From: michael
To: Erik Nørgaard
Cc: questions@freebsd.org
Date: Sun, 02 Apr 2006 21:40:50 +0200
Subject: Re: disable listen on ports
Message-ID: <443028C2.7050108@koproject.org>
In-Reply-To: <44300138.8030502@locolomo.org>

Erik Nørgaard wrote:
> Niklaus wrote:
>
>> Hi,
>> How do I disable users on a system from running their own http proxy? I
>> don't want to allow users who have login accounts on my system to
>> listen on any port. How do I do that?
>
> Putting up a packet filter as some suggest may break other things.
>
> Instead, you can take a look at MAC, Mandatory Access Controls. There
> is a module mac_portacl(4) that can control this.
>
> You need to compile your kernel with options MAC and then add
> mac_portacl_load="YES" to loader.conf
>
> But don't ask me how it works, haven't used it.
>
> Cheers, Erik

I think you're able to use this sample for doing what you want:

  # Allow out FreeBSD (make install & CVSUP) functions
  # Basically give user root "GOD" privileges.
  $cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root

I found it in the ipfw explanation page:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html

Michael.
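A defender-side way to do what Erik points at, as an added example that is not part of the thread: a POSIX shell script that builds a mac_portacl(4) rule string and applies the sysctls that extend portacl from the reserved ports to all ports, so login users cannot bind a listener. It assumes a current FreeBSD where the module can be loaded; the module, sysctl and portrange names are those of mac_portacl(4), and the uid 80 (www) allow-list is a constructed sample.

```sh
#!/bin/sh
# Added example, not from the thread: reserve every TCP/UDP port for root
# plus an explicit allow-list via mac_portacl(4), so ordinary login users
# cannot bind a listener. Run as root on FreeBSD; dry run by default.
# portacl_rule IDTYPE ID PROTO PORT -> "idtype:id:proto:port", the element
# form security.mac.portacl.rules expects. Rejects what portacl cannot parse.
portacl_rule() {
    case "$1" in uid|gid) ;; *) echo "bad idtype: $1" >&2; return 1 ;; esac
    case "$3" in tcp|udp) ;; *) echo "bad proto: $3" >&2; return 1 ;; esac
    case "$2" in ""|*[!0-9]*) echo "bad id: $2" >&2; return 1 ;; esac
    case "$4" in ""|*[!0-9]*) echo "bad port: $4" >&2; return 1 ;; esac
    [ "$4" -ge 1 ] && [ "$4" -le 65535 ] || { echo "port out of range: $4" >&2; return 1; }
    printf '%s:%s:%s:%s' "$1" "$2" "$3" "$4"
}
# build_rules reads "idtype id proto port" lines on stdin and joins the
# validated rules with commas (portacl has no port ranges: one rule per port).
build_rules() {
    out=""
    while read -r t i p n; do
        [ -z "$t" ] && continue
        r=$(portacl_rule "$t" "$i" "$p" "$n") || return 1
        out="${out:+$out,}$r"
    done
    printf '%s' "$out"
}
# Constructed allow-list: only uid 80 (www) may bind TCP 80 and 443.
RULES=$(build_rules <<'EOF'
uid 80 tcp 80
uid 80 tcp 443
EOF
) || exit 1
# apply_portacl echoes the commands unless called with --apply.
# port_high=65535 widens portacl from the reserved range (<1024) to all ports;
# both portrange knobs must be 0 or the legacy reserved-port check still sits
# on top of the MAC policy; suser_exempt=1 leaves root unrestricted. portacl
# mediates explicit bind() only, so users' outgoing connections, which take
# an ephemeral port implicitly, keep working.
apply_portacl() {
    if [ "$1" = "--apply" ]; then run=""; else run="echo"; fi
    $run kldload -n mac_portacl
    $run sysctl net.inet.ip.portrange.reservedlow=0
    $run sysctl net.inet.ip.portrange.reservedhigh=0
    $run sysctl security.mac.portacl.suser_exempt=1
    $run sysctl security.mac.portacl.port_high=65535
    $run sysctl security.mac.portacl.rules="$RULES"
    $run sysctl security.mac.portacl.enabled=1
}
apply_portacl        # dry run; "apply_portacl --apply" changes the system
```

To make the policy survive a reboot, put mac_portacl_load="YES" in loader.conf as Erik says and the same sysctl assignments in sysctl.conf.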