I have the remote login feature enabled on one of my Minis so I can manage it from another Mini on my LAN - but I don’t need to be able to remote login from the Internet.
Looking for a recommendation for firewall software (easy to use is a bonus) where I can basically tell my Mini “if a remote login request is coming from a 10.x.x.x address, allow it, otherwise deny it”.
It doesn’t seem that Apple’s built-in firewall is anything close to what I need. Any recommendations?
I’ve heard some spooky-ish stuff a decade or so ago about people being able to bypass that sort of thing. I’m sure that would probably require somebody to hack the router, but between the security on the router and security on the Mac, I trust the Mac more.
I had written a pretty long response, saying that the Linux on your router is probably better suited than some third-party app on your Mac. But that felt a bit useless. If you only trust Apple on these matters, it’s - like I said - all up to you. But do know that 99.9999999% of the internet is not running on Apple software when it comes to security.
This company went and put a pretty decent wrapper on a bunch of open source and free services; good for them. But if you go and pay for this device thinking it’s going to solve this use case, you’re going to be extremely disappointed. It won’t…
I agree that Linux, as an OS, is probably suited as well as or better than an app on my Mac. The question though is one of whether the people who built the router have designed the system well or not - and the answer to that, all too commonly, seems to be “no”. And of course there’s all the smart-home stuff that lives behind routers and could potentially create a problem of its own, if I ever decide to go down that route.
Basically, for me this isn’t an issue of Apple vs. non-Apple - this is an issue of “security on the machine itself” vs. “trusting a random third-party device to solve the problem for me”.
And they’re complementary in my view, not either/or.
Good point. Let’s not forget that OS X is based on BSD. A large percentage of internet infrastructure is (some moving towards Linux) based on BSD. You still have a great deal of control to harden OS X in the terminal. Still think this is the best bet for this use case.
I can definitely do the launchd thing. Since I’m already going full command line on this problem I’ll probably also add a quick monitor script that checks it every 10 minutes and launches it if there’s an issue.
Sometimes with this fiddly stuff I like the convenience of a third-party app that just handles things. As an unrelated example, I’ve done FFmpeg code for some audio/video conversions, but there are definitely times where I appreciate software like HandBrake with its drag & drop interface with nice menus.
I know I’m probably an edge case, but I just had a huge insurance survey as part of a disclosures process where they were asking me thirty billion questions about my security setup - so it’s got me in a more-elevated-than-normal security mindset.
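One concrete form of “the launchd thing” from the terminal, as an added example that is not code from anyone in this thread: a pf anchor that passes Remote Login (TCP/22) only from 10.0.0.0/8 and drops it from everywhere else, hooked into /etc/pf.conf and re-enabled after each reboot by a LaunchDaemon. The LAN range, the anchor name ssh-lan, the label local.pf.ssh-lan and the staging-directory argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): stage a pf anchor that admits Remote Login
# (TCP/22) only from 10.0.0.0/8 and a LaunchDaemon that re-enables pf at boot.
# Pass "" as the root to write the live system (as root); tests use a scratch dir.
set -eu
LAN_NET="10.0.0.0/8"            # assumption: the LAN uses 10.x.x.x addresses
ANCHOR_NAME="ssh-lan"           # hypothetical anchor name
PLIST_LABEL="local.pf.ssh-lan"  # hypothetical launchd label
# "quick" makes the first match final, so pass rules go before the catch-all
# block; loopback is passed so a local "ssh 127.0.0.1" still works.
write_anchor() {
    mkdir -p "$1/etc/pf.anchors"
    cat > "$1/etc/pf.anchors/$ANCHOR_NAME" <<EOF
pass in quick on lo0 inet proto tcp from any to any port 22
pass in quick inet proto tcp from $LAN_NET to any port 22
block drop in quick inet proto tcp from any to any port 22
EOF
    printf '%s\n' "$1/etc/pf.anchors/$ANCHOR_NAME"
}
# Reference the anchor from pf.conf; idempotent so reruns do not duplicate it.
hook_pf_conf() {
    conf="$1/etc/pf.conf"
    touch "$conf"
    grep -q "^anchor \"$ANCHOR_NAME\"" "$conf" || cat >> "$conf" <<EOF
anchor "$ANCHOR_NAME"
load anchor "$ANCHOR_NAME" from "/etc/pf.anchors/$ANCHOR_NAME"
EOF
    printf '%s\n' "$conf"
}
# pf is off by default on macOS; this LaunchDaemon enables it with /etc/pf.conf at boot.
write_plist() {
    plist="$1/Library/LaunchDaemons/$PLIST_LABEL.plist"
    mkdir -p "$1/Library/LaunchDaemons"
    cat > "$plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>$PLIST_LABEL</string>
  <key>ProgramArguments</key><array>
    <string>/sbin/pfctl</string><string>-e</string><string>-f</string><string>/etc/pf.conf</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
    printf '%s\n' "$plist"
}
# On the Mac, as root: syntax-check, load and enable, then show the anchor's rules.
apply_rules() {
    /sbin/pfctl -nf /etc/pf.conf && /sbin/pfctl -ef /etc/pf.conf
    /sbin/pfctl -a "$ANCHOR_NAME" -sr
}
```

Once loaded, `pfctl -a ssh-lan -sr` should list exactly the three rules, and an SSH attempt from a non-10.x address should time out rather than be refused, since the rule drops silently.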