Date:      Sun, 02 Apr 2006 21:40:50 +0200
From:      michael <micatod@koproject.org>
To:        Erik Nørgaard <norgaard@locolomo.org>
Cc:        questions@freebsd.org
Subject:   Re: disable listen on ports
Message-ID:  <443028C2.7050108@koproject.org>
In-Reply-To: <44300138.8030502@locolomo.org>
References:  <85e0e3140604020746t19565d1doc61493b89ec87905@mail.gmail.com> <44300138.8030502@locolomo.org>

Erik Nørgaard wrote:

> Niklaus wrote:
>
>> Hi,
>>  How do I prevent users on a system from running their own HTTP proxy? I
>> don't want to allow users who have login accounts on my system to
>> listen on any port. How do I do that?
>
>
> Putting up a packet filter as some suggest may break other things.
>
> Instead, you can take a look at MAC, Mandatory Access Controls. There
> is a module mac_portacl(4) that can control this.
>
> You need to compile your kernel with options MAC and then add
> mac_portacl_load="YES" to loader.conf
>
> But don't ask me how it works, haven't used it.
>
> Cheers, Erik
>
I think you're able to use this sample for doing what you want:

# Allow out FreeBSD (make install & CVSUP) functions
# Basically give user root "GOD" privileges.
$cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root


I found it on the ipfw explanation page:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html

Michael.
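Putting Erik's mac_portacl suggestion into a concrete configuration, as an added example that is not from this thread, the FreeBSD handbook, or the ipfw page: it assumes a FreeBSD host built with options MAC and mac_portacl_load="YES" in /boot/loader.conf, and the helper names portacl_rules and portacl_sysctl_conf are hypothetical.

```shell
# Added example (not from the thread or the FreeBSD handbook). Assumes a
# FreeBSD host built with "options MAC" and mac_portacl_load="YES" in
# /boot/loader.conf, as Erik describes. Helper names are hypothetical.

# Build the security.mac.portacl.rules value from "uid:port" entries, so that
# only the listed users may bind() the listed TCP ports. Entries are
# validated: anything but two decimal numbers separated by ':' is rejected.
portacl_rules() {
  out=""
  for e in "$@"; do
    case "$e" in *:*) ;; *) echo "bad entry: $e" >&2; return 1 ;; esac
    uid=${e%%:*}; port=${e#*:}
    case "${uid:-x}${port:-x}" in
      *[!0-9]*) echo "bad entry: $e" >&2; return 1 ;;
    esac
    [ "$port" -le 65535 ] || { echo "bad port: $e" >&2; return 1; }
    out="${out}${out:+,}uid:${uid}:tcp:${port}"
  done
  printf '%s\n' "$out"
}

# Emit the sysctl.conf lines that make the policy cover every port rather
# than only ports below 1024 (port_high) and hand the kernel's reserved-port
# check over to the policy. Append the output to /etc/sysctl.conf on the
# host and load it with "sysctl -f /etc/sysctl.conf" (or reboot).
portacl_sysctl_conf() {
  r=$(portacl_rules "$@") || return 1
  cat <<EOF
security.mac.portacl.enabled=1
security.mac.portacl.suser_exempt=1
security.mac.portacl.autoport_exempt=1
security.mac.portacl.port_high=65535
net.inet.ip.portrange.reservedlow=0
net.inet.ip.portrange.reservedhigh=0
security.mac.portacl.rules=$r
EOF
}

# Sample policy (constructed): root may bind 22, the www user (uid 80) may
# bind 80 and 443, and any other explicit bind() by an unprivileged user is
# refused. Caveat: autoport_exempt=1 still lets a user bind() port 0 and be
# handed an ephemeral port; set it to 0 if that gap matters. Check the
# outcome on the host with "sockstat -4l" after a user tries to listen.
portacl_sysctl_conf 0:22 80:80 80:443
```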
