Ted Leung on the air
Ted Leung on the air: Open Source, Java, Python, and ...
Sat, 27 Dec 2003
Location specific, interface dependent firewalling
Here's one for the Mac OS X hackers out there: Mac OS X has the nice notion of locations, which allows you to switch groups of network configurations depending on your location. I'm looking for a way to have location specific sets of firewall rules. In addition, I want to have one set of rules for the wired ethernet interface and a separate set of rules for the Airport interface. So far, here's what I've been able to turn up on my own:
- Setting up firewall rules - gives a sample rule set
- mfw multiple firewall configuration - but isn't location dependent.
- SunShield - a preference pane for the Mac OS X firewall.
[23:25] | [computers/operating_systems/macosx] | 5 Comments
Pretty sure it's the System Configuration framework. scutil is the stock command-line tool, I wrote an ObjC wrapper for it here: http://undefined.org/python/SystemConfiguration-0.1.tar.gz
Note that this also includes a PyObjC shim to load the ObjC wrapper.
Posted by Bob Ippolito at Sun Dec 28 06:51:57 2003
Definitely System Configuration Framework is how to find out it changed. This is something new. What's not clear to me is how to be notified when the "service" set changes - the headers seem to be more oriented towards specific IP addresses. Maybe SCNetworkReachabilityCreateWithName would provide it? Documentation for this stuff is not very specific - like I wonder what a plugin loaded under configd could do?
Posted by Rick Gordon at Sun Dec 28 23:20:59 2003
Actually, after reading the header a little more - the byname thing won't work as I had hoped - it's a std network host name. There is a way to specify both local/remote addr, so you could get notified whenever a specific local iface was activated at least. Looks like the "real" documentation is in the Darwin source.
Posted by Rick Gordon at Sun Dec 28 23:38:08 2003
Is there any documentation on scutil? Or do I have to get a copy of the Darwin source?
Posted by Ted Leung at Sun Dec 28 23:48:13 2003
Me again, and I'm done for the night. I did find a MoreSCF library on Apple's web site (http://developer.apple.com/samplecode/Sample_Code/Networking/MoreSCF.htm) but while it shows how to do a bunch of things there's nothing in there about the notifications. What little I have found on the subject points to CFRunLoops - a newer, low-level synch mechanism that I normally don't use doing Carbon programming.
Do let me know if you find an easier way to do this!
Posted by Rick Gordon at Sun Dec 28 23:52:33 2003
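As an added example (not from the post or its commenters), the selection step the post asks for can be written in shell: read the current location from `scselect` output and map a location/interface pair to an `ipfw` rules file, falling back to a default-deny set for anything unknown. The `/etc/firewall` layout, the file names, and `en0`/`en1` as wired/AirPort are assumptions, and the sample `scselect` output is constructed.

```shell
#!/bin/sh
# Added example. Assumed (hypothetical) layout: $RULES_DIR/<location>/<iface>.rules
RULES_DIR="${RULES_DIR:-/etc/firewall}"

# Constructed sample of `scselect` output; '*' marks the current location.
SAMPLE_SCSELECT='Defined sets include: (* == current set)
   0 (Automatic)
 * 1 (Home)
   2 (Office)'

# Read scselect output on stdin, print the name of the current location.
current_location() {
    sed -n 's/^[[:space:]]*\*[[:space:]][^(]*(\(.*\))[[:space:]]*$/\1/p' | head -n 1
}

# Accept only names that are safe as a single path component.
safe_name() {
    case "$1" in
        ''|.|..|*/*) return 1 ;;
    esac
    return 0
}

# Print the rules file for a location/interface pair. Anything unknown or
# unsafe falls back to the default-deny set, so a new location fails closed.
ruleset_for() {
    loc=$1
    iface=$2
    if safe_name "$loc" && safe_name "$iface" &&
       [ -f "$RULES_DIR/$loc/$iface.rules" ]; then
        printf '%s\n' "$RULES_DIR/$loc/$iface.rules"
    else
        printf '%s\n' "$RULES_DIR/default-deny.rules"
    fi
}

# Reload rules for both interfaces (run as root on the Mac; not called here).
# Assumes en0 is wired ethernet and en1 is AirPort.
apply_location_rules() {
    loc=$(scselect | current_location)
    ipfw -q -f flush
    for iface in en0 en1; do
        ipfw -q "$(ruleset_for "$loc" "$iface")"
    done
}
```

Running `apply_location_rules` after each location switch still needs a trigger, which is the System Configuration notification question the comments leave open.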