Date: Sun, 2 Dec 2001 22:53:58 -0600 (CST)
From: Mike Silbersack <silby@silby.com>
To: Ian Smith <smithi@nimnet.asn.au>
Cc: Brett Glass <brett@lariat.org>, Kris Kennaway <kris@obsecurity.org>, <freebsd-security@FreeBSD.ORG>
Subject: Re: Security zone
Message-ID: <20011202224820.B505-100000@achilles.silby.com>
In-Reply-To: <Pine.BSF.3.96.1011125230455.14871C-100000@gaia.nimnet.asn.au>
On Sun, 25 Nov 2001, Ian Smith wrote:

> On Sat, 24 Nov 2001, Brett Glass wrote:
>
> > FreeBSD doesn't have per-application control of ports and sockets,
> > which is what ZoneAlarm *tries* to provide. It'd be nice to add this
> > as built-in feature, either in the base OS or in ipfw.
>
> Yeah, Windows security 'features' for FreeBSD, just what we lack! :)
>
> Can't you do 'per-app' stuff in ipfw with users and/or groups? Frankly
> I'm more contented relying on having port access control in rc.firewall.
>
> Cheers, Ian

I guess it's a bit late to jump in here, but I'd like to throw in a bit of
information.

While ipfw does allow you to filter by uid/gid, that feature falls short of
the goal of filtering an app. Right now, sockets maintain the uid of the
process that spawned them. Hence, apache worker threads still would be
filtered as uid 0, even though they've changed credentials and are running
as uid 80 (or nobody, or whatever you set it to.)

If merged in with some nifty ACL system which propagated rights through
forks, per-app firewalling _could_ be an awesome security feature - you
could restrict bind to doing connections to port 53 only, you could
restrict httpd to port 80, etc. This is, of course, only one small part of
the ideal secure system, and wouldn't make a huge impact and many other
features are present (many of which are being worked on by Robert Watson &
associates.)

In any case, don't knock the idea; if someone had the time to implement a
solid app-level firewalling, I'm sure it could be put to good use.

Mike "Silby" Silbersack

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
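As an added example, not part of the thread, here is a small POSIX sh script that prints the per-uid ipfw(8) rule set Mike sketches: each service account gets allow rules for its own port and a logging deny for anything else its sockets send. The service usernames `bind` and `www` and the rule numbers are assumptions; substitute the local passwd entries and a range below the default rule. The script only prints the `ipfw add` commands; it applies nothing unless its output is piped to sh as root on a FreeBSD host with ipfw loaded. The comment on the catch-all rule records the limitation the thread describes: a daemon that creates its socket before dropping privileges is matched as uid 0, so the rules below only constrain sockets that were actually created under the service uid.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): generate per-uid
# ipfw rules. Usernames and rule numbers are placeholders.

# svc_rules <user> <first_rule_no> "<proto> from <src> to <dst>" ...
# Emits one allow rule per match expression, then a catch-all deny for
# every other packet belonging to a socket owned by <user>.
svc_rules() {
    user=$1
    n=$2
    shift 2
    for match in "$@"; do
        echo "ipfw add $n allow $match uid $user"
        n=$((n + 1))
    done
    # Catch-all. Per the thread, ipfw sees the uid the socket was
    # created with: a daemon that opens its socket as root and only then
    # switches to <user> never matches this rule, so it is a constraint
    # on sockets created under <user>, not on the program as a whole.
    echo "ipfw add $n deny log ip from any to any uid $user"
}

# Whole rule set for the two services named in the thread.
ruleset() {
    # named acting as a resolver: queries to remote port 53 only
    svc_rules bind 1000 "udp from me to any 53" "tcp from me to any 53"
    # httpd: only traffic sent from the local web port
    svc_rules www 1100 "tcp from me 80 to any"
}

# Number of rules a ruleset would install (used as a sanity check).
rule_count() {
    ruleset | wc -l | tr -d ' '
}

ruleset
```

To apply it on a FreeBSD firewall, review the printed rules, then run `sh script.sh | sh` as root and confirm with `ipfw show` that the per-uid deny counters stay at zero during normal operation; a rising counter on the deny rule is the signal worth investigating.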