Date: Tue, 21 Aug 2001 19:36:00 -0400
From: Chip Norkus <wd@arpa.com>
To: freebsd-security@freebsd.org
Subject: Re: inet socket restriction via group
Message-ID: <20010821193550.A8013@anduril.org>
In-Reply-To: <20010821182214.H81525-100000@icmp.dhs.org>; from maneo@icmp.dhs.org on Tue, Aug 21, 2001 at 06:24:10PM -0500
References: <20010821182214.H81525-100000@icmp.dhs.org>
On Tue Aug 21, 2001; 06:24PM -0500 c.s. (maneo) peron used 3.3K bytes of bandwidth to send the following:
> greetings;
>
> This is something that I use on a daily basis. I have heard people
> asking questions on how they might restrict members from a certain group
> from creating INET sockets. This is a little something I hacked together.
>
> I am currently working on another method of doing this; one
> that does not rely on the sysctl mechanism. We will see how that goes.
> But for now..
>

I think you might be reinventing the wheel here, you can do:

    ipfw add <ruleno> deny ip from any to any gid <some-gid> out

to disallow people from sending outbound IP traffic. It doesn't stop them
from creating the socket, per se, but it does stop them from using it for
anything.

HTH,
-wd
--
chip norkus(rl); white_dragon('net'); wd@arpa.com
"That's Tron. He fights for the users." http://telekinesis.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
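The rule above as a small script, added here as an example and not part of Chip's message or of any FreeBSD code: it generates the ipfw commands so they can be reviewed before loading, and applies them only when asked. Two points the one-liner leaves implicit are made explicit: the group keeps loopback (otherwise local daemons reached over 127.0.0.1 break as well), and the rule numbers must sort before any catch-all `allow ip from any to any` or they are never reached. The group name `nonet`, the starting rule number 1000 and the `log` keyword are assumptions for illustration. Note that ipfw's `uid`/`gid` options match only TCP and UDP packets that belong to a local socket, so this does not cover raw-socket traffic (which needs root anyway).

```shell
#!/bin/sh
# Added example (not from the original thread). Wraps the suggested
# "deny ip from any to any gid <gid> out" rule in a reviewable script.
# Rule numbers, group name and the "log" flag are assumptions.

# Print the ipfw commands, one per line, that stop processes running with
# group $2 from sending traffic off the box. Numbering starts at $1; pick
# a value below your catch-all allow rule or these never match.
gid_deny_rules() {
    base="$1"; group="$2"
    # Loopback stays open so the group can still talk to local services.
    printf 'add %d allow ip from any to any via lo0\n' "$base"
    # Everything else the group's TCP/UDP sockets send out is dropped.
    # "log" records hits (needs net.inet.ip.fw.verbose=1) so the
    # restriction can be audited with ipfw show / the firewall log.
    printf 'add %d deny log ip from any to any gid %s out\n' \
        "$((base + 1))" "$group"
}

# Load the generated rules into the running firewall. FreeBSD, root only.
apply_rules() {
    gid_deny_rules "$1" "$2" | while read -r rule; do
        # shellcheck disable=SC2086  # word splitting is the point here
        ipfw $rule
    done
}

# Usage:
#   sh restrict-gid.sh 1000 nonet        # print the rules (dry run)
#   sh restrict-gid.sh 1000 nonet apply  # load them with ipfw(8)
if [ "$3" = "apply" ]; then
    apply_rules "$1" "$2"
else
    gid_deny_rules "${1:-1000}" "${2:-nonet}"
fi
```

After loading, `ipfw show 1001` should show the deny rule's packet counter climbing when a member of the group tries to connect out, and `ipfw list` should show both rules ahead of the catch-all allow; if the counter stays at zero while the traffic still gets through, the rule number is too high or the catch-all sits in front of it.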