From owner-freebsd-security Tue Aug 21 16:36:27 2001
Delivered-To: freebsd-security@freebsd.org
Received: from arpa.com (arpa.com [199.245.173.5]) by hub.freebsd.org (Postfix) with ESMTP id B4FBE37B40D for ; Tue, 21 Aug 2001 16:36:01 -0700 (PDT) (envelope-from wd@arpa.com)
Received: by arpa.com (Postfix, from userid 1004) id B461EBDB7; Tue, 21 Aug 2001 19:36:00 -0400 (EDT)
Date: Tue, 21 Aug 2001 19:36:00 -0400
From: Chip Norkus
To: freebsd-security@freebsd.org
Subject: Re: inet socket restriction via group
Message-ID: <20010821193550.A8013@anduril.org>
References: <20010821182214.H81525-100000@icmp.dhs.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010821182214.H81525-100000@icmp.dhs.org>; from maneo@icmp.dhs.org on Tue, Aug 21, 2001 at 06:24:10PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue Aug 21, 2001; 06:24PM -0500 c.s. (maneo) peron used 3.3K bytes of bandwidth to send the following:
> greetings;
>
> This is something that I use on a daily basis. I have heard people
> asking questions on how they might restrict members from a certain group
> from creating INET sockets. This is a little something I hacked together.
>
> I am currently working on another method of doing this; one
> that does not rely on the sysctl mechanism. We will see how that goes.
> But for now..
>

I think you might be reinventing the wheel here, you can do:

    ipfw add deny ip from any to any gid out

to disallow people from sending outbound IP traffic. It doesn't stop them
from creating the socket, per se, but it does stop them from using it for
anything.

HTH,
-wd
--
chip norkus(rl); white_dragon('net'); wd@arpa.com
"That's Tron. He fights for the users."
http://telekinesis.org
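The ipfw approach from the reply above, carried a little further as an added example (not from the original mail and not FreeBSD's own rc.firewall): a dry-run function that emits the rules for a named group with an explicit rule number so they sit ahead of any permissive default, a group-existence check, and an apply step. Assumptions made here: rule number 1000, a loopback allow placed before the deny so local daemons keep working, and the group name `restricted`, which is constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original mail. Restricts a group's
# outbound IP traffic with ipfw, as suggested in the reply above.
# Note: ipfw(8) documents uid/gid as matching TCP and UDP packets, so
# raw or ICMP sockets are outside what this rule can catch.

# Emit the rule text for a group without touching the kernel (dry run).
# $1 = group name, $2 = base rule number (assumed default 1000).
restrict_group_rules() {
    group="$1"
    rule_num="${2:-1000}"
    # Keep localhost reachable for the restricted group (assumption: local
    # services such as mail submission should still work), then deny the rest.
    printf 'add %s allow ip from any to any via lo0\n' "$rule_num"
    printf 'add %s deny ip from any to any out gid %s\n' "$((rule_num + 1))" "$group"
}

# Refuse to install rules for a group that does not exist: ipfw would
# reject an unknown group name, but checking first gives a clearer error.
group_exists() {
    getent group "$1" >/dev/null 2>&1 || grep -q "^$1:" /etc/group 2>/dev/null
}

# Install the rules; each emitted line is one "ipfw add ..." invocation.
apply_restriction() {
    group="$1"
    group_exists "$group" || { echo "no such group: $group" >&2; return 1; }
    restrict_group_rules "$group" | while read -r line; do
        # Word splitting on $line is intended: it is an ipfw argument list.
        ipfw $line || return 1
    done
}
```

Run `restrict_group_rules restricted` first to review the rules, then `apply_restriction restricted` as root; `ipfw list` afterwards should show both rules numbered ahead of the default allow.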