# blocking traffic to specific IP address



## stuthemonkey (Feb 2, 2012)

I'm trying to determine the best way to block traffic from my Mac to a specific IP address on my internal network.

From what I can tell I could potentially set up something in IPFW to block all outbound traffic to a specific IP address on the Mac. Or I could try to set up an ACL on my switch to block the communication. However I can't find enough information on either one to know for sure if either will work for what I need.

I need to make sure that the Mac will not be able to communicate on any port with a specific IP address, including UDP broadcasts that the Mac does. Can someone help point me in the right direction as to which solution to use, if either of those will work? And if they won't, does anyone have other ideas?

Both the Mac and the other device have static IP addresses, so I don't have to worry about IPs changing on me at all.

Thanks for any help you can give.


----------



## Satcomer (Feb 2, 2012)

1. Using your router

2. System Preferences->Accounts, Parental Controls.

3. OpenDNS (see their Instructional video on how to do this).

4. Firewalls - internal or the free/donationwares NoobProof/WaterRoof.

These are the ones I think of right off the top of my head. Hope this helps.


----------



## stuthemonkey (Feb 3, 2012)

Thank you for the reply.  

1: I have not seen anywhere in my router the ability to block communication internally between devices. Maybe my router isn't high end enough to do that, or I'm just not reading its options for what they truly are.

2: Parental Controls only work for specific user accounts, and not for the administrator account. However the blocking I need is complete for the computer, not just specific users.

3: Not sure why I would want to use OpenDNS. It seems that would block communication between my computer and external IPs. Maybe I'm just misunderstanding what you want me to do with OpenDNS, please let me know what you had in mind.

4: Lastly firewalls. That's why my original post asked about IPFW, as it's the built-in firewall in OS X. However I'm not sure how/what to configure in it. I assume I need to create a deny statement somehow, but I have never used ipfw to know for sure how to configure it. And from what I can tell it's only command line, and if you make changes, upon a reboot those changes are gone. I have seen mention of a couple of front ends to ipfw, but nothing that really says if it can do what I want and how to do it.

Thanks again for the help.


----------



## Satcomer (Feb 3, 2012)

Well here are some answers:

3. With OpenDNS you can make a free account and block certain kinds of web sites (like porn, trojan hosting, etc.). I do this and it works great and even made my surfing just a little faster. They have DNS server sites all over the world now too. Besides, with OpenDNS you control your own DNS and not any ISP that barely pays attention to their DNS servers (most ISPs just use DNS relays from headquarters). So if you open an OpenDNS account and put in their DNS servers (that YOU control with that account). Most kids have no clue what DNS means, so hiding the knowledge of your OpenDNS account and putting those servers in the Mac you want, you have the blocks.

4. WaterRoof and NoobProof are GUI programs to control the built-in ipfw. This way you don't have to be a command line jockey to use that built-in robust firewall.


----------



## stuthemonkey (Feb 3, 2012)

Thanks for the reply again. I will look into WaterRoof and NoobProof to see how those work.


----------



## stuthemonkey (Feb 3, 2012)

Sorry for yet another post, but I must still be missing something.

I have installed WaterRoof. I have added in a couple of test rules.
deny all from me to 192.168.0.100 (test computer), and I can no longer ping that computer. So that rule seems to work.

I then added a deny all from me to 192.168.0.85. However this one does not fix my issue.

My issue is that the computer ("me" in the settings above) sends out a global UDP broadcast that, if the device at 192.168.0.85 hears it, it crashes. I figured if I blocked all communications between "me" and .85, .85 would not hear the broadcast. However that does not seem to be the case.

Does it make sense that this setting is not blocking the UDP broadcast to that IP address? If it does, then what other settings will I need to add to block this correctly?

Thanks again


----------



## tratata (Nov 14, 2014)

When you send a broadcast UDP packet it contains a special broadcast IP address, and your router then repeats it to all devices in the network. If you want to block packets from your computer to 192.168.0.85 you have to add a blocking rule on that machine.
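As an added illustration of the point above (this is not code from the thread or from ipfw itself), here is a small Python model of ipfw's first-match rule evaluation using constructed addresses (the Mac, "me", is assumed to be 192.168.0.10). It shows that `deny ip from me to 192.168.0.85` never matches the broadcast packet, because that packet's destination is 192.168.0.255 (or 255.255.255.255), not .85.

```python
import ipaddress

# Constructed addresses for the scenario in this thread; "me" is assumed to be .10
ME = "192.168.0.10"
SUBNET = ipaddress.ip_network("192.168.0.0/24")
LIMITED_BROADCAST = "255.255.255.255"
SUBNET_BROADCAST = str(SUBNET.broadcast_address)  # 192.168.0.255

def parse_rule(text):
    """Parse the 'deny|allow <proto> from <src> to <dst>' subset of ipfw rule syntax."""
    action, proto, kw_from, src, kw_to, dst = text.split()
    if (kw_from, kw_to) != ("from", "to") or action not in ("allow", "deny"):
        raise ValueError("unsupported rule: " + text)
    return {"action": action, "proto": proto, "src": src, "dst": dst}

def host_matches(spec, addr):
    """'any' matches everything, 'me' matches the host's own address, else exact IP."""
    if spec == "any":
        return True
    if spec == "me":
        return addr == ME
    return addr == spec

def verdict(rules, src, dst, proto):
    """First matching rule wins, like ipfw; the implicit final rule allows everything."""
    for r in rules:
        if r["proto"] in ("ip", proto) and host_matches(r["src"], src) \
                and host_matches(r["dst"], dst):
            return r["action"]
    return "allow"

def compare_rulesets():
    """Verdicts (unicast-only ruleset, ruleset with broadcast rules) per sample packet."""
    unicast_only = [parse_rule("deny ip from me to 192.168.0.85")]
    with_broadcast = unicast_only + [
        parse_rule("deny udp from me to " + SUBNET_BROADCAST),
        parse_rule("deny udp from me to " + LIMITED_BROADCAST),
    ]
    # Constructed sample packets: (src, dst, proto)
    packets = {
        "ping .85": (ME, "192.168.0.85", "icmp"),
        "udp broadcast": (ME, SUBNET_BROADCAST, "udp"),
        "udp to .100": (ME, "192.168.0.100", "udp"),
    }
    return {name: (verdict(unicast_only, *p), verdict(with_broadcast, *p))
            for name, p in packets.items()}
```

Note that denying the broadcast address on the Mac silences that broadcast for every host on the LAN, not just .85, which is why a filter on the receiving device is the more targeted fix.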


----------



## quanghanhsurio (Jul 21, 2016)

Change IP vs DNS


----------

