Date:      Thu, 9 Feb 2006 08:59:52 -0800
From:      "Gayn Winters" <gayn.winters@bristolsystems.com>
To:        "'Chuck Swiger'" <cswiger@mac.com>, "'andrew clarke'" <mail@ozzmosis.com>
Cc:        freebsd-questions@freebsd.org
Subject:   RE: fine grained firewall?
Message-ID:  <07ac01c62d9a$4161a690$6501a8c0@workdog>
In-Reply-To: <43EB35D9.8040409@mac.com>

> [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Chuck Swiger
> Sent: Thursday, February 09, 2006 4:30 AM
> To: andrew clarke
> Cc: freebsd-questions@freebsd.org
> Subject: Re: fine grained firewall?
> 
> 
> andrew clarke wrote:
> > Is it possible to configure the FreeBSD firewall to block ports on a
> > per-user or per-executable basis?
> > 
> > eg.
> > 
> > - Block /usr/local/bin/irc from connecting to TCP port 6667
> > 
> > - Block user 'johnsmith' from connecting to TCP port 21
> 
> Yes to users (if the connections originate from the firewall box), no to
> per-executables.  The latter seems useless when "cp irc myirc" is all it
> would take to defeat it.  Frankly, neither option is very useful or
> would be needed for a good ruleset...

You can block certain types of use, e.g. block irc, by blocking the
outbound ports they use.  You can block user access to some things on
the internet by only allowing a proxy server such access and then having
users authenticate themselves to the proxy server (squid is an example
with a lot of functionality, and it runs on FreeBSD.)  

A lot of people like to block all but a list of applications from accessing
the Internet. This blocking function is often bundled with Anti-spyware
programs. The thought is that something not on the list might well be
new spyware or other "malware" that has snuck through your security
defenses. These programs need to run on the local workstation, and I
don't know of any for FreeBSD.  While this feature is a pain to manage,
it is probably here to stay as the anti-virus vendors gobble up the
anti-spyware vendors who seem to like it.  Also, don't be surprised if
Microsoft eventually puts this functionality into their base OS.

A lot of firewall vendors are adding non-traditional functionality to
their products. (Anti-virus, anti-spam, proxy server functionality,
outbound policy controls, ...) You can do this with your FreeBSD
firewall as well.  This has the disadvantages of complexity, management,
and performance problems.  

Good luck with your firewall,

-gayn

Bristol Systems Inc.
714/532-6776
www.bristolsystems.com 
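For the two concrete requests in the original question, here is an added example of a small ipfw(8) ruleset (it is not from the thread and not a recommended production ruleset) that blocks outbound IRC for everyone by port and blocks one user from the FTP control port by socket owner. It assumes ipfw is loaded on the host the users log in to; the user name and rule numbers are illustrative. As Chuck notes above, the per-user match only applies to connections that originate on that host, and the per-port rule does not care which binary opens the connection, so renaming the client changes nothing.

```shell
#!/bin/sh
# Added example, not the thread's own ruleset: ipfw rules that block outbound
# IRC (TCP 6667) for everyone and TCP 21 for user "johnsmith" (illustrative).
# "uid" matches the owner of a local socket, so rule 300 only sees connections
# that originate on this box, never traffic merely forwarded through it.

# Apply for real only when ipfw exists and we are root; otherwise print the
# commands (dry run) so the ruleset can be reviewed on any machine.
if [ -x /sbin/ipfw ] && [ "$(id -u)" -eq 0 ]; then
    fw() { /sbin/ipfw "$@"; }
else
    fw() { echo "ipfw $*"; }
fi

load_rules() {
    # Start from an empty table (-f skips the confirmation prompt).
    fw -f flush
    # Loopback traffic is never filtered.
    fw add 100 allow ip from any to any via lo0
    # Block IRC for everyone: drop outbound TCP connection setups to 6667,
    # whatever binary makes them ("cp irc myirc" does not help).
    fw add 200 deny log tcp from any to any 6667 out setup
    # Block user johnsmith from opening FTP control connections; uid only
    # matches sockets owned by that user on this host.
    fw add 300 deny log tcp from me to any 21 out setup uid johnsmith
    # Everything else passes here; a real ruleset would be far tighter.
    fw add 65000 allow ip from any to any
}

load_rules
```

Run it once as root and check the result with `ipfw list`; the `log` keyword only produces syslog entries when `net.inet.ip.fw.verbose` is set to 1, which is the easiest way to confirm the denied attempts are actually being caught. On a dedicated firewall box in front of the workstations the uid rule never matches, which is why the per-user approach is limited to the host the user is on, or to a proxy such as squid that can authenticate the user itself.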