Date: Tue, 8 Apr 2008 15:06:56 +0100 (BST)
From: Robert Watson <rwatson@FreeBSD.org>
To: Yar Tikhiy <yar@comp.chem.msu.su>
Cc: freebsd-net@freebsd.org, luigi@freebsd.org, oleg@freebsd.org
Subject: Re: ipfw uid/gid to match listening TCP sockets?
Message-ID: <20080408150533.Y10870@fledge.watson.org>
In-Reply-To: <fbaf9b70804080543wf85de53hfe0f056a33f9e419@mail.gmail.com>
References: <20080407081400.GA78448@dg.local> <20080408121535.D10870@fledge.watson.org> <fbaf9b70804080543wf85de53hfe0f056a33f9e419@mail.gmail.com>
On Tue, 8 Apr 2008, Yar Tikhiy wrote:

>> Be aware that uid/gid/jail rules may become less maintainable as our TCP
>> locking becomes more mature. We already jump through some uncomfortable
>> hoops to keep it working, but I'm not sure how long that can go on.
>
> I've always viewed uid/gid rules as a hack that works for now. In the long
> run we may want to consider an API allowing privileged apps to punch holes
> in the firewall in a controllable manner. Of course, the API should be
> agnostic of the particular firewall type. Then, e.g., ftpd(8) would be able
> to open its current passive data port only and to a single remote IP, and
> the whole port range wouldn't need to be exposed. Such holes could be
> handled as dynamic rules/states so that they don't stay there forever if the
> app crashes.

Once open sourced, we may want to take a look at Apple's new application level firewall parts, which as I understand it are based (at least in part) on our MAC Framework. It allows you to bind network rights to specific applications, although I'm not sure how they accomplish the binding -- be it via labels on executables, or pattern matching on binary names, or what exactly.

Robert N M Watson
Computer Laboratory
University of Cambridge
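As an added sketch (not code from this thread or from FreeBSD) of the firewall-agnostic hole-punching API Yar describes: a broker that accepts a request from a privileged app for one local port and one remote host, renders it through a pluggable backend, and expires the hole after a bounded lifetime so it does not outlive a crashed app. The `HoleBroker` and `render_ipfw` names, the TTL cap and the ipfw-style rule text are assumptions made for the illustration.

```python
"""Sketch of a firewall-agnostic, self-expiring hole-punching broker."""
import ipaddress
import time
from dataclasses import dataclass


@dataclass
class Hole:
    owner_pid: int
    local_port: int
    remote_ip: str
    expires_at: float


class HoleBroker:
    """Tracks narrowly scoped, time-limited TCP holes opened by privileged apps.

    The backend is a render function so the broker itself is not tied to ipfw,
    pf or any other firewall; render_ipfw below is one assumed backend.
    """
    MAX_TTL = 300.0  # seconds; a hole never outlives this even if the app dies

    def __init__(self, render):
        self.render = render
        self.holes = {}
        self._next_id = 1

    def open_hole(self, pid, local_port, remote_ip, ttl, now=None):
        # One port, one remote host, bounded lifetime: no port range is exposed.
        if not 1 <= int(local_port) <= 65535:
            raise ValueError("local_port out of range")
        ipaddress.ip_address(remote_ip)  # rejects networks, ranges, garbage
        ttl = min(float(ttl), self.MAX_TTL)
        now = time.time() if now is None else now
        hid, self._next_id = self._next_id, self._next_id + 1
        self.holes[hid] = Hole(pid, int(local_port), remote_ip, now + ttl)
        return hid, self.render(self.holes[hid])

    def close_hole(self, hid):
        """Explicit close by the app; returns False if already gone."""
        return self.holes.pop(hid, None) is not None

    def expire(self, now):
        """Drop holes whose TTL has passed; returns how many were removed."""
        stale = [h for h, hole in self.holes.items() if hole.expires_at <= now]
        for h in stale:
            del self.holes[h]
        return len(stale)


def render_ipfw(hole):
    # Assumed ipfw-style backend: only this remote host may set up a
    # connection to the one data port, tracked as dynamic state.
    return f"allow tcp from {hole.remote_ip} to me {hole.local_port} setup keep-state"
```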