From owner-freebsd-stable Mon Sep 11 15:47:13 2000
Delivered-To: freebsd-stable@freebsd.org
Received: from privatecube.privatelabs.com (privatecube.privatelabs.com [198.143.31.30]) by hub.freebsd.org (Postfix) with ESMTP id B743F37B43C for ; Mon, 11 Sep 2000 15:47:07 -0700 (PDT)
Received: from misha.privatelabs.com (root@misha.privatelabs.com [198.143.31.6]) by privatecube.privatelabs.com (8.9.3/8.9.2) with ESMTP id SAA09107; Mon, 11 Sep 2000 18:06:12 -0400
Received: from virtual-estates.net (mi@localhost [127.0.0.1]) by misha.privatelabs.com (8.9.3/8.9.3) with ESMTP id SAA27038; Mon, 11 Sep 2000 18:46:46 -0400 (EDT) (envelope-from mi@virtual-estates.net)
Message-Id: <200009112246.SAA27038@misha.privatelabs.com>
Date: Mon, 11 Sep 2000 18:46:44 -0400 (EDT)
From: mi@aldan.algebra.com
Subject: Re: firewall rules for applications
To: Bill Moran
Cc: stable@freebsd.org
In-Reply-To: <39BD5D43.9231594B@columbus.rr.com>
MIME-Version: 1.0
Content-Type: TEXT/plain; CHARSET=US-ASCII
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On 11 Sep, Bill Moran wrote:
= mi@aldan.algebra.com wrote:
= >
= > I wonder how feasible it would be to implement firewall rules that
= > would take into consideration the program (on the local machine)
= > sending/receiving the packets. I know I can now base the rules on
= > the user/group id, but I may want to go further.
=
= Technically, this is what ports are for. Port 80 is for http, 23 for
= telnet, etc. In a better world, this would be all that's needed. But
= ...

Mmm, yes, but I may wish to block Communicator from reaching something
that Lynx or Konqueror users are allowed to reach. Like "Smart Browsing".

= > I just read a description of a Windows product that attempts to
= > fight software offered by sneaky vendors, that tries to contact the
= > vendor over the Internet to send back the user's data. The blocking
= > software, supposedly, blocks applications from accessing certain
= > sites. This is not an immediate problem for FreeBSD, but...
=
= Why not prevent the user from installing the trojan to begin with
= (that's basically what that is)

Because there may be a legitimate need for the software. Like
Communicator, for example, or Doom/Quake :)

= The best security will always be trained individuals who are paranoid.

That's correct. And I'm trying to be one of those and think ahead to see
the time when giant software packages will be available to me on FreeBSD,
but I'll want to limit their network access.

	-mi
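Added example (this is not part of either poster's mail, and not FreeBSD
project code): the closest thing the ipfw(8) of that era offers to a
per-program rule is the uid/gid matching the original poster mentions.
The recipe is to run the untrusted application under a dedicated,
unprivileged user, attach ipfw deny rules to that uid for the hosts it
must not reach, and audit the installed ruleset. The user name netscape,
the rule numbers, the blocked addresses and the "ipfw list" sample are all
assumptions made for the example; the script prints the ipfw commands
rather than running them, so it works on any POSIX shell.

```shell
#!/bin/sh
# Added example, not from the original thread. Per-application egress
# control on FreeBSD 4.x-era ipfw using its uid option: the application is
# started under its own uid and the rules key on that uid. All names,
# numbers and addresses below are assumptions, not values from the thread.

APP_USER="${APP_USER:-netscape}"     # dedicated unprivileged uid (assumption)
RULE_BASE="${RULE_BASE:-1000}"       # first ipfw rule number to use (assumption)
BLOCKED_HOSTS="${BLOCKED_HOSTS:-198.51.100.10 198.51.100.11}"  # placeholder "phone home" hosts

# Emit the ipfw commands for one application. Note that ipfw's uid option
# matches TCP and UDP only (so DNS over UDP is covered, ICMP is not), and
# that ipfw stops at the first matching rule, so denies must be numbered
# below the catch-all allow for the same uid.
gen_rules() {
  user=$1; base=$2; hosts=$3
  n=$base
  for h in $hosts; do
    printf 'ipfw add %d deny log tcp from any to %s out uid %s\n' "$n" "$h" "$user"
    n=$((n + 1))
    printf 'ipfw add %d deny log udp from any to %s out uid %s\n' "$n" "$h" "$user"
    n=$((n + 1))
  done
  printf 'ipfw add %d allow ip from any to any uid %s\n' "$n" "$user"
}

# Wrapper command that launches the application as the dedicated user so
# the rules above actually apply to its sockets. su -m keeps the caller's
# environment (DISPLAY etc.); granting that user X access is not shown.
app_wrapper() {
  user=$1; shift
  printf 'su -m %s -c "%s"\n' "$user" "$*"
}

# Audit helper for "ipfw list" output: pass (0) only if a deny rule for HOST
# and USER exists and its rule number is lower than the first allow for
# USER. Catches the classic mistake of an allow that shadows the denies.
audit_rules() {
  rules=$1; host=$2; user=$3
  deny_no=$(printf '%s\n' "$rules" | grep " deny .* to $host .*uid $user" | head -n 1 | awk '{print $1}')
  allow_no=$(printf '%s\n' "$rules" | grep " allow .*uid $user" | head -n 1 | awk '{print $1}')
  [ -n "$deny_no" ] || return 1
  [ -z "$allow_no" ] || [ "$deny_no" -lt "$allow_no" ]
}

# Constructed sample of what "ipfw list" would show after loading the rules
# (not captured from a real system).
SAMPLE_LIST='01000 deny log tcp from any to 198.51.100.10 out uid netscape
01001 deny log udp from any to 198.51.100.10 out uid netscape
01002 allow ip from any to any uid netscape
65535 deny ip from any to any'

# When run directly, print the commands an administrator would paste into
# /etc/rc.firewall (or run as root) and the wrapper to start the browser.
gen_rules "$APP_USER" "$RULE_BASE" "$BLOCKED_HOSTS"
app_wrapper "$APP_USER" netscape
```

Caveats a practitioner should keep in mind: the uid check is made on the
local socket owner, so anything the application reaches through a helper
running under another uid (a setuid binary, a local proxy, a daemon on
loopback) is not covered unless loopback traffic from that uid is also
restricted; and since the match is by uid rather than by program, every
binary run as that user inherits the same restrictions, which is exactly
the gap the original poster wanted closed.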