ipfw uid/gid to match listening TCP sockets?
Robert Watson
rwatson at FreeBSD.org
Tue Apr  8 14:06:57 UTC 2008

On Tue, 8 Apr 2008, Yar Tikhiy wrote:
>>  Be aware that uid/gid/jail rules may become less maintainable as our TCP 
>> locking becomes more mature.  We already jump through some uncomfortable 
>> hoops to keep it working, but I'm not sure how long that can go on.
>
> I've always viewed uid/gid rules as a hack that works for now. In the long 
> run we may want to consider an API allowing privileged apps to punch holes 
> in the firewall in a controllable manner. Of course, the API should be 
> agnostic of the particular firewall type. Then, e.g., ftpd(8) would be able 
> to open its current passive data port only and to a single remote IP, and 
> the whole port range wouldn't need to be exposed. Such holes could be 
> handled as dynamic rules/states so that they don't stay there forever if the 
> app crashes.
Once open sourced, we may want to take a look at Apple's new application level 
firewall parts, which as I understand it are based (at least in part) on our 
MAC Framework.  It allows you to bind network rights to specific applications, 
although I'm not sure how they accomplish the binding -- be it via labels on 
executables, or pattern matching on binary names, or what exactly.
Robert N M Watson
Computer Laboratory
University of Cambridge