From: "Gayn Winters" <gayn.winters@bristolsystems.com>
To: "'Chuck Swiger'", "'andrew clarke'"
Cc: freebsd-questions@freebsd.org
Date: Thu, 9 Feb 2006 08:59:52 -0800
Organization: Bristol Systems Inc.
Subject: RE: fine grained firewall?

> [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Chuck Swiger
> Sent: Thursday, February 09, 2006 4:30 AM
> To: andrew clarke
> Cc: freebsd-questions@freebsd.org
> Subject: Re: fine grained firewall?
>
> andrew clarke wrote:
> > Is it possible to configure the FreeBSD firewall to block ports on a
> > per-user or per-executable basis?
> >
> > eg.
> >
> > - Block /usr/local/bin/irc from connecting to TCP port 6667
> >
> > - Block user 'johnsmith' from connecting to TCP port 21
>
> Yes to users (if the connections originate from the firewall box), no to
> per-executables. The latter seems useless when "cp irc myirc" is all it would
> take to defeat it. Frankly, neither option is very useful or would be needed
> for a good ruleset...

You can block certain types of use, e.g. block irc, by blocking the outbound ports they use. You can block user access to some things on the internet by only allowing a proxy server such access and then having users authenticate themselves to the proxy server (squid is an example with a lot of functionality, and it runs on FreeBSD.)

A lot of people like to block all but a list of applications from accessing the Internet. This blocking function is often bundled with anti-spyware programs. The thought is that something not on the list might well be new spyware or other "malware" that has snuck through your security defenses. These programs need to run on the local workstation, and I don't know of any for FreeBSD. While this feature is a pain to manage, it is probably here to stay as the anti-virus vendors gobble up the anti-spyware vendors who seem to like it. Also, don't be surprised if Microsoft eventually puts this functionality into their base OS.

A lot of firewall vendors are adding non-traditional functionality to their products (anti-virus, anti-spam, proxy server functionality, outbound policy controls, ...). You can do this with your FreeBSD firewall as well. This has the disadvantages of complexity, management, and performance problems.

Good luck with your firewall,

-gayn
Bristol Systems Inc.
714/532-6776
www.bristolsystems.com
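A pf.conf ruleset that puts the two suggestions above into practice (port-based blocking plus a proxy-only path to the web, with Chuck's per-user match for johnsmith), as an added example that is not part of this thread. It assumes the external interface is em0 and that squid runs as the system user "squid" on 127.0.0.1:3128; both are assumptions, only the johnsmith account comes from the original question.

```pf
# Added example, not from the thread. Loaded on the host where the
# connections originate: as Chuck notes, per-user matching only works
# there, never for traffic the box merely forwards.
# Assumptions: external interface em0; squid running as user "squid" on
# 127.0.0.1:3128; "johnsmith" is the account from the original question.
ext_if = "em0"

# Loopback carries the users' connections to the local squid.
pass quick on lo0

# Gayn's first suggestion: block IRC by its outbound port instead of by
# executable, so "cp irc myirc" changes nothing.
block out quick on $ext_if proto tcp to any port 6667

# Per-user rule: johnsmith may not open FTP control connections.
# "user" matches the owner of the local socket, so it has no effect on
# packets that did not originate on this host.
block out quick on $ext_if proto tcp to any port 21 user johnsmith

# Gayn's second suggestion: only the proxy may reach the web directly.
# Everyone else must connect to squid on 127.0.0.1:3128 and authenticate
# there; squid's own access controls decide who gets through.
pass out quick on $ext_if proto tcp to any port { 80 443 } user squid keep state
block out quick on $ext_if proto tcp to any port { 80 443 }

# Everything else: stateful outbound, nothing unsolicited inbound.
pass out on $ext_if keep state
block in on $ext_if
```

Check the rules with `pfctl -nf /etc/pf.conf` before loading them; a typo in a `quick` rule silently changes what the later rules see.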