From: John Conner
To: Peder Blom
Cc: freebsd-questions@freebsd.org
Date: Sun, 19 Jun 2005 22:10:51 +0100 (BST)
Subject: Re: ipf: filter by program?
Message-ID: <20050619211051.57602.qmail@web26907.mail.ukl.yahoo.com>
In-Reply-To: <20050619223845.0ae260b2.peder.blom@bredband.net>

--- Peder Blom wrote:

> On Fri, 17 Jun 2005 14:35:54 +0100 (BST)
> John Conner wrote:
>
> > Hello all,
> >
> > I was just wondering if it was possible to add program
> > filtering into an IPF firewall? For example if traffic
> > is allowed out on port 80 then it may only travel
> > through this port if, for example, it is coming from
> > firefox etc. It seems like a pretty useful feature but
> > as of yet I have been unable to find any documentation
> > that covers such a filtering rule. Any
> > feedback/suggestions would be much appreciated,
> >
>
> Other answers in this thread have made it clear that this is not possible
> using IPF. However, you can achieve something along these lines using
> jails.
>
> Put Firefox in a jail and make sure that there are no other programs in
> that jail that can access port 80. Then block all outgoing access to
> port 80, except from the jail ip.
>
> It will be a little more complicated to start Firefox, eg "ssh -X
> jail.ip firefox" instead of "firefox". Another effect is that Firefox
> will only have access to the jailed environment when you save data (or
> when it crashes or is a victim of the latest unpatched exploit).
>

Thanks Peder, that's a very good idea :) Think I'll get on to that right away, cheers.

John
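The arrangement Peder describes, written out as an IPF rule set. This is an added example and not from the thread or the FreeBSD project; it assumes the host's outside interface is fxp0, that the Firefox jail is bound to the alias address 192.0.2.10 (a constructed documentation address), and it extends Peder's port 80 to 443 as well, since a browser needs both.

```ipf
# /etc/ipf.rules -- added example, not part of the thread.
# Assumptions (constructed, adjust to your setup): the host's outside
# interface is fxp0 and the Firefox jail lives on the alias 192.0.2.10.
# IPF walks rules in order; "quick" stops at the first match.

# Web traffic may leave only when its source address is the jail's.
pass out quick on fxp0 proto tcp from 192.0.2.10/32 to any port = 80 flags S keep state
pass out quick on fxp0 proto tcp from 192.0.2.10/32 to any port = 443 flags S keep state

# Every other process on the host is refused ports 80/443. "log" records
# each attempt, so an unexpected caller shows up in the ipmon output.
block out log quick on fxp0 proto tcp from any to any port = 80
block out log quick on fxp0 proto tcp from any to any port = 443

# Remaining outbound traffic from the host is allowed and tracked by state.
pass out quick on fxp0 all keep state

# Replies to the stateful outbound connections above are matched from the
# state table before rules are consulted; unsolicited inbound is dropped.
block in log quick on fxp0 all
```

Load it with `ipf -Fa -f /etc/ipf.rules` and watch the blocked attempts with `ipmon`. The jail address itself is an ordinary alias on the interface (an `ifconfig_fxp0_alias0` entry in rc.conf), with the jail started via the `jail_*` rc.conf knobs. Note that this is address-based, not process-based, filtering: the rules cannot tell Firefox from anything else in the jail, and a process outside the jail that binds to the alias address would pass the same rule, so the jail must be the only user of that address.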