From: andrew clarke <mail@ozzmosis.com>
To: freebsd-questions@freebsd.org
Date: Fri, 10 Feb 2006 04:23:03 +1100
Subject: Re: fine grained firewall?
Message-ID: <20060209172303.GA46771@ozzmosis.com>
In-Reply-To: <43EB35D9.8040409@mac.com>
References: <20060209084833.GA26877@ozzmosis.com> <43EB35D9.8040409@mac.com>
On Thu, Feb 09, 2006 at 07:30:17AM -0500, Chuck Swiger wrote:
> > Is it possible to configure the FreeBSD firewall to block ports on a
> > per-user or per-executable basis?
> >
> > e.g.
> >
> > - Block /usr/local/bin/irc from connecting to TCP port 6667
> >
> > - Block user 'johnsmith' from connecting to TCP port 21
>
> Yes to users (if the connections originate from the firewall box), no to
> per-executables.  The latter seems useless when "cp irc myirc" is all it would
> take to defeat it.  Frankly, neither option is very useful or would be needed
> for a good ruleset...

The latter may not be so useless if the firewall automatically blocked all
executables that were not registered with it. The full path, filename and
md5sum of the executable could be recorded and matched with its database.
Some Windows firewall software works this way.

It may also be useful for logging (not blocking) connections to/from a
certain executable, for traffic accounting.

I see now the option for per-user control in the ipfw manpage. Not sure why I
missed that before.

     uid user
             Match all TCP or UDP packets sent by or received for a user.
             A user may be matched by name or identification number.

Thanks,

Regards
Andrew
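An added example, not part of Andrew's or Chuck's messages and not FreeBSD's own code, covering the two ideas in the thread. Part (1) writes out the ipfw rules that use the `uid` option Andrew found, to block user johnsmith from opening FTP control connections and to count another user's IRC traffic; as Chuck notes, `uid` only matches connections that originate on (or terminate at) the firewall box itself, because it is resolved against the local socket table, so forwarded traffic from other hosts never matches. Part (2) is a toy model of the "registered executables" firewall Andrew describes: a registry of (md5, full path) pairs, a check that denies any binary not registered under that exact path or whose md5 no longer matches. The registry format, the function names and the throwaway `irc` script are all assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original thread). All names, the registry
# format and the sample binaries below are constructed for illustration.

# --- (1) per-user rules via ipfw's "uid" option ---------------------------
# Emits ipfw commands; on the FreeBSD host run:  per_user_rules johnsmith 21 | sh
# "me" = any address configured on this host, "setup" = TCP SYN only, so the
# deny catches the connection attempt itself. uid matching only works for
# sockets on this box, so these rules do nothing for traffic being forwarded.
per_user_rules() {
    user="$1"; port="$2"
    cat <<EOF
ipfw -q add 1000 check-state
ipfw -q add 1010 deny log tcp from me to any dst-port ${port} setup uid ${user} out
ipfw -q add 1020 allow tcp from me to any setup keep-state out
EOF
}

# Accounting, not blocking: "count" just ticks the rule's counters, which is
# the closest ipfw gets to the per-program traffic accounting Andrew wants
# (per user rather than per executable).
per_user_count_rule() {
    user="$1"; port="$2"
    echo "ipfw -q add 900 count tcp from me to any dst-port ${port} uid ${user}"
}

# --- (2) toy "registered executables" check ------------------------------
# Registry is a text file, one "<md5> <full path>" line per allowed binary
# (paths with spaces are not handled; this is a model, not a product).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1          # GNU coreutils
    else
        md5 -q "$1"                          # FreeBSD / macOS
    fi
}

register_exe() {   # register_exe REGISTRY PATH
    printf '%s %s\n' "$(file_md5 "$2")" "$2" >> "$1"
}

# exe_allowed REGISTRY PATH -> exit 0 only if PATH is registered under that
# exact path AND the binary's current md5 equals the recorded one.
exe_allowed() {
    registry="$1"; path="$2"
    recorded=$(awk -v p="$path" '$2 == p { print $1; exit }' "$registry")
    [ -n "$recorded" ] || return 1            # unknown path: deny
    [ "$recorded" = "$(file_md5 "$path")" ]   # modified binary: deny
}

# Walk through Chuck's "cp irc myirc" objection with a constructed binary.
demo() {
    tmp=$(mktemp -d); reg="$tmp/registry"
    printf '#!/bin/sh\necho irc\n' > "$tmp/irc"; chmod +x "$tmp/irc"
    register_exe "$reg" "$tmp/irc"
    cp "$tmp/irc" "$tmp/myirc"                              # the copy
    exe_allowed "$reg" "$tmp/irc"   && echo "irc: allowed"
    exe_allowed "$reg" "$tmp/myirc" || echo "myirc: denied (path not registered)"
    printf '\n# trojaned\n' >> "$tmp/irc"                   # tamper in place
    exe_allowed "$reg" "$tmp/irc"   || echo "irc (modified): denied (md5 mismatch)"
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

The registry check answers the copy objection only because it keys on the full path as well as the hash: a copied binary hashes identically, so a hash-only allowlist would wave `myirc` through, while a path-only allowlist would miss a trojaned `irc` overwritten in place. The trade-off is operational rather than cryptographic: every upgrade of a registered program changes its md5 and silently turns into a deny until the registry is refreshed.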