Need A Firewall Recommendation For Locking Down Remote Login

I love Little Snitch. You can set it to deny or approve different options. Although I’m not sure how this would exactly work. I’m sure that it could do it though.

I much prefer using a router for this purpose. I like Little Snitch and it may work for you, but I use it primarily to stop unwanted outbound connections from badly behaved websites.

It’s all up to you of course.

I had written a pretty long response, telling that the Linux on your router is probably better suited than some third-party app on your Mac. But that felt a bit useless. If you only trust Apple on these matters, it’s - like I said - all up to you. But do know that 99,9999999% of the internet is not running on Apple software when it comes to security.

Just my $0.02.

That’s a good point.

For what you’re doing it might be easiest to do it in terminal via the BSD based packet filter. You would first write a rule to deny then permit the service/subnet you want.

I was going to suggest that, but then I looked up the process that people are having to go through to make the rules persistent between reboots and updates, and backed away very slowly :laughing:

Yep. I didn’t see anything about reboots when I looked, but definitely an issue with upgrades. Will look into this more. Now I’m curious…

I’m not 100% certain on the reboot issue: I skimmed an article or three, paired what I was reading with “… easy to use is a bonus…” and decided that pf for macOS probably wasn’t it :slight_smile:

Now I’m curious too…

I suggest adding a Firewalla Blue to your network. I’ve had the Blue running for over six months. Very useful info and network controls.

This company went and put a pretty decent wrapper on a bunch of open source and free services; good for them. But if you go and pay for this device thinking it’s going to solve this use case, you’re going to be extremely disappointed. It won’t…

Well, it’s a bonus, not a requirement. :slight_smile: PF isn’t off the table as an option here.

I agree that Linux, as an OS, is probably suited as well or better than an app on my Mac. The question though is one of whether the people who built the router have designed the system well or not - and the answer to that, all too commonly, seems to be “no”. And of course there’s all the smart-home stuff that lives behind routers and could potentially create a problem of its own, if I ever decide to go down that route.

Basically, for me this isn’t an issue of Apple vs. non-Apple - this is an issue of “security on the machine itself” vs. “trusting a random third-party device to solve the problem for me”.

And they’re complementary in my view, not either/or. :slight_smile:

Good point. Let’s not forget that OS X is based on BSD. A large percentage of internet infrastructure is (some moving towards Linux) based on BSD. You still have a great deal of control to harden OS X in the terminal. Still think this is the best bet for this use case.

At this point I think I’m going to start playing with PF. Is that the route you’re thinking you’d go as well?

Yes. Simply because it’s free and you can create two rules that solve your problem. @ACautionaryTale was right. Some of the settings aren’t retained after reboot. Found a good reference here.

“Additionally, you must re-enable PF (pfctl -E) each time your Mac reboots; ideally, you should create a launchd job for this (see Pfctl launch daemon does not seem to process program arguments).”

May or may not suit your needs. Since this doesn’t seem overly critical (assumption on my part) I’d just as soon go the free route if I learn something in the process. :smiley:

I can definitely do the launchd thing. Since I’m already going full command line on this problem I’ll probably also add a quick monitor script that checks it every 10 minutes and launches it if there’s an issue.

Sometimes with this fiddly stuff I like the convenience of a third-party app that just handles things. As an unrelated example, I’ve done FFMPEG code for some audio/video conversions, but there are definitely times where I appreciate software like Handbrake with its drag & drop interfaces with nice menus.

I know I’m probably an edge case, but I just had a huge insurance survey as part of a disclosures process where they were asking me thirty billion questions about my security setup - so it’s got me in a more-elevated-than-normal security mindset. :slight_smile:


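Putting the thread’s pieces together (the deny-then-permit pf rules suggested above, re-enabling pf after a reboot, and the 10-minute check), as an added example that is not code from anyone in this thread; the subnet, anchor name and file path are assumptions:

```shell
#!/bin/sh
# Added example (not from anyone in the thread): a deny-then-permit pf rule set that
# exposes Remote Login (sshd, TCP/22) only to one trusted subnet, plus the check a
# launchd job can run every 10 minutes to re-enable pf if a reboot turned it off.
# The subnet, anchor name and file path are assumptions; change them for your network.

TRUSTED_NET="192.168.1.0/24"                          # assumed trusted LAN
ANCHOR="com.example.remotelogin"                      # assumed anchor name
RULES_FILE="/etc/pf.anchors/$ANCHOR"                  # assumed rule file path

# Emit the rules. In pf the last matching rule wins, so the broad block comes
# first and the narrower pass rule overrides it only for the trusted subnet.
pf_rules() {
    cat <<EOF
# Remote Login (sshd) is reachable only from $TRUSTED_NET
block in log proto tcp from any to any port 22
pass in proto tcp from $TRUSTED_NET to any port 22 flags S/SA keep state
EOF
}

# Report whether pf is enabled, given the text of "pfctl -s info". Taking the
# output as an argument keeps this testable without root; 0 = enabled.
pf_is_enabled() {
    case "$1" in
        *"Status: Enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# The periodic check (run as root, e.g. from a LaunchDaemon with StartInterval 600):
# if pf is off, enable it and reload our anchor. /etc/pf.conf must reference the
# anchor with a line such as:  anchor "com.example.remotelogin"
pf_ensure() {
    if ! pf_is_enabled "$(pfctl -s info 2>/dev/null)"; then
        logger -t remotelogin-pf "pf is disabled, re-enabling and reloading $ANCHOR"
        pfctl -E 2>/dev/null
        pfctl -a "$ANCHOR" -f "$RULES_FILE" 2>/dev/null
    fi
}

# Print the rule set so it can be reviewed or redirected into $RULES_FILE.
pf_rules
```

Parse the rules with pfctl -nf before loading them for real; the check function is meant to be called from a LaunchDaemon whose StartInterval is 600 seconds, matching the 10-minute cadence mentioned above.
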
If you call 0,4% a large percentage you’re right. In my book that’s next to nothing.

I said internet infrastructure. Didn’t say World Wide Web. Wasn’t trying to one up you with my comment. Thanks for the stat, but my point remains the same and is still 100% accurate.

I noticed the word infrastructure. But even then. In the - admittedly long - list of BSD derivatives I could only identify Junos OS (for Juniper routers) as being something of (significant) importance. Cisco’s IOS seems to be proprietary, or at least not based on BSD. So my honest question remains what infrastructure runs on BSD? I couldn’t find any data on that. But now I’m curious.

Wait; so proprietary software can’t have its foundation in open source? Most if not all OEM appliances for routing or switching, ANY type of security for that matter, leverage some form of *nix kernel. Cisco IOS, Junos, and others all have origins based on BSD. IOS XE now has a Linux-based foundation, but I’m not sure if that’s running on core routers outside of the ASR line and is much newer. For years, the best firewalls were all deployed on OpenBSD. Much of the early voice/data switching networks of the early internet were based on BSD, and are still running flavors of BSD. OpenBSD is still arguably the most secure OS that’s widely deployed. Keep in mind, companies don’t necessarily like to publish this information, but if you look, it’s there.