From: Bill Moran <wmoran@collaborativefusion.com>
To: Niklaus
Cc: questions@freebsd.org
Date: Sun, 2 Apr 2006 11:11:16 -0400
Subject: Re: disable listen on ports

Niklaus wrote:

> Hi,
> How do I disable users on a system from running their own HTTP proxy. I
> don't want to allow users who have login accounts on my system to
> listen on any port. How do I do that?

Put up a packet filter.
With IPFW you could do:

    ipfw add reject tcp from any to me setup

They could then start all the listening daemons they wanted, but the
kernel would prevent any of them from ever getting a connection.

For UDP, something like this should work:

    ipfw add pass udp from me to any keep-state
    ipfw add reject udp from any to me

... which would allow connections to be initiated from the machine, but
not to the machine.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
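A small Python model of how the three ipfw rules in the reply above are evaluated, added here as an illustration and not part of the original thread. It runs constructed packets through first-match evaluation to show which ones the rules reject and which pass. It assumes a constructed address for "me", that the kernel's default rule accepts (ipfw denies by default unless built with IPFIREWALL_DEFAULT_TO_ACCEPT), and simplifies ipfw matching to what these three rules need.

```python
# Constructed model of first-match ipfw evaluation for the rules in the reply.
# Not the real ipfw code: "setup" = TCP with SYN set and ACK clear; a keep-state
# rule consults the dynamic (state) table before its own body, as ipfw(8) describes.
ME = "192.0.2.10"          # constructed address standing in for "me"
DEFAULT_ACTION = "pass"    # assumption: kernel built to accept by default

RULES = [  # (action, proto, src, dst, options), in the order given in the reply
    ("reject", "tcp", "any", "me", {"setup"}),
    ("pass", "udp", "me", "any", {"keep-state"}),
    ("reject", "udp", "any", "me", set()),
]


class Firewall:
    def __init__(self, rules=RULES, me=ME):
        self.rules, self.me, self.dynamic = rules, me, {}

    def _host(self, pattern, addr):
        return pattern == "any" or (pattern == "me" and addr == self.me) or pattern == addr

    def check(self, pkt):
        """pkt: dict with proto, src, sport, dst, dport, flags (set of TCP flag names)."""
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        for action, proto, src, dst, opts in self.rules:
            if "keep-state" in opts and (key in self.dynamic or rev in self.dynamic):
                return self.dynamic.get(key, self.dynamic.get(rev))  # action of the creating rule
            if proto != pkt["proto"] or not (self._host(src, pkt["src"]) and self._host(dst, pkt["dst"])):
                continue
            if "setup" in opts and not ("SYN" in pkt["flags"] and "ACK" not in pkt["flags"]):
                continue  # only the initial SYN of an inbound connection is a "setup" packet
            if "keep-state" in opts:
                self.dynamic[key] = action  # remember the flow so its replies are let back in
            return action
        return DEFAULT_ACTION


def demo(me=ME):
    fw, out, remote = Firewall(), {}, "198.51.100.7"  # constructed remote host
    # A user starts a proxy on 8080 and an outside client tries to connect
    out["inbound_syn"] = fw.check(dict(proto="tcp", src=remote, sport=40000, dst=me, dport=8080, flags={"SYN"}))
    # The machine itself connects out to a web server; the SYN-ACK reply is not a setup packet
    out["outbound_reply"] = fw.check(dict(proto="tcp", src=remote, sport=80, dst=me, dport=50000, flags={"SYN", "ACK"}))
    # A DNS query leaving the machine creates state, so its answer is admitted
    fw.check(dict(proto="udp", src=me, sport=53000, dst=remote, dport=53, flags=set()))
    out["dns_answer"] = fw.check(dict(proto="udp", src=remote, sport=53, dst=me, dport=53000, flags=set()))
    # Unsolicited UDP to a user-started listener has no state and hits the reject rule
    out["unsolicited_udp"] = fw.check(dict(proto="udp", src=remote, sport=5000, dst=me, dport=9999, flags=set()))
    return out
```

Note that the TCP rule never stops a daemon from binding a port; it only ensures no inbound handshake completes, while outbound TCP stays untracked and depends on the default-accept assumption above.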