
Firewall advice needed - Mac Applications & Software


  1. #1

    Default Firewall advice needed

    In addition to a dial-up service, I recently added Comcast cable for
    its speed advantage. With the subscription came a free one-year trial
    of McAfee's personal firewall. Unfortunately, it is impossible to
    determine whether it has actually been activated. There's nothing on
    my machine to indicate its presence, and contacting McAfee involves
    either a $40 flat fee or a telephone call at $2.95/min that averages 14
    min., according to a recorded announcement.

    So, my question is: what are the firewall products out there that have
    gained acceptance among users? TIA

    --
    Harry F. Lockwood

    (Remove HOLE for e-mail reply)
    Harry Guest

  2. #2

    Default Re: Firewall advice needed

    Have you looked into something like a Linksys cable router/firewall? A
    software based firewall is ok but to really be secure on a cable
    connection I tend to lean towards a hardware-based firewall. Less of a
    chance that someone will exploit a hole in the OS and bypass your
    software based firewall, which is only as secure as the OS it's running on.

    John

    Harry F. Lockwood wrote: 

    John Guest

  3. #3

    Default Re: Firewall advice needed

    In article <041020030819212685%com>,
    "Harry F. Lockwood" <com> wrote:
     

    The McAfee's comcast offers must be downloaded and it is PC only.
    Ed Guest

  4. #4

    Default Re: Firewall advice needed

    In article
    <comcast.giganews.com>, Ed
    <com.invalid> wrote:
     
    >
    > The McAfee's comcast offers must be downloaded and it is PC only.

    Thanks, Ed. That explains the problem. At least they could have said
    so in the flyer.

    --
    Harry F. Lockwood

    (Remove HOLE for e-mail reply)
    Harry Guest

  5. #5

    Default Re: Firewall advice needed

    In article <net>, John Antrosiglio
    <com> wrote:
     
    Thanks for the advice, John; I'll follow up on your suggestion. Right
    now, my temporary hardware "solution" is to disconnect the ethernet
    cable when I'm off line.

    --
    Harry F. Lockwood

    (Remove HOLE for e-mail reply)
    Harry Guest

  6. #6

    Default Re: Firewall advice needed

    On 2003-10-04, Ed <com.invalid> wrote: 
    >
    > The McAfee's comcast offers must be downloaded and it is PC only.


    No real loss anyway. OSX has firewall support in the kernel and an
    extremely easy to use preference panel that's more than flexible
    enough for the overwhelming majority of at-home users. No need at
    all for any third-party applications.

    The minority of power users who need more than this should be able to
    configure their firewalls directly, via ipfw. If they can't, they
    probably shouldn't be doing whatever it is that created the need for
    more flexibility in the first place. Again, no need for any
    third-party applications.

    Hugh Guest

  7. #7

    Default Re: Firewall advice needed

    In article <PeDfb.405598$ops.asp.att.net>,
    Hugh Wolf <lieder.de> wrote:

     

    In general and in theory I would agree with your statements about who
    would need a firewall to protect their computer and data. There is an
    ever increasing need for the average user to set up a firewall. Over
    the past several months the amount of "ping every address in sight"
    activity has increased greatly and become quite a bother for dial up
    users. The built in firewall will not block outgoing echo replies by
    default. Even when you add a rule to block replies, the incoming pings
    will still cause problems if you want to have your connection timeout
    automatically. I have had to write an AppleScript to monitor outgoing
    activity only and automatically disconnect after the timeout interval I
    set in the script.

    I am doing nothing which would otherwise necessitate using a firewall.
    I just want to be able to start a download, walk away from the computer
    and have my connection timeout after the download is finished.

    On the Apple discussion boards, I have corresponded with at least one
    person in the UK who is consistently getting pinged multiple times per
    minute. They are also getting charged by the minute for either phone or
    net usage.

    Therefore, even the average home user can benefit from using a firewall.
    Unless you use a third-party application, you are stuck using the command
    line to add a rule to block the ping replies.

    --
    Matt Broughton
    Only relatives are absolute.
    Matt Guest

  8. #8

    Default Re: Firewall advice needed

    Matt Broughton <com> wrote:
     

    Is this something you can share with the group, or perhaps submit to
    macosxhints?

    --
    net is a heavily-filtered SpamTrap. Email replies may not
    get through. Use cschram instead. <http://www.webenet.net/~schram/>
    C's Attic Sale <http://www.webenet.net/~schram/Chris/sale.html>
    M's Music Sale <http://www.webenet.net/~schram/Martha/Music4Sale.html>
    Chris Guest

  9. #9

    Default Re: Firewall advice needed

    In article <1g2b8fl.1f3zdyj1k0gsdiN%net>,
    net (Chris Schram) wrote:
     
    >
    > Is this something you can share with the group, or perhaps submit to
    > macosxhints?

    A "public" version of the script will hopefully be ready by the end of
    the weekend. After I got a script working for myself, I decided it
    might be worthwhile to make it more generic. I want to do some more
    testing before I offer it to others. As you have asked that it might be
    of use to others in this group, I will post back to this forum when it
    is done.

    --
    Matt Broughton
    Only relatives are absolute.
    Matt Guest

  10. #10

    Default Re: Firewall advice needed

    On 2003-10-04, Matt Broughton <com> wrote: 

    I'll have to take your word on that one. This is the first I've
    heard of it, on this or any other newsgroup. But I admit I don't pay
    close attention to dialup-specific issues.

     


    It's certainly true that the built-in gui doesn't provide any
    means to add blocks for icmp or udp, and the rules it generates will
    never do anything in particular with icmp or udp packets (though they
    may be blocked at the ip level if they use certain bogus addresses).

     

    So it sounds like you're saying that even if you configure the
    firewall manually to block the packets, this still isn't sufficient
    for your purposes. In which case the problem you're worried about
    isn't really about firewalls at all, is it?

    Out of curiosity, is there a reason you can't reject the requests?
    Then there won't be any replies to worry about.




    Hugh Guest

  11. #11

    Default Re: Firewall advice needed

    In article <sgKfb.687482$uu5.112210sccrnsc04>,
    Hugh Wolf <lieder.de> wrote:
     
     
    >
    >
    > It's certainly true that the built-in gui doesn't provide any
    > means to add blocks for icmp or udp, and the rules it generates will
    > never do anything in particular with icmp or udp packets (though they
    > may be blocked at the ip level if they use certain bogus addresses).
    >
    They can easily be blocked by adding the rule
    "sudo ipfw add deny icmp from any to any in via ppp0 icmptype 8"
    When used with the default firewall, setting this to be rule 3001 seems
    to work well.
     
    >
    > So it sounds like you're saying that even if you configure the
    > firewall manually to block the packets, this still isn't sufficient
    > for your purposes. In which case the problem you're worried about
    > isn't really about firewalls at all, is it?
    In the literal sense I suppose not. The literal problem is many people
    sending pings to every ip address in a given range. As a practical
    matter, however, I believe it has everything to do with firewalls. Is
    there another way to stop my computer from replying to the incoming
    pings?

     
    May I ask how I would do this? Someone sends a ping request to my local
    IP address. How do I stop it from reaching my modem? Once it reaches
    my modem, it comes through and is counted as traffic whether or not
    there is a reply. Whatever daemon Apple uses to watch for "disconnect
    if idle for x minutes" sees the ping as traffic even when I block the
    reply. Depending on the idle timeout and the frequency of the pings,
    the connection very seldom drops due to being idle for x minutes.

    --
    Matt Broughton
    Only relatives are absolute.
    Matt Guest

  12. #12

    Default Re: Firewall advice needed

    In article <sgKfb.687482$uu5.112210sccrnsc04>,
    Hugh Wolf <lieder.de> wrote:
     
    >
    > I'll have to take your word on that one. This is the first I've
    > heard of it, on this or any other newsgroup. But I admit I don't pay
    > close attention to dialup-specific issues.

    I've certainly noticed the fact that connections don't time out if I
    walk away from the computer, and had assumed it was a change in policy
    at my ISP. Live and learn.

    --
    AF
    "Non Sequitur U has a really, really lousy debate team."
    --artyw raises the bar on rec.sport.baseball
    Alice Guest

  13. #13

    Default Re: Firewall advice needed

    On 2003-10-05, Matt Broughton <com> wrote: 

    See below.

     

    Unless you hang up, only the phone company can stop external data from
    reaching your modem. But this has zero to do with firewalls. It's
    purely a telephone issue, no different from the issue of getting
    billed for unsolicited commercial calls made to cell phones.

    If you want to shut down a network interface altogether at a given
    time, there are tools to do that. Firewalls are something else
    entirely. The point of a firewall is to sit _between_ the network
    interface and the rest of the system.

    So again, your claim that the standard firewall tools in osx aren't
    sufficient isn't well grounded. No amount of firewall power will ever
    do what you want, because what you want is not about firewalling in
    the first place. You're choosing the wrong tool for the job.












    Hugh Guest

  14. #14

    Default Re: Firewall advice needed

    In article <1g2b8fl.1f3zdyj1k0gsdiN%net>,
    net (Chris Schram) wrote:
     
    >
    > Is this something you can share with the group, or perhaps submit to
    > macosxhints?

    Give the scripts a try if you want. You can get them at:
    <http://my.vbe.com/~mbrought/applescripts>

    These scripts allow the user to change the parameters for timeout,
    maximum session life, and how often to check the connection. By the
    time I added checks to verify for valid parameters from user changes,
    the scripts got to be a bit long to post at places like macosxhints.

    --
    Matt Broughton
    Only relatives are absolute.
    Matt Guest

  15. #15

    Default Re: Firewall advice needed

    In article <zbMfb.497219$Oz4.347166rwcrnsc54>,
    Hugh Wolf <lieder.de> wrote:

     

    May I presume that you are equating the phone company with the ISP?
    Here in the US, many or most dial up connections are made through
    independent ISPs that are not owned or operated by the phone company.
    The phone company's role is to only provide a voice grade quality phone
    line to a customer.

    I would agree that it would be nice if ISPs could or would block some of
    this traffic. The problem, as you well know, is that there are
    legitimate uses for pinging
     

    I was looking for a tool or application that would shut down my ppp
    interface after x minutes of no *outgoing* activity. I posted a query
    to c.s.m.comm and c.s.m.system to that effect. No one responded. If
    you have a particular tool that fits my needs, I am eager to learn of it.



     

    I fully agree with that definition. That is what ipfw is doing. I am
    able to stop the incoming pings from reaching the part of the system
    that normally responds to the ping.

    Perhaps I can rephrase the problem. The mechanism that Apple uses to
    timeout an idle dial up connection after x minutes is monitoring the
    network traffic before it gets to the firewall. I don't claim to know
    enough to say whether this is right, wrong, or just one acceptable way
    to do it. I need a mechanism such as the AppleScripts I wrote to
    monitor the traffic on "my side" of the firewall.
     

    I never said that. I said the built in firewall will not block outgoing
    echo replies by default. I also said that you can add a rule that will
    block incoming pings so that you do not reply to them. That is all I
    said about the built in firewall. I did go on to say that even when you
    deny incoming pings with the firewall, whatever method Apple uses to
    monitor ppp activity to determine whether a dial up connection is idle
    will count the incoming pings as activity. This will prevent an
    automatic disconnect as the user might otherwise expect.
     

    If I am using the wrong tool for the job, it wouldn't be the first time,
    and it won't be the last time. This applies whether I am working with
    computers or not. I will again state that I am eager to learn about the
    correct tool(s).

    In reviewing our exchanges, I don't think we are really in disagreement
    on much of anything. Perhaps I am not communicating my thoughts
    properly because I have been looking for the right tool(s) to meet a
    certain goal. To that end, I tend to intertwine two totally separate
    activities and ideas as though they are one in the same.

    --
    Matt Broughton
    Only relatives are absolute.
    Matt Guest

  16. #16

    Default Re: Firewall advice needed

    On 2003-10-06, Matt Broughton <com> wrote: 

    That's an artifact of the particular approach you're focused on right
    now. The problem you're trying to solve is that the timeout-hangup
    mechanism treats all packets alike, whereas you want it to distinguish
    based on the protocol. A more direct solution would be to watch all
    incoming packets and shut down the connection if no tcp traffic passes
    by for a given amount of time. That's at the core of what you're
    after. You probably can't do this in AppleScript, but you can with,
    for instance, a ruby script and tcpdump.

    The cleanest and most efficient solution would probably be a C program
    using the same underlying packet-watching library that tcpdump uses
    (libpcap). If you have any interest in learning to program, here's an
    excellent opportunity :)

    But if your applescript does what you want it to do, you're already
    done and you don't need a more direct approach.

     

    Right. It's looking at the link layer -- it just wants to detect
    whether or not the ppp interface is active. It doesn't care about the
    contents of the packets, which makes sense to me. The firewall works
    at the ip layer, for all interfaces.

     
    >
    > I never said that.

    At the beginning of this thread I claimed that the standard firewall
    tools were sufficient. You disagreed and raised the issue of rogue
    pings as the reason. What I've been trying to explain since then is
    that the problem you raise has nothing to do with firewalling at all.
    The firewall is fine.

    Hugh Guest
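
Hugh's suggestion in post #16 (hang up when no TCP traffic has passed for a given time, instead of letting any packet reset the idle timer), as an added example that is not part of the original thread or Matt's AppleScripts. It assumes lines in the text format of a modern `tcpdump -tt -n`; the 300-second limit, the class and method names, and the sample lines (documentation addresses) are constructed for illustration, and the actual disconnect is left to the caller.

```ruby
# Added example: idle detection that counts only TCP as activity.
# Assumes text lines in the format printed by `tcpdump -tt -n` (modern tcpdump).

IDLE_LIMIT = 300 # seconds without TCP before hanging up (assumed value)

LINE_RE = /\A(?<ts>\d+\.\d+) IP6? \S+ > \S+: (?<rest>.*)\z/

# Classify one tcpdump line; returns [timestamp, protocol] or nil if unparsable.
def classify(line)
  m = LINE_RE.match(line.strip)
  return nil unless m
  proto = case m[:rest]
          when /\AFlags \[/ then :tcp   # tcpdump prints TCP flags first
          when /\AICMP6?\b/ then :icmp
          when /\AUDP\b/    then :udp
          else :other
          end
  [m[:ts].to_f, proto]
end

# Tracks two clocks: the last packet of any kind (what a link-level idle
# timer sees) and the last TCP packet (what the user counts as activity).
class IdleWatch
  attr_reader :last_any, :last_tcp, :ignored

  def initialize(start, limit = IDLE_LIMIT)
    @last_any = @last_tcp = start
    @limit = limit
    @ignored = Hash.new(0) # per-protocol count of packets that did not reset the TCP clock
  end

  def feed(line)
    ts, proto = classify(line)
    return if ts.nil?
    @last_any = ts
    if proto == :tcp
      @last_tcp = ts
    else
      @ignored[proto] += 1
    end
  end

  def link_idle?(now) = now - @last_any >= @limit # any packet keeps the link "busy"
  def tcp_idle?(now)  = now - @last_tcp >= @limit # pings and stray UDP do not
end

# Constructed sample: one TCP packet, then only unsolicited pings and UDP.
SAMPLE = <<~LINES
  1065400000.000000 IP 192.0.2.10.49152 > 198.51.100.7.80: Flags [P.], seq 1:100, ack 1, win 65535, length 99
  1065400060.000000 IP 203.0.113.5 > 192.0.2.10: ICMP echo request, id 7, seq 1, length 64
  1065400120.000000 IP 203.0.113.9 > 192.0.2.10: ICMP echo request, id 9, seq 1, length 64
  1065400200.000000 IP 203.0.113.5 > 192.0.2.10: ICMP echo request, id 7, seq 2, length 64
  1065400290.000000 IP 203.0.113.77.4000 > 192.0.2.10.137: UDP, length 50
LINES

def run_sample
  watch = IdleWatch.new(1065400000.0)
  SAMPLE.each_line { |l| watch.feed(l) }
  watch
end
```

With the sample input, the link-level clock never reaches the limit because each ping resets it, while the TCP-only clock does.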

  17. #17

    Default Re: Firewall advice needed

    In article <rZdgb.50399$%h1.33032sccrnsc02>,
    Hugh Wolf <lieder.de> wrote:
     
    >
    > That's an artifact of the particular approach you're focused on right
    > now. The problem you're trying to solve is that the timeout-hangup
    > mechanism treats all packets alike, whereas you want it to distinguish
    > based on the protocol. A more direct solution would be to watch all
    > incoming packets and shut down the connection if no tcp traffic passes
    > by for a given amount of time. That's at the core of what you're
    > after. You probably can't do this in AppleScript, but you can with,
    > for instance, a ruby script and tcpdump.
    Thank you for that explanation. It helps to understand what you have
    been trying to tell me. While I have gotten to the point I can have
    tcpdump and netstat display some of what I want to see, I am not to the
    point where I can do any shell scripting. That is why I looked at using
    AppleScript.
     
    Always wanting to learn more. I suspect I will never make it to C
    programming. At least I remember enough from one semester of PL1 back
    in the early 70s to pick up some functionality with AppleScript.
     
    Yes, the AppleScripts serve my purpose. A more direct approach would
    still be desirable as I am sure it would use less system resources. 
    >
    > Right. It's looking at the link layer -- it just wants to detect
    > whether or not the ppp interface is active. It doesn't care about the
    > contents of the packets, which makes sense to me. The firewall works
    > at the ip layer, for all interfaces.
    Again, thank you for the additional information. My knowledge of what
    goes on behind the scenes is limited. I know nothing about the link
    layer. It was only about a month ago since I started tracking down the
    source of the unexplained network activity. I've done some reading on
    firewalls as that was the tool someone said would block the unwanted
    traffic. I have since gotten a much better understanding of the
    difference between tcp, icmp, igmp, udp in relation to ip. At least I'm
    making progress. :-))

    Thank you for taking the time to correct me and give me a better
    understanding of what I (and many others) are dealing with.

    --
    Matt Broughton
    Only relatives are absolute.
    Matt Guest
