Date: Sun, 19 Jun 2005 22:38:45 +0200
From: Peder Blom <peder.blom@bredband.net>
To: John Conner <johnc2kk@yahoo.co.uk>
Cc: freebsd-questions@freebsd.org
Subject: Re: ipf: filter by program?
Message-ID: <20050619223845.0ae260b2.peder.blom@bredband.net>
In-Reply-To: <20050617133554.35550.qmail@web26903.mail.ukl.yahoo.com>
References: <20050617133554.35550.qmail@web26903.mail.ukl.yahoo.com>
On Fri, 17 Jun 2005 14:35:54 +0100 (BST) John Conner <johnc2kk@yahoo.co.uk> wrote:

> Hello all,
>
> I was just wondering if it was possible to add program
> filtering into an IPF firewall? For example if traffic
> is allowed out on port 80 then it may only travel
> through this port if, for example, it is coming from
> firefox etc. It seems like a pretty useful feature but
> as of yet I have been unable to find any documentation
> that covers such a filtering rule. Any
> feedback/suggestions would be much appreciated,

Other answers in this thread have made it clear that this is not possible using IPF.

However, you can achieve something along these lines using jails. Put Firefox in a jail and make sure that there are no other programs in that jail that can access port 80. Then block all outgoing access to port 80, except from the jail ip.

It will be a little more complicated to start Firefox, e.g. "ssh -X jail.ip firefox" instead of "firefox".

Another effect is that Firefox will only have access to the jailed environment when you save data (or when it crashes or is a victim of the latest unpatched exploit).
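The ruleset half of the jail approach, as an added example that is not part of the thread: it assumes the host's outside interface is em0 and that the Firefox jail is bound to the constructed alias address 192.0.2.10 on that interface.

```conf
# /etc/ipf.rules fragment (added example, not from the thread).
# Assumed interface: em0. Constructed jail address: 192.0.2.10.
# ipf reads rules top to bottom and "quick" stops at the first match,
# so the pass rule for the jail must sit above the catch-all block.

# Only the jail's address may open outbound HTTP sessions; keep state so
# the replies come back without a separate inbound rule.
pass out quick on em0 proto tcp from 192.0.2.10/32 to any port = 80 flags S keep state

# Every other source on the host is refused port 80; log it so attempts
# from non-jailed programs show up in ipmon output.
block out log quick on em0 proto tcp from any to any port = 80

# Reload with:  ipf -Fa -f /etc/ipf.rules
# Verify with:  ipfstat -io
```

The match is on the source address, not on the program: anything on the host that can bind to the jail's alias would also pass, so keeping that address reserved for the jail is what makes the rule meaningful.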
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050619223845.0ae260b2.peder.blom>