Date:      Tue, 21 Aug 2001 19:36:00 -0400
From:      Chip Norkus <wd@arpa.com>
To:        freebsd-security@freebsd.org
Subject:   Re: inet socket restriction via group
Message-ID:  <20010821193550.A8013@anduril.org>
In-Reply-To: <20010821182214.H81525-100000@icmp.dhs.org>; from maneo@icmp.dhs.org on Tue, Aug 21, 2001 at 06:24:10PM -0500
References:  <20010821182214.H81525-100000@icmp.dhs.org>

On Tue Aug 21, 2001; 06:24PM -0500 c.s. (maneo) peron used 3.3K bytes of bandwidth to send the following:
> greetings;
> 
>         This is something that I use on a daily basis. I have heard people
> asking questions on how they might restrict members from a certain group
> from creating INET sockets. This is a little something I hacked together.
> 
>         I am currently working on another method of doing this; one
> that does not rely on the sysctl mechanism. We will see how that goes.
> But for now..
> 

I think you might be reinventing the wheel here, you can do:

ipfw add <ruleno> deny ip from any to any gid <some-gid> out

To disallow people from sending outbound IP traffic.  It doesn't stop them
from creating the socket, per se, but it does stop them from using it for
from creating the socket, per-se, but it does stop them from using it for
anything.

HTH,

-wd
-- 
chip norkus(rl); white_dragon('net');      wd@arpa.com
"That's Tron.  He fights for the users."   http://telekinesis.org
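To show the ipfw approach from the reply as a complete ruleset, here is an added example (not from the mail or from FreeBSD): it resolves a group to its GID, emits a loopback allow ahead of the per-group outbound deny so users in that group can still reach local daemons, and can apply the rules on a FreeBSD box. The group name `noinet`, the rule numbers and the sample group file are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original mail. Builds the ipfw rules that deny
# outbound IP traffic for one group, the way the reply describes, plus a
# loopback exemption. Applying them needs root and FreeBSD's ipfw; generating
# and inspecting them runs anywhere.

GROUP_FILE="${GROUP_FILE:-/etc/group}"   # can be overridden for testing

# gid_of NAME: print the numeric GID of group NAME from GROUP_FILE
# (format name:password:gid:members); prints nothing if the group is unknown.
gid_of() {
    awk -F: -v g="$1" '$1 == g { print $3; exit }' "$GROUP_FILE"
}

# noinet_rules BASE GID: print the ipfw commands, in the order they must be
# installed. Rule BASE allows loopback first; rule BASE+10 is the deny from the
# reply. Note that ipfw's gid match applies to TCP/UDP packets tied to a local
# socket, so raw or forwarded traffic is not covered by this rule.
noinet_rules() {
    base="$1"; gid="$2"
    printf 'ipfw add %d allow ip from any to any via lo0\n' "$base"
    printf 'ipfw add %d deny ip from any to any gid %d out\n' "$((base + 10))" "$gid"
}

# apply_rules GROUP BASE: resolve GROUP, then run the generated commands.
apply_rules() {
    gid=$(gid_of "$1")
    [ -n "$gid" ] || { echo "no such group: $1" >&2; return 1; }
    noinet_rules "$2" "$gid" | sh
}

# Constructed sample group file so the generator can be exercised offline.
SAMPLE_GROUP=$(mktemp)
printf 'wheel:*:0:root\nnoinet:*:1234:alice,bob\n' > "$SAMPLE_GROUP"
GROUP_FILE="$SAMPLE_GROUP" noinet_rules 1000 "$(GROUP_FILE="$SAMPLE_GROUP" gid_of noinet)"

# After apply_rules on a real host, "ipfw show" lists both rules with packet
# counters; the deny counter climbing for the group is the sign it works.
```

Because the rule is a plain `deny`, a `connect()` from a user in the group stalls until it times out rather than failing immediately; that is the behaviour to expect when testing it.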
