From owner-freebsd-questions@FreeBSD.ORG Sun Jun 19 20:38:48 2005
Return-Path:
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2F99516A41C for ; Sun, 19 Jun 2005 20:38:48 +0000 (GMT) (envelope-from peder.blom@bredband.net)
Received: from mxfep01.bredband.com (mxfep01.bredband.com [195.54.107.70]) by mx1.FreeBSD.org (Postfix) with ESMTP id 751D343D49 for ; Sun, 19 Jun 2005 20:38:46 +0000 (GMT) (envelope-from peder.blom@bredband.net)
Received: from hecate ([83.226.130.64] [83.226.130.64]) by mxfep01.bredband.com with SMTP id <20050619203845.LRHO19329.mxfep01.bredband.com@hecate>; Sun, 19 Jun 2005 22:38:45 +0200
Date: Sun, 19 Jun 2005 22:38:45 +0200
From: Peder Blom
To: John Conner
Message-Id: <20050619223845.0ae260b2.peder.blom@bredband.net>
In-Reply-To: <20050617133554.35550.qmail@web26903.mail.ukl.yahoo.com>
References: <20050617133554.35550.qmail@web26903.mail.ukl.yahoo.com>
X-Mailer: Sylpheed version 1.0.4 (GTK+ 1.2.10; i386-portbld-freebsd4.9)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Cc: freebsd-questions@freebsd.org
Subject: Re: ipf: filter by program?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 19 Jun 2005 20:38:48 -0000

On Fri, 17 Jun 2005 14:35:54 +0100 (BST) John Conner wrote:

> Hello all,
>
> I was just wondering if it was possible to add program
> filtering into an IPF firewall? For example if traffic
> is allowed out on port 80 then it may only travel
> through this port if, for example, it is coming from
> firefox etc. It seems like a pretty useful feature but
> as of yet I have been unable to find any documentation
> that covers such a filtering rule.
> Any feedback/suggestions would be much appreciated,
>

Other answers in this thread have made it clear that this is not possible using IPF.

However, you can achieve something along these lines using jails. Put Firefox in a jail and make sure that there are no other programs in that jail that can access port 80. Then block all outgoing access to port 80, except from the jail IP.

It will be a little more complicated to start Firefox, e.g. "ssh -X jail.ip firefox" instead of "firefox". Another effect is that Firefox will only have access to the jailed environment when you save data (or when it crashes or is a victim of the latest unpatched exploit).
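As an added illustration of the jail-plus-ipf scheme Peder describes (this is not code from the thread, nor from the FreeBSD or IPFilter projects), the script below generates the two ipf(5) rules that let only the jail's address open outbound TCP port 80 and log every other attempt. The interface name em0 and the jail address 192.0.2.10 are constructed placeholders; the script assumes the jail address is an alias on that interface, as it is on a FreeBSD 4.x/5.x host where the jail shares the host's network stack. The point a practitioner needs to get right is rule order: ipf is last-match-wins unless a rule says "quick", so both rules are "quick" and the jail's pass rule must come before the block rule.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Generates an ipf ruleset
# implementing "only the Firefox jail may reach port 80". Assumed values
# (constructed): outside interface em0, jail address 192.0.2.10.

gen_ipf_rules() {
    jail_ip="$1"   # address assigned to the Firefox jail (alias on the host NIC)
    iface="$2"     # outside interface of the host
    # ipf evaluates rules top to bottom and the LAST match wins unless a rule
    # carries "quick", so both rules are "quick": the first match decides.
    cat <<EOF
# The Firefox jail may open connections to web servers; "keep state" lets the
# replies back in without a separate inbound rule.
pass out quick on ${iface} proto tcp from ${jail_ip} to any port = 80 flags S keep state
# Everything else on this host, the host's own address included, is blocked
# from port 80 and logged, so a non-jailed program trying port 80 shows up in ipmon.
block out log quick on ${iface} proto tcp from any to any port = 80
EOF
}

# Sanity check before loading: the jail's pass rule must precede the block
# rule, otherwise the "quick" block would stop the jail as well.
rules_ordered() {
    rules="$(gen_ipf_rules "$1" "$2")"
    pass_line=$(printf '%s\n' "$rules" | grep -n '^pass out quick' | cut -d: -f1)
    block_line=$(printf '%s\n' "$rules" | grep -n '^block out log quick' | cut -d: -f1)
    [ -n "$pass_line" ] && [ -n "$block_line" ] && [ "$pass_line" -lt "$block_line" ]
}

# Usage on the host (as root), with the assumed values above:
#   rules_ordered 192.0.2.10 em0 && gen_ipf_rules 192.0.2.10 em0 > /etc/ipf.rules
#   ipf -Fa -f /etc/ipf.rules                                 # flush and load the ruleset
#   jail /usr/jail/firefox ffox 192.0.2.10 /bin/sh /etc/rc    # start the jail (4.x/5.x syntax)
#   ssh -X 192.0.2.10 firefox                                 # run Firefox from the jail, as the reply suggests
```

The block rule deliberately says "from any" rather than naming the host's primary address: the jail's address is only an alias on the same stack, so a rule scoped to the primary address would leave other aliases (and anything bound to them) free to reach port 80. The "log" keyword turns the denied attempts into ipmon output, which is the cheap way to see which non-jailed program is still trying to talk HTTP.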