From: Alex Zbyslaw <xfb52@dial.pipex.com>
Date: Fri, 17 Jun 2005 20:08:47 +0100
To: John Conner
Cc: freebsd-questions@freebsd.org
Subject: Re: filter by program?
Message-ID: <42B31FBF.1040008@dial.pipex.com>

John Conner wrote:

> I was just wondering if it was possible to add program
> filtering into an IPF firewall? For example if traffic
> is allowed out on port 80 then it may only travel
> through this port if, for example, it is coming from
> firefox etc. It seems like a pretty useful feature but
> as of yet I have been unable to find any documentation
> that covers such a filtering rule.

IPF, IPFW and PF are all *packet* filters (hence the P in all of them).
Packets have no idea which application they originated from or which application is going to receive them. If you aren't sure what a packet is, then you could start with man ip, tcp and udp, move on to relevant RFCs or find a book on networking. I'm sure you could get recommendations here if you asked (and who knows, if you searched the archive you might find some).

What you are asking for is *application* level filtering, which is generally much harder because the protocols involved are more complicated.

To achieve the specific example you mention (allow Firefox, disallow everything else) you might be able to achieve something like that by forcing all your clients to use a proxy server and using that to filter out connections you do not want. Whether anyone has written a proxy server that filters on the client type seems doubtful. That kind of info is easy to spoof (see Opera) and quite what the point would be, I cannot see.

If you don't want browsers other than Firefox running then delete them from your systems ;-)

--Alex
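To make the point concrete, here is an added example (not part of the original thread) that builds a constructed IPv4/TCP SYN to port 80 and then extracts exactly the fields a packet filter like IPF, IPFW or PF has to work with; the addresses and ports are made up for the sample.

```python
import socket
import struct


def build_sample_packet() -> bytes:
    """Constructed sample: 20-byte IPv4 header + 20-byte TCP SYN to port 80.

    Built inline with struct.pack so the example runs offline; it is not a
    captured packet. Checksums are left zero because nothing here verifies them.
    """
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,    # version 4, IHL 5 (20-byte header)
        0,       # DSCP/ECN
        40,      # total length: 20 IP + 20 TCP
        0x1234,  # identification
        0x4000,  # flags (DF) + fragment offset
        64,      # TTL
        6,       # protocol: TCP
        0,       # header checksum (zero in this constructed sample)
        socket.inet_aton("192.168.1.10"),   # constructed source address
        socket.inet_aton("203.0.113.5"),    # constructed destination address
    )
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        51234,   # source port
        80,      # destination port
        1000,    # sequence number
        0,       # acknowledgement number
        0x50,    # data offset 5 (20 bytes), reserved bits zero
        0x02,    # flags: SYN only
        65535,   # window
        0,       # checksum (zero in sample)
        0,       # urgent pointer
    )
    return ip_hdr + tcp_hdr


def packet_filter_view(pkt: bytes) -> dict:
    """Return the header fields a packet filter can match a rule against."""
    version_ihl = pkt[0]
    ihl = (version_ihl & 0x0F) * 4          # IP header length in bytes
    proto = pkt[9]
    fields = {
        "version": version_ihl >> 4,
        "proto": proto,
        "src": socket.inet_ntoa(pkt[12:16]),
        "dst": socket.inet_ntoa(pkt[16:20]),
    }
    if proto == 6:                           # TCP: ports and flags follow the IP header
        sport, dport = struct.unpack_from("!HH", pkt, ihl)
        fields.update({"sport": sport, "dport": dport, "syn": bool(pkt[ihl + 13] & 0x02)})
    # Nothing in these bytes identifies the sending program, so a rule such as
    # "only Firefox may use port 80" cannot be expressed at this layer.
    return fields
```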