fine grained firewall?

andrew clarke mail at
Thu Feb 9 09:23:11 PST 2006

On Thu, Feb 09, 2006 at 07:30:17AM -0500, Chuck Swiger wrote:

> > Is it possible to configure the FreeBSD firewall to block ports on a
> > per-user or per-executable basis?
> > 
> > eg.
> > 
> > - Block /usr/local/bin/irc from connecting to TCP port 6667
> > 
> > - Block user 'johnsmith' from connecting to TCP port 21
> Yes to users (if the connections originate from the firewall box), no to
> per-executables.  The latter seems useless when "cp irc myirc" is all it would
> take to defeat it.  Frankly, neither option is very useful or would be needed
> for a good ruleset...

The latter may not be so useless if the firewall automatically blocked
all executables that were not registered with it. The full path,
filename, md5sum of the executable could be recorded and matched with
its database. Some Windows firewall software works this way.

It may also be useful for logging (not blocking) connections to/from a
certain executable, for traffic accounting.

I see now the option for per-user control in the ipfw manpage.  Not sure
why I missed that before.

     uid user
             Match all TCP or UDP packets sent by or received for a user.  A
             user may be matched by name or identification number.
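Worked example, added here and not part of this thread: a small POSIX sh script that turns a per-user policy table into ipfw rules using the uid option quoted above. The user name and port numbers come from the original question; the script itself, its POLICY table and the DRY_RUN/IPFW variables are assumptions of mine. As the reply above notes, uid matching only covers connections made from the firewall host itself.

```shell
#!/bin/sh
# Added example (not from the thread): build ipfw rules from a per-user policy
# using the 'uid' option. Run as root with DRY_RUN=0 to apply; the default
# DRY_RUN=1 just prints the commands.
DRY_RUN="${DRY_RUN:-1}"
IPFW="${IPFW:-ipfw}"

# Constructed policy table: "user proto dst-port action", one entry per line.
# 'deny' blocks and logs; 'count' only accounts for traffic, the logging-only
# use mentioned above.
POLICY='
johnsmith tcp 21 deny
johnsmith tcp 6667 count
'

# Emit one ipfw command for a policy entry.
# $1=rule number $2=user $3=proto $4=dst-port $5=action
rule_for() {
    case "$5" in
        deny)  printf '%s add %s deny log %s from any to any %s uid %s\n' \
                   "$IPFW" "$1" "$3" "$4" "$2" ;;
        count) printf '%s add %s count %s from any to any %s uid %s\n' \
                   "$IPFW" "$1" "$3" "$4" "$2" ;;
        *)     printf 'unknown action: %s\n' "$5" >&2; return 1 ;;
    esac
}

# Walk the policy table, numbering rules from $1 upward in steps of 10 so
# they land ahead of any later catch-all rule. Fails on a bad action or,
# when applying for real, on a user that does not exist on this host.
apply_policy() {
    n="$1"
    printf '%s\n' "$POLICY" | while read -r user proto port action; do
        [ -n "$user" ] || continue
        if [ "$DRY_RUN" != 1 ] && ! id "$user" >/dev/null 2>&1; then
            printf 'no such user: %s\n' "$user" >&2; exit 1
        fi
        cmd=$(rule_for "$n" "$user" "$proto" "$port" "$action") || exit 1
        if [ "$DRY_RUN" = 1 ]; then
            printf '%s\n' "$cmd"
        else
            $cmd
        fi
        n=$((n + 10))
    done
}
```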
