fine grained firewall?

Chuck Swiger cswiger at
Thu Feb 9 10:03:45 PST 2006

andrew clarke wrote:
> On Thu, Feb 09, 2006 at 07:30:17AM -0500, Chuck Swiger wrote:
[ ... ]
>> Yes to users (if the connections originate from the firewall box), no to
>> per-executables.  The latter seems useless when "cp irc myirc" is all it would
>> take to defeat it.  Frankly, neither option is very useful or would be needed
>> for a good ruleset...
> The latter may not be so useless if the firewall automatically blocked
> all executables that were not registered with it. The full path,
> filename, md5sum of the executable could be recorded and matched with
> its database. Some Windows firewall software works this way.

Sure.  While Windows benefits from this, an end-user workstation which can run
arbitrary executables the user downloads from who-knows-where, is not something
I would call a firewall.  It's a workstation running firewall software.

A firewall is the component of a network topology which enforces a security
policy by granting or forbidding access at a chokepoint that network traffic
cannot circumvent, and functions best (ie, most securely) when the firewall is
locked down and running zero or as few services or programs as are required for
baseline functionality and remote management.

> It may also be useful for logging (not blocking) connections to/from a
> certain executable, for traffic accounting.
> I see now the option for per-user control in the ipfw manpage.  Not sure
> why I missed that before.
>      uid user
>              Match all TCP or UDP packets sent by or received for a user.  A
>              user may be matched by name or identification number.

That's the one, yes.  :-)  I think it's only useful where one end of the
connection is local, though....


More information about the freebsd-questions mailing list