Skip to main content

I have a need to block a specific outgoing port to any host (port 3268, msft-gc, the Microsoft Global Catalog). The native AD plugin on OS X is frankly broken at the moment, causing opendirectoryd to query every member of every AD group/DL the user is in, which is substantial at our company. Whenever I plug into the corporate network, this querying takes place to the tune of 50MB of data and 300,000+ query results from our Global Catalog. It causes problems with our Global Catalog as well as triggering client lockups. Wifi dropped for a second? It happens all over again.



I've found that blocking port 3268 outbound solves the issue for us and doesn't seem to impact anything important on the client. I've been testing with Little Snitch, but is there a free and native way to block an outgoing port on OS X that anyone is aware of? Or maybe a better option than Little Snitch?

Not knowing anything about your environment (as far as networking is concerned), are you able to simply block that port access via the firewall on selected VLAN's? This is me assuming all of your machines of this type may indeed be on separate VLAN's. If you are running a mixed environment, I have only used Little Snitch myself for local client handling.

As of 10.8 and above you can edit the pf.conf file. I would only do this if you don't have a network firewall in place. You can if need be block from the client side on OSX by editing the above file. OSX has a built in "pfctl" command from terminal. So in your case you could add the following rule and enable the pfctl.



(sudo pfctl -sr 2>/dev/null; echo "block drop quick on en0 proto tcp from any to any port = 3268") | sudo pfctl -f - 2>/dev/null


You would have to change en0 to what every interface you want it blocked on, otherwise I believe (never tested) you can use "! lo0" to block any connections not from loopback.



sudo pfctl -s rules


Will show what rules are in place and a 



sudo pfctl -e


will enable the rules.



http://nomoa.com/bsd/gateway/pf/valid/pfctl.html has a great run through of the whys and how.



or a "man pfctl" form terminal will pull up Apple's man page.



I have never really used this in production just for testing when I ran crossed the command on StackExchange. I can confirm it works, as I tested on a site going specifically to 8080.



StackExchange link http://superuser.com/questions/505128/deny-access-to-a-port-from-localhost-on-osx

Thanks @tron_jones, that is pretty much what I was looking for, we'll do some testing and see if it's a workable solution.

Reply


Terms & ConditionsCookie settings