Can UDP in block prevent unwanted network activity?
I want to be 100% sure that my machine only connects where and when I want it to. If I use a firewall that blocks all UDP and TCP packets except those that I explicitly allow to pass, can I be 100% sure that my machine does not connect anywhere without my approval?
For example, if I did not know about UDP at all and only specified TCP rules on the firewall, I would still be vulnerable to malware and nasty spyware exploiting UDP packets. So technically speaking, are there any other means/protocols apart from UDP and TCP that can be used to communicate with a computer over wired/wireless network connections? Also, can UDP and TCP packets bypass firewalls?
The question arose when I installed Little Snitch on my Mac running OS X Mavericks and noticed that my machine tries to connect to various Apple and third-party servers even though I told it that I did not want any info to be collected and sent. Some of the connections were obviously fine (e.g. NTP time syncs), but others were questionable to say the least. I know that hardware/software manufacturers can potentially embed backdoors and snitches, and so I am trying to figure out how feasible it is in theory (and in practice) to have reliable/robust "border control" on my machine.
You said "I want to be 100% sure that my machine only connects where and when I want it to", but do you have a strategy for covering what is sent? UDP in block is always a good idea, but to browse the web you'd want to be able to connect out on port 80, and at that point malware has a way to communicate out. You realise this, so you block all IP address destinations too except ones that you allow; great, that should do it. You like Stack Exchange and want to post there, so you open up to the SE servers, and you probably want Google and some others.

At this point you are already vulnerable, because malware could send data from your machine to an account on Stack Exchange, Google, or elsewhere by logging in to a specific account and storing base64'd encrypted data in the account profile for later extraction. Having content filtering might work, but it could be hard to configure. Of course you'll be on the lookout for your firewall alerting you to transfers at a time you didn't expect, but smart malware could wait until it sees you sending or receiving data from Stack Exchange, for example, and send data at the same time to appear to be part of your traffic. Would you then notice the extra connection and traffic, or just assume that it was your browser opening up more than one connection, which it will tend to do anyway?

I've deliberately painted a bleak picture that, while improbable, is entirely possible, and so the answer to your question has to be a "No". The only surefire safe thing is never to connect it to the Internet.
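To make the two points in this thread concrete, here is an added toy model of a host egress ruleset (example code written for this page, not from the question, the answer, Little Snitch, or any real firewall). It assumes first-match-wins rule evaluation and an implicit "pass" when nothing matches; the addresses are constructed from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges. It shows that a ruleset which only ever mentions TCP and UDP leaves ICMP, GRE and every other IP protocol unfiltered unless there is a catch-all deny, and that even a true deny-by-default ruleset cannot tell a browser session apart from malware talking to the same approved host on the same port.

```python
"""Toy egress-policy evaluator (added example, not from the thread).

Models two claims from the discussion above: (1) a ruleset that only
reasons about TCP and UDP leaves every other IP protocol unfiltered
unless there is a final catch-all deny, and (2) even a deny-by-default
ruleset passes anything that rides inside an approved destination,
because rules match on addresses and ports, not on intent.
Addresses use the 203.0.113.0/24 and 198.51.100.0/24 documentation
ranges and are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: Optional[str]   # "tcp", "udp", "icmp", "gre", ...; None matches any
    dst: Optional[str]     # destination address; None matches any
    port: Optional[int]    # destination port; None matches any


@dataclass(frozen=True)
class Flow:
    proto: str
    dst: str
    port: Optional[int]    # None for protocols without ports
    note: str              # what this flow stands for in the example


def decide(flow: Flow, rules: List[Rule], no_match: str = "pass") -> str:
    """First-match-wins evaluation (assumed semantics for this toy).

    `no_match` is the verdict when no rule matches. A ruleset without a
    catch-all deny silently ends up here for every protocol it forgot.
    """
    for r in rules:
        if r.proto is not None and r.proto != flow.proto:
            continue
        if r.dst is not None and r.dst != flow.dst:
            continue
        if r.port is not None and r.port != flow.port:
            continue
        return r.action
    return no_match


def evaluate(rules: List[Rule], flows: List[Flow], no_match: str = "pass") -> Dict[str, str]:
    """Map each flow's note to the verdict the ruleset gives it."""
    return {f.note: decide(f, rules, no_match) for f in flows}


ALLOWED_WEB = "203.0.113.10"    # constructed: the one web site we approved
ALLOWED_NTP = "203.0.113.123"   # constructed: the NTP server we approved

PASS_RULES = [
    Rule("pass", "tcp", ALLOWED_WEB, 443),
    Rule("pass", "udp", ALLOWED_NTP, 123),
]

# Written by someone who only knows TCP and UDP exist: blocks both, nothing else.
TCP_UDP_ONLY = PASS_RULES + [
    Rule("block", "tcp", None, None),
    Rule("block", "udp", None, None),
]

# Same allow list, but with a catch-all deny that covers every protocol.
DEFAULT_DENY = PASS_RULES + [Rule("block", None, None, None)]

FLOWS = [  # constructed sample traffic
    Flow("tcp", ALLOWED_WEB, 443, "browser to approved site"),
    Flow("udp", ALLOWED_NTP, 123, "ntp sync"),
    Flow("tcp", "198.51.100.7", 443, "unknown host over https"),
    Flow("icmp", "198.51.100.7", None, "icmp echo carrying data (ping tunnel)"),
    Flow("gre", "198.51.100.7", None, "gre tunnel to unknown host"),
    Flow("tcp", ALLOWED_WEB, 443, "malware posting to an account on approved site"),
]


def leaks(rules: List[Rule]) -> List[str]:
    """Flows to non-approved hosts that the ruleset still passes."""
    approved = {ALLOWED_WEB, ALLOWED_NTP}
    return [f.note for f in FLOWS
            if f.dst not in approved and decide(f, rules) == "pass"]


if __name__ == "__main__":
    for name, rules in (("tcp/udp-only", TCP_UDP_ONLY), ("default-deny", DEFAULT_DENY)):
        print(f"== {name} ==")
        for note, verdict in evaluate(rules, FLOWS).items():
            print(f"  {verdict:5}  {note}")
        print("  leaks to unapproved hosts:", leaks(rules) or "none")
```

Run it and the "tcp/udp-only" ruleset passes the ICMP and GRE flows because no rule ever looked at them, while "default-deny" blocks both; the first and last TCP flows are indistinguishable to either ruleset, which is the covert-channel point the answer makes. On OS X the equivalent of the catch-all is a `block all` line in the pf ruleset ahead of the pass rules (pf is last-match-wins unless a rule says `quick`); that mapping is my note, not something the thread states.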