How to use wifi only for handoff

continuityfirewallNetworkSecuritywifi

Ok OSX wizards…

I have a dilemma. In order to use handoff/continuity at work I need to connect my Mac and iPad/iPhone to the same wifi network. Moreover, I also need to be connected to the separate office ethernet LAN to get my job done.

We keep the networks separate for security purposes. I don't want to make my mac the way the wifi network can be used to gain access to the internal ethernet network.

It works when I'm connected to both. But all my Mac's remote services are exposed on the wifi network. No good docs on advanced firewall config. I have no idea how the built-in firewalling interacts with PF. Do I even want to go digging in the depths of PF? Can this be done securely without massive headache? Is there a better way?

Best Answer

This is quite easy.

Open wireless networking and remove the password for any/all networks you don't want to join and then toggle the Wi-Fi off and wait a dozen seconds or so before turning it on again.

The Wireless radio will be on and ready for handoff or AirDrop but not joined to any network/SSID. The computer will work fine with wired ethernet and a Wi-Fi radio on but not associated with any network that's in range.

netbios

You could block the netbios connections with Little Snitch. These connections are connections attempt most usually coming from Windows sharing the same Wi-Fi network and testing which share and printers are available on your computer. This protocol behaves like a guy entering a new building and testing all door knobs, when the door opens he asks: What's your name? What do you share? Do you print? This protocol is stupid, and dangerous, but most notably for Windows. This protocol is the leading vector of malware broadcast inside LAN of companies using Windows since more than 20 years (toward the floppies era). This protocol is responsible of the largest security damages within big companies.

netbios is a security threat.

On all my Mac I tear off this service (netbiosd), during the post installation procedure (see: …to disable WINS in Network settings, working on 10.7, 10.8, 10.9).

mDNSResponder

You couldn't and shouldn't block the mDNSResponder because you would break the normal working of the DNS on your Mac. I.e. you won't be able to find the IP address of www.microsoft.com.

mDNSREsponder isn't a security threat (today).

Firewall setting

Your method to block connection through the MacOS X firewall is the correct and safe one within any aggresive environment.

MacBook – New 2013 MacBook Air connects to routers everywhere but home, older MacBooks connect fine

Ok so, there is an option to manually connect to your Router/LAN. Open up Terminal.app and type in (or copy and paste) these commands.

Turn on said MBA's Wi-Fi:

networksetup -setairportpower en0 on

List all available networks:

/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport scan

(Note: If you already know how to turn on your MBA's Wi-Fi and list all networks using Terminal commands, you can skip step 1 and step 2)

Now we can finally attempt to manually connect to Wi-Fi:

networksetup -setairportnetwork en0 [Wi-Fi SSID] [Wi-Fi Password]

Best Answer

Related Solutions

What are the numerous incoming connections I see on public wifi for

netbios

mDNSResponder

Firewall setting

MacBook – New 2013 MacBook Air connects to routers everywhere but home, older MacBooks connect fine

Related Question