYN is observed, notify whatever client, and only allow it if the user clicks?


smashed | 2 years ago

> Do things like pfSense support that already? "Hold" an outgoing connection from the moment the SYN is observed, notify whatever client, and only allow it if the user clicks?

Not that I am aware of.

This is a desktop-centric workflow where the user can react live to an application that is sending traffic.

Your typical network firewall will apply a set of static rules and the decision to log/reject/drop is done ASAP. Waiting for user input is impossible.

Some systems can show logs of recent blocked traffic, and allow an admin to quickly generate an exception/allow rule for blocked traffic but that's pretty much it.

jerf | 2 years ago

With some work you could integrate the two; create an external box paired with an app on your source machine. When the source machine can see more info about the connection it can cooperate to pass it along to the middlebox, and if the middlebox sees something the source system has no idea about, well, that's useful info to annotate the network connection with.

fiddlerwoaroof | 2 years ago

Most of the alternatives that aren’t marketed to the consumer immediately have something. I ran openwrt for years and used its firewall to block a bunch of traffic and now I’ve switched to Ubiquiti because of wifi issues.

catiopatio | 2 years ago

pf’s `divert-to` can be used to divert packets to a local port; `getsockname()` will return the original destination address, so you can either close the connection, or proxy it in userspace.

Alternatively, you could possibly use a divert(4) socket, coupled with a targeted firewall rule, to divert only the initial SYN packet, and if the connection is to be permitted, re-inject it and allow the connection to proceed normally.

OpenBSD supports using divert(4) sockets with pf; unfortunately, FreeBSD divert(4) sockets only work with the older ipfw firewall.
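The `divert-to` plus `getsockname()` approach from the comment above, worked into a small "hold and ask" gate. This is an added example, not code from the thread and not part of pf or OpenBSD. It assumes OpenBSD pf on the router with a rule that diverts the Mac's new outbound TCP connections to 127.0.0.1:9000; the rule, the `$lan_if`/`$mac` macros and the port are hypothetical. Without pf in front of it, `getsockname()` simply returns the listener's own address, which is how the code runs on an ordinary machine.

```python
"""Hold-and-ask outbound gate for OpenBSD pf divert-to (added example).

Assumed pf.conf rule on the router (macro and interface names are hypothetical):

    pass in quick on $lan_if inet proto tcp from $mac to ! $lan_if:network \
        divert-to 127.0.0.1 port 9000

pf hands every new outbound TCP connection from the Mac to the listener on
127.0.0.1:9000. On OpenBSD, getsockname(2) on the accepted socket returns the
destination the Mac actually dialed, so the gate can ask the user about it and
then either close the socket or proxy the bytes to the real destination.
"""
import asyncio
from typing import Callable, Dict, Tuple

Addr = Tuple[str, int]


def original_destination(sock) -> Addr:
    """Destination the client dialed. Under pf divert-to this is the real remote
    endpoint; without pf it is just the listener's own address."""
    host, port = sock.getsockname()[:2]
    return host, port


class Gatekeeper:
    """Asks once per (client, destination) pair and caches the verdict; a prompt
    nobody answers within `timeout` seconds is treated as deny."""

    def __init__(self, ask: Callable[[Addr, Addr], bool], timeout: float = 30.0):
        self.ask = ask            # blocking prompt, e.g. input() on a console
        self.timeout = timeout
        self.cache: Dict[Tuple[Addr, Addr], bool] = {}

    async def decide(self, client: Addr, dst: Addr) -> bool:
        key = (client, dst)
        if key not in self.cache:
            try:
                verdict = await asyncio.wait_for(
                    asyncio.to_thread(self.ask, client, dst), self.timeout)
            except asyncio.TimeoutError:
                verdict = False   # default deny: the connection stays on hold, then dies
            self.cache[key] = verdict
        return self.cache[key]


async def pump(src: asyncio.StreamReader, dst: asyncio.StreamWriter) -> None:
    """Copy bytes one way until EOF, then propagate the close to the other side."""
    try:
        while chunk := await src.read(65536):
            dst.write(chunk)
            await dst.drain()
    finally:
        dst.close()


async def handle(gk: Gatekeeper, reader, writer) -> None:
    client = tuple(writer.get_extra_info("peername")[:2])
    dst = original_destination(writer.get_extra_info("socket"))
    if not await gk.decide(client, dst):
        writer.close()            # the app on the Mac sees a closed connection
        await writer.wait_closed()
        return
    try:
        # The router's own connection: it is not "from $mac", so pf does not divert it.
        up_r, up_w = await asyncio.open_connection(*dst)
    except OSError:
        writer.close()
        await writer.wait_closed()
        return
    await asyncio.gather(pump(reader, up_w), pump(up_r, writer))


async def serve(gk: Gatekeeper, host: str = "127.0.0.1", port: int = 9000):
    """Start the divert-to listener; returns the asyncio Server."""
    return await asyncio.start_server(lambda r, w: handle(gk, r, w), host, port)


def console_ask(client: Addr, dst: Addr) -> bool:
    """Minimal stand-in for a Little Snitch style prompt."""
    q = f"{client[0]}:{client[1]} -> {dst[0]}:{dst[1]} allow? [y/N] "
    return input(q).strip().lower() == "y"


async def main() -> None:
    server = await serve(Gatekeeper(console_ask))
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(main())
```

The hold happens at the TCP layer: pf completes the handshake with the listener, so the application on the Mac sees a connected socket that sends nothing until the verdict, and a deny shows up as a closed connection rather than a timeout. Anything the prompt does not answer within the timeout is denied, and verdicts are cached per (client, destination) so the user is asked once per pair, not once per connection. Note that the `allow` path only makes sense behind pf: on a machine without the divert rule the "original destination" is the listener itself, so allowing would connect the proxy to itself.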

meindnoch | 2 years ago

And how would you decide whether an outgoing connection to a random AWS IP is legit or not? You don't know which app is the source.

WirelessGigabit | 2 years ago

Actually you do. You request a port on which your process will listen to the result of the call.

bonestamp2 | 2 years ago

I think the best you can do in pfSense would be to log it and then look at the logs regularly.