From owner-freebsd-questions@FreeBSD.ORG Thu Feb 9 18:03:45 2006
Message-ID: <43EB8404.7040009@mac.com>
Date: Thu, 09 Feb 2006 13:03:48 -0500
From: Chuck Swiger
Organization: The Courts of Chaos
To: andrew clarke
Cc: freebsd-questions@freebsd.org
References: <20060209084833.GA26877@ozzmosis.com> <43EB35D9.8040409@mac.com> <20060209172303.GA46771@ozzmosis.com>
In-Reply-To: <20060209172303.GA46771@ozzmosis.com>
Subject: Re: fine grained firewall?
andrew clarke wrote:
> On Thu, Feb 09, 2006 at 07:30:17AM -0500, Chuck Swiger wrote:
[ ... ]
>> Yes to users (if the connections originate from the firewall box), no to
>> per-executables. The latter seems useless when "cp irc myirc" is all it would
>> take to defeat it. Frankly, neither option is very useful or would be needed
>> for a good ruleset...
>
> The latter may not be so useless if the firewall automatically blocked
> all executables that were not registered with it. The full path,
> filename, md5sum of the executable could be recorded and matched with
> its database. Some Windows firewall software works this way.

Sure. While Windows benefits from this, an end-user workstation which can run
arbitrary executables the user downloads from who-knows-where is not something
I would call a firewall. It's a workstation running firewall software.

A firewall is the component of a network topology which enforces a security
policy by granting or forbidding access at a chokepoint that network traffic
cannot circumvent, and functions best (i.e., most securely) when the firewall
is locked down and running zero or as few services or programs as are required
for baseline functionality and remote management.

> It may also be useful for logging (not blocking) connections to/from a
> certain executable, for traffic accounting.
>
> I see now the option for per-user control in the ipfw manpage. Not sure
> why I missed that before.
>
>      uid user
>              Match all TCP or UDP packets sent by or received for a user. A
>              user may be matched by name or identification number.

That's the one, yes. :-) I think it's only useful where one end of the
connection is local, though....

--
-Chuck
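The ipfw `uid` option discussed in the thread, shown in a small outbound-from-the-host ruleset. This is an added example written for this archive page, not code from either poster. The user name `ircuser`, the port numbers and the rule numbers are assumptions chosen for illustration; as Chuck notes, the `uid` match only has meaning for traffic that a local process sends or receives, so it does nothing for packets the box merely forwards.

```shell
#!/bin/sh
# Added example (not from the original mail): an ipfw ruleset that uses the
# uid option to restrict which local users may open outbound TCP/UDP
# connections from the firewall host itself. The user "ircuser", the port
# numbers and the rule numbers are assumptions made for this illustration.
# uid only matches traffic generated or received by a process on this host;
# forwarded packets carry no local uid, so such rules never match them.

IPFW="${IPFW:-/sbin/ipfw}"   # run with IPFW=echo to preview without applying

# Emit the ruleset, one ipfw command line per rule.
gen_rules() {
    cat <<'EOF'
-f flush
add 100 allow ip from any to any via lo0
add 200 check-state
add 300 allow tcp from me to any 6667 out setup keep-state uid ircuser
add 310 allow tcp from me to any 22,53 out setup keep-state uid root
add 320 allow udp from me to any 53 out keep-state uid root
add 400 deny log tcp from me to any out setup
add 410 deny log udp from me to any out
add 500 allow tcp from any to me 22 in setup keep-state
add 65000 deny log ip from any to any
EOF
}

# Number of rules carrying a uid qualifier (sanity check for the ruleset).
count_uid_rules() {
    gen_rules | grep -c ' uid '
}

# Number of "add" rules in the ruleset.
count_add_rules() {
    gen_rules | grep -c '^add '
}

# Feed each line to ipfw; word splitting of $rule is intentional here.
apply_rules() {
    gen_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086
        "$IPFW" -q $rule
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Rule 300 lets only `ircuser` open IRC connections, 310/320 let root reach SSH and DNS, and 400/410 log and drop every other connection a local process tries to originate. Because the deny rules log, an unexpected outbound attempt by some other account shows up in the ipfw log rather than silently failing. Everything forwarded through the box has to be covered by separate rules without `uid`, since the option can never match there.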