From owner-freebsd-stable Mon Sep 11 15:49:28 2000
Delivered-To: freebsd-stable@freebsd.org
Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20]) by hub.freebsd.org (Postfix) with ESMTP id EFACB37B43E for ; Mon, 11 Sep 2000 15:49:23 -0700 (PDT)
Received: (from bright@localhost) by fw.wintelcom.net (8.10.0/8.10.0) id e8BMnFu03887; Mon, 11 Sep 2000 15:49:15 -0700 (PDT)
Date: Mon, 11 Sep 2000 15:49:15 -0700
From: Alfred Perlstein
To: mi@aldan.algebra.com
Cc: Bill Moran , stable@FreeBSD.ORG
Subject: Re: firewall rules for applications
Message-ID: <20000911154915.X12231@fw.wintelcom.net>
References: <39BD5D43.9231594B@columbus.rr.com> <200009112246.SAA27038@misha.privatelabs.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.4i
In-Reply-To: <200009112246.SAA27038@misha.privatelabs.com>; from mi@aldan.algebra.com on Mon, Sep 11, 2000 at 06:46:44PM -0400
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

* mi@aldan.algebra.com [000911 15:47] wrote:
> On 11 Sep, Bill Moran wrote:
> = mi@aldan.algebra.com wrote:
> =
> = > I wonder how feasible it would be to implement firewall rules that
> = > would take into consideration the program (on the local machine)
> = > sending/receiving the packets. I know I can now base the rules on
> = > the user/group id, but I may want to go further.
> =
> = Technically, this is what ports are for. Port 80 is for http, 23 for
> = telnet, etc. In a better world, this would be all that's needed. But
> = ...
>
> Mmm, yes, but I may wish to block Communicator from reaching something
> that Lynx or Konqueror users are allowed to reach. Like "Smart
> Browsing".
>
> = > I just read a description of a Windows product that attempts to
> = > fight software offered by sneaky vendors that tries to contact the
> = > vendor over the Internet to send back the user's data. The blocking
> = > software, supposedly, blocks applications from accessing certain
> = > sites. This is not an immediate problem for FreeBSD, but...
> =
> = Why not prevent the user from installing the trojan to begin with
> = (that's basically what that is)?
>
> Because there may be a legitimate need for the software. Like
> Communicator, for example, or Doom/Quake :)
>
> = The best security will always be trained individuals who are paranoid.
>
> That's correct. And I'm trying to be one of those and think ahead to see
> the time when giant software packages will be available to me on
> FreeBSD, but I'll want to limit their network access.

UFS is getting ACLs. I don't know exactly what they will offer, but they
might include branding that allows one to match the ACLs against ipfw
rules.

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
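A worked illustration of the approach the thread says is available today, ipfw rules keyed on the user/group id rather than on the program: run the application under a dedicated account and deny that account's sockets access to chosen destinations. This script is an added example and is not code from the thread, from any poster, or from FreeBSD. The account name nscomm, the rule numbers and the destination addresses are assumptions; only the ipfw "uid" match and "deny log" action are taken from ipfw(8).

```shell
#!/bin/sh
# Added example, not from the thread: confine one application's network
# access with ipfw(8) uid matching. The application is started under a
# dedicated account, so its sockets are owned by that uid and the rules
# below match that traffic and nothing run by other users. The account
# name, rule numbers and addresses in the usage are assumptions.

# Emit ipfw commands that deny (and log) TCP from the given account to each
# listed destination, then allow the account's remaining traffic so the
# result is a targeted blocklist rather than a full lockdown.
# $1 = account name, $2 = first rule number, remaining args = destinations.
app_deny_rules() {
    acct=$1
    n=$2
    shift 2
    for host in "$@"; do
        printf 'ipfw add %d deny log tcp from any to %s uid %s\n' \
            "$n" "$host" "$acct"
        n=$((n + 1))
    done
    printf 'ipfw add %d allow ip from any to any uid %s\n' "$n" "$acct"
}

# Load the rules when running as root on a host that has ipfw; otherwise
# just show them. Rules must go in before any broader "allow" rule that
# would match first, since ipfw stops at the first matching rule.
apply_or_show() {
    rules=$(app_deny_rules "$@")
    if command -v ipfw >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
        printf '%s\n' "$rules" | sh
    else
        printf '%s\n' "$rules"
    fi
}

# Start the program under the confined account so the uid match applies
# to its sockets. Assumes the account exists (pw useradd) and that any
# display access it needs has been arranged separately.
run_confined() {
    su -m "$1" -c "$2"
}

# Usage (arguments are assumptions for illustration):
#   sh confine.sh nscomm 1000 10.0.0.5 10.0.0.6
#   run_confined nscomm netscape
if [ $# -gt 0 ]; then
    apply_or_show "$@"
fi
```

Caveat a practitioner should keep in mind: the uid match only works for traffic that originates from or terminates at a socket on this host, so it cannot express anything about forwarded packets, and it distinguishes accounts, not programs. Two browsers run by the same account are still indistinguishable to the rules, which is exactly the gap the thread is asking about.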