From owner-freebsd-questions@FreeBSD.ORG Wed Apr 18 18:42:49 2007
Return-Path:
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 7070016A404 for ; Wed, 18 Apr 2007 18:42:49 +0000 (UTC) (envelope-from wmoran@potentialtech.com)
Received: from mail.potentialtech.com (internet.potentialtech.com [66.167.251.6]) by mx1.freebsd.org (Postfix) with ESMTP id 4404B13C448 for ; Wed, 18 Apr 2007 18:42:49 +0000 (UTC) (envelope-from wmoran@potentialtech.com)
Received: from vanquish.pgh.priv.collaborativefusion.com (pr40.pitbpa0.pub.collaborativefusion.com [206.210.89.202]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.potentialtech.com (Postfix) with ESMTP id 1EB4BEBC78; Wed, 18 Apr 2007 14:42:48 -0400 (EDT)
Date: Wed, 18 Apr 2007 14:42:46 -0400
From: Bill Moran
To: Kevin Hunter
Message-Id: <20070418144246.bab7d6d5.wmoran@potentialtech.com>
In-Reply-To: <669BB85F-59F2-4DDE-ADAA-0111A0E85967@earlham.edu>
References: <669BB85F-59F2-4DDE-ADAA-0111A0E85967@earlham.edu>
X-Mailer: Sylpheed 2.3.1 (GTK+ 2.10.11; i386-portbld-freebsd6.1)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Cc: FreeBSD Questions
Subject: Re: program/binary ip filtering
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 18 Apr 2007 18:42:49 -0000

In response to Kevin Hunter :

>
> This may not be the correct list to ask this question, so please
> point me in the right direction in that case.
>
> We are in the process of setting up a bastion host. One of the
> things we'd like to do is to filter packets not only at the ip layer,
> but by what program is listening on a particular port. Is this a
> possibility?
>
> A quick 5 minute Google didn't provide me with anything noticeable,
> but that may just be my noobness in the *BSD world. So play nice! ;-)

Are you saying that you want to have the packet filter check to see what
application is listening on a particular port, then allow/deny access
based on the name of the application?

Do you not have control over what is run on this system?

However, you might be able to accomplish this by using a pf table, then
having a secondary script update the table based on the output of
sockstat or some other similar hack.

-- 
Bill Moran
http://www.potentialtech.com
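The "secondary script driven by sockstat" approach Bill sketches, written out as an added example (this is not code from the thread or from FreeBSD). One detail is swapped: Bill mentions a pf table, but pf tables hold addresses rather than ports, so the script below generates pass rules for the ports held by allow-listed daemons and loads them into a pf anchor instead. The anchor name `prog_filter`, the allow-list `sshd httpd`, and the sample `sockstat -4 -6 -l` output are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild a pf ruleset from sockstat(1)
# so only ports bound by an allow-listed set of daemons are reachable.
# Bill mentions a pf table; tables hold addresses, not ports, so this
# script loads the generated pass rules into a pf anchor instead. The
# anchor name, the allow-list and the sample sockstat output are all
# constructed for the example.

ALLOWED_PROGS="sshd httpd"   # daemons allowed to receive inbound traffic
ANCHOR="prog_filter"         # needs `anchor "prog_filter"` in /etc/pf.conf

# Constructed sample of `sockstat -4 -6 -l` output, used when the script
# is run on a machine without sockstat (e.g. when testing the parser).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       612   4  tcp4   *:22                  *:*
root     sshd       612   5  tcp6   *:22                  *:*
www      httpd      700   3  tcp4   192.0.2.10:80         *:*
www      httpd      700   4  tcp4   192.0.2.10:443        *:*
root     syslogd    500   6  udp4   *:514                 *:*
nobody   nc         900   3  tcp4   *:31337               *:*'

# listening_ports ALLOWED  (sockstat output on stdin)
# Prints "proto port" for every listening socket whose COMMAND column is
# in ALLOWED, deduplicated and sorted. Everything else (syslogd, nc, ...)
# is dropped, so a stray listener never gets a pass rule.
listening_ports() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { next }                       # skip the column header
        !($2 in ok) { next }                   # not an allow-listed daemon
        {
            proto = substr($5, 1, 3)           # tcp4 / tcp6 -> tcp
            port = $6; sub(/.*:/, "", port)    # text after the last colon
            if (port ~ /^[0-9]+$/ && !seen[proto " " port]++)
                print proto " " port
        }' | sort -u
}

# gen_rules  ("proto port" lines on stdin)
# Emits the anchor body: deny inbound TCP/UDP by default, then pass the
# allow-listed ports. pf is last-match-wins without "quick", so the
# block line must come first.
gen_rules() {
    echo "block in proto { tcp udp }"
    while read -r proto port; do
        echo "pass in proto $proto to port $port"
    done
}

# apply_rules: read live sockstat output (or the sample) and load the
# result into the anchor. Run from cron or a loop; a daemon that starts
# between runs stays unreachable until the next pass.
apply_rules() {
    if command -v sockstat >/dev/null 2>&1; then
        sockstat -4 -6 -l
    else
        printf '%s\n' "$SAMPLE_SOCKSTAT"
    fi | listening_ports "$ALLOWED_PROGS" | gen_rules | pfctl -a "$ANCHOR" -f -
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  printf '%s\n' "$SAMPLE_SOCKSTAT" | listening_ports "$ALLOWED_PROGS" | gen_rules ;;
    *)     echo "usage: $0 apply|show" >&2 ;;
esac
```

Run `sh prog_filter.sh show` to see the rules the sample would produce, and `prog_filter.sh apply` from cron (or a loop) on the bastion host once `anchor "prog_filter"` is in `/etc/pf.conf`. Two caveats match Bill's "hack" framing: the check is on the COMMAND name reported by sockstat, which any process can choose for itself, so this only keeps unexpected listeners unreachable rather than preventing them; and the unconditional `block in proto { tcp udp }` also covers loopback unless the main ruleset has `set skip on lo0`.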