Date:      Thu, 09 Feb 2006 13:03:48 -0500
From:      Chuck Swiger <cswiger@mac.com>
To:        andrew clarke <mail@ozzmosis.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: fine grained firewall?
Message-ID:  <43EB8404.7040009@mac.com>
In-Reply-To: <20060209172303.GA46771@ozzmosis.com>
References:  <20060209084833.GA26877@ozzmosis.com> <43EB35D9.8040409@mac.com> <20060209172303.GA46771@ozzmosis.com>

andrew clarke wrote:
> On Thu, Feb 09, 2006 at 07:30:17AM -0500, Chuck Swiger wrote:
[ ... ]
>> Yes to users (if the connections originate from the firewall box), no to
>> per-executables.  The latter seems useless when "cp irc myirc" is all it would
>> take to defeat it.  Frankly, neither option is very useful or would be needed
>> for a good ruleset...
> 
> The latter may not be so useless if the firewall automatically blocked
> all executables that were not registered with it. The full path,
> filename, md5sum of the executable could be recorded and matched with
> its database. Some Windows firewall software works this way.

Sure.  While Windows benefits from this, an end-user workstation which can run
arbitrary executables the user downloads from who-knows-where is not something
I would call a firewall.  It's a workstation running firewall software.

A firewall is the component of a network topology which enforces a security
policy by granting or forbidding access at a chokepoint that network traffic
cannot circumvent, and functions best (i.e., most securely) when the firewall is
locked down and running zero or as few services or programs as are required for
baseline functionality and remote management.

> It may also be useful for logging (not blocking) connections to/from a
> certain executable, for traffic accounting.
> 
> I see now the option for per-user control in the ipfw manpage.  Not sure
> why I missed that before.
> 
>      uid user
>              Match all TCP or UDP packets sent by or received for a user.  A
>              user may be matched by name or identification number.

That's the one, yes.  :-)  I think it's only useful where one end of the
connection is local, though....

-- 
-Chuck
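The two per-executable schemes argued over above, as an added example that is not part of the original thread and not ipfw code: a rule that names a program to deny (the style "cp irc myirc" evades) next to the registration database andrew describes (full path plus a digest of the executable, default-deny for anything unregistered). The class and function names are invented for this illustration, the "programs" are constructed sample files written to a temporary directory, and SHA-256 stands in for the md5sum mentioned in the mail, since MD5 collisions are practical today.

```python
"""Added example: path-keyed deny rule vs. (path, digest)-keyed allow-list.

Assumptions (not from the original mail): class/function names are invented,
the sample "executables" are constructed files in a temp directory, and
SHA-256 replaces the md5sum mentioned in the thread.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed sample "executables" (tiny shell scripts, never executed).
SAMPLE_PROGRAMS = {
    "irc": b"#!/bin/sh\necho 'connecting to irc'\n",
    "ssh": b"#!/bin/sh\necho 'ssh client'\n",
}


def file_digest(path):
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class PathDenyList:
    """Per-program deny rule keyed on path only ("block /usr/bin/irc").

    Default is allow; only the named paths are refused.  This is the style
    that a copy of the binary under a new name defeats.
    """

    def __init__(self, denied_paths):
        self.denied = {os.path.realpath(p) for p in denied_paths}

    def allows(self, path):
        return os.path.realpath(path) not in self.denied


class RegisteredAllowList:
    """Default-deny allow-list keyed on (absolute path, digest).

    A program may connect only if its path was registered and its current
    contents still hash to the value recorded at registration time.
    """

    def __init__(self):
        self.db = {}  # realpath -> hex digest

    def register(self, path):
        p = os.path.realpath(path)
        self.db[p] = file_digest(p)

    def allows(self, path):
        p = os.path.realpath(path)
        expected = self.db.get(p)
        return expected is not None and file_digest(p) == expected


def demo():
    """Build both policies, then simulate 'cp irc myirc' and a replaced binary.

    Returns a dict of named outcomes so the result can be checked directly.
    """
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for name, body in SAMPLE_PROGRAMS.items():
            (root / name).write_bytes(body)
        irc, ssh, myirc = root / "irc", root / "ssh", root / "myirc"

        # Policies are built before the evasion attempt.
        deny = PathDenyList([irc])
        allow = RegisteredAllowList()
        allow.register(ssh)  # only ssh is registered; irc is not

        # The evasion from the thread: an identical copy under a new name.
        myirc.write_bytes(irc.read_bytes())

        results = {
            "denylist_blocks_irc": not deny.allows(irc),
            "denylist_blocks_copy": not deny.allows(myirc),   # evasion succeeds
            "allowlist_permits_ssh": allow.allows(ssh),
            "allowlist_blocks_irc": not allow.allows(irc),
            "allowlist_blocks_copy": not allow.allows(myirc),  # unregistered path
        }

        # A registered binary later replaced in place: same path, new digest.
        ssh.write_bytes(ssh.read_bytes() + b"# trojaned\n")
        results["allowlist_blocks_modified_ssh"] = not allow.allows(ssh)
        return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:32s} {ok}")
```

The copy evades the path-keyed deny rule but not the default-deny allow-list, and the allow-list also refuses a registered binary whose contents have changed. Two caveats a practitioner would add: hashing the file on disk at connect time can be raced against what is actually mapped in the process, and the scheme is only as strong as whoever controls the registration database, which on a workstation that runs whatever the user downloads is the user. As the mail notes, both schemes only apply to connections that originate on the box itself.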



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?43EB8404.7040009>