Date: Mon, 11 Apr 2016 12:36:44 +0200
Subject: Re: per-user firewall rules
From: Ben Woods
To: Alexander Klimov
Cc: "freebsd-questions@freebsd.org"

On Monday, 11 April 2016, Alexander Klimov wrote:

> I want to make sure that user can only communicate with predefined
> host:tcp-port and cannot send network packets to anywhere else
> (something like `--uid-owner' in iptables).
>
> Does any of the firewalls support this?
>
> --
> Regards,
> ASK
>

IPFW supports the keyword "uid" followed by either the username or user id.
Obviously this only works for packets destined for local sockets.

See http://man.freebsd.org/ipfw man page for more details.

Not sure if PF has a similar feature.

Regards,
Ben

--

--
From: Benjamin Woods
woodsb02@gmail.com
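
An added example, not part of the original message or of the ipfw documentation: one way to express the restriction asked about using ipfw's "uid" option. The user name alice, the address 192.0.2.10, port 443 and the rule numbers are assumptions; the function only prints the rules for review.

```shell
#!/bin/sh
# Added example (not from the original message): print ipfw rules that
# confine one local user to a single TCP destination. Nothing is applied;
# review the output, then run it as root on the FreeBSD host.
# Assumptions: user "alice", 192.0.2.10:443 and rule numbers are made up;
# loopback and inbound replies are handled by the rest of the ruleset.
# Per ipfw(8), "uid" matches only TCP and UDP packets.

gen_user_rules() {
    user=$1 host=$2 port=$3 base=${4:-1000}

    # Strict validation so no argument can add extra ipfw keywords.
    case $user in
        ''|-*|*[!A-Za-z0-9_.-]*) echo "bad user: $user" >&2; return 1 ;;
    esac
    # IPv4 literal only: ipfw resolves a hostname once, when the rule is added.
    case $host in
        ''|*[!0-9.]*) echo "host must be an IPv4 literal: $host" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
        { echo "port out of range: $port" >&2; return 1; }
    case $base in
        ''|*[!0-9]*) echo "bad rule number: $base" >&2; return 1 ;;
    esac

    # 1. Permit the one allowed destination for this user's sockets.
    echo "ipfw -q add $base allow tcp from me to $host $port out uid $user"
    # 2. Drop every other outbound TCP/UDP packet owned by the user.
    echo "ipfw -q add $((base + 10)) deny ip from me to any out uid $user"
}

# Usage: sh user-rules.sh alice 192.0.2.10 443 [base-rule-number]
[ $# -eq 0 ] || gen_user_rules "$@"
```

With these two rules, name lookups that the user's processes send over UDP to a remote resolver are also dropped unless an allow rule for the resolver is placed before the deny rule.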