OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: gh0st on November 14, 2016, 09:54:46 am

Title: Block outgoing connection for app?
Post by: gh0st on November 14, 2016, 09:54:46 am
Is there some way we can achieve this? I don't want to use Little Snitch on my Mac.
Title: Re: Block outgoing connection for app?
Post by: bartjsmit on November 14, 2016, 11:01:55 am
The firewall only sees traffic identified by the source IP, destination IP, protocol, source port and destination port (for those protocols that use ports).

Unless the application is uniquely identifiable by those, you cannot block it. OPNsense has no agents on the clients that can tie their traffic to a specific process on the client.

Bart...
Title: Re: Block outgoing connection for app?
Post by: franco on November 15, 2016, 05:27:43 pm
Blocking by IP destination is often the best approach, granted a good list for the app can be found.


Cheers,
Franco
Title: Re: Block outgoing connection for app?
Post by: Zeitkind on November 15, 2016, 08:41:38 pm
Many bigger companies like Adobe use Akamai, AWS & Co. for their servers, so it's almost impossible to block by IP address. Any other round-robin load balancer will make this approach fail as well.
I often have the same problem, but vice versa, i.e. allowing connections to e.g. Adobe's licence servers fails, because they change their IP address a lot and any client will get a different random IP address it then tries to connect to to renew its licence. So 10-80% of all clients start losing their licence because they can't connect to "their" licence server; it's just odd. Nailing down some IPs by adding them to the internal DNS is one approach, but the IPs just float around; it's annoying.
Title: Re: Block outgoing connection for app?
Post by: chemlud on November 15, 2016, 09:13:34 pm
The only solution I have is for Win machines with (GData) personal firewall, there (above the OS-level) you can choose for each application the way to internet (or not).

For some applications (e.g. firewall sig updates) you can allow (!) some IPs to make it work at the perimeter firewall.

In general, in a secure environment I would BLOCK anything by default and start fishing from the firewall log the IPs to allow (or not) for individual apps. There is no perfect way to make this work from the perimeter firewall today. AFAIK Snort has a relatively new feature for application-based rules...
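The "fish the IPs out of the firewall log" workflow chemlud describes, as an added example that is not part of the original thread: a small parser for OPNsense's comma-separated filterlog records that tallies blocked destinations (address, protocol, port) for one client host, so the entries for an individual app can be turned into allow rules. The field positions follow the pf filterlog layout as assumed here; the log lines are constructed samples, and the positions should be checked against the real /var/log/filter.log before relying on them.

```python
"""Tally blocked destinations per client from OPNsense filterlog lines."""
import re
from collections import Counter

# Assumed filterlog CSV layout (verify against your own log):
# rule,subrule,anchor,tracker,iface,reason,action,direction,ipver,
#   IPv4: tos,ecn,ttl,id,offset,flags,proto_id,proto,length,src,dst,
#   IPv6: class,flow,hoplimit,proto,proto_id,length,src,dst,
#   TCP/UDP (both): sport,dport,...
FILTERLOG_RE = re.compile(r"filterlog(?:\[\d+\])?:\s*(?P<csv>.*)$")

# Constructed sample lines: three blocked from .20, one passed, one from .21
SAMPLE_LOG = """\
Nov 15 21:13:34 fw filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,64,1234,0,DF,6,tcp,60,192.168.1.20,203.0.113.10,52344,443,0,S,1:1,,65535,,mss
Nov 15 21:13:35 fw filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,64,1235,0,DF,6,tcp,60,192.168.1.20,203.0.113.10,52345,443,0,S,1:1,,65535,,mss
Nov 15 21:13:36 fw filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,64,1236,0,DF,17,udp,78,192.168.1.20,198.51.100.5,51000,53,58
Nov 15 21:13:37 fw filterlog: 80,,,1000000201,em0,match,pass,in,4,0x0,,64,1237,0,DF,6,tcp,60,192.168.1.20,203.0.113.20,52346,80,0,S,1:1,,65535,,mss
Nov 15 21:13:38 fw filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,64,1238,0,DF,6,tcp,60,192.168.1.21,203.0.113.10,40000,443,0,S,1:1,,65535,,mss
"""

def parse_filterlog_line(line):
    """Return a dict for one filterlog record, or None if it cannot be parsed."""
    m = FILTERLOG_RE.search(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    if len(f) < 9:
        return None
    rec = {"iface": f[4], "action": f[6], "direction": f[7], "ipver": f[8]}
    if rec["ipver"] == "4" and len(f) >= 20:
        rec["proto"], rec["src"], rec["dst"], rest = f[16], f[18], f[19], f[20:]
    elif rec["ipver"] == "6" and len(f) >= 17:
        rec["proto"], rec["src"], rec["dst"], rest = f[12], f[15], f[16], f[17:]
    else:
        return None
    # Destination port only exists for TCP/UDP records
    rec["dport"] = rest[1] if rec["proto"] in ("tcp", "udp") and len(rest) >= 2 else None
    return rec

def blocked_destinations(lines, client_ip):
    """Count (dst, proto, dport) over blocked records whose source is client_ip."""
    hits = Counter()
    for line in lines:
        rec = parse_filterlog_line(line)
        if rec and rec["action"] == "block" and rec["src"] == client_ip:
            hits[(rec["dst"], rec["proto"], rec["dport"])] += 1
    return hits

if __name__ == "__main__":
    for (dst, proto, dport), n in blocked_destinations(SAMPLE_LOG.splitlines(), "192.168.1.20").most_common():
        print(f"{n:4d}  {dst}  {proto}/{dport}")
```

Run it against the real log with the client address of the machine running the app in question; the most frequent tuples are the candidates for allow rules, while pass records and other hosts are ignored.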