Date: Mon, 11 Sep 2000 15:49:15 -0700
From: Alfred Perlstein <bright@wintelcom.net>
To: mi@aldan.algebra.com
Cc: Bill Moran <wmoran@columbus.rr.com>, stable@FreeBSD.ORG
Subject: Re: firewall rules for applications
Message-ID: <20000911154915.X12231@fw.wintelcom.net>
In-Reply-To: <200009112246.SAA27038@misha.privatelabs.com>; from mi@aldan.algebra.com on Mon, Sep 11, 2000 at 06:46:44PM -0400
References: <39BD5D43.9231594B@columbus.rr.com> <200009112246.SAA27038@misha.privatelabs.com>
* mi@aldan.algebra.com <mi@aldan.algebra.com> [000911 15:47] wrote:
> On 11 Sep, Bill Moran wrote:
> = mi@aldan.algebra.com wrote:
> = >
> = > I wonder how feasible it would be to implement firewall rules that
> = > would take into consideration the program (on the local machine)
> = > sending/receiving the packets. I know I can now base the rules on
> = > the user/group id, but I may want to go further.
> =
> = Technically, this is what ports are for. Port 80 is for http, 23 for
> = telnet, etc. In a better world, this would be all that's needed. But
> = ...
>
> Mmm, yes, but I may wish to block Communicator from reaching something
> that Lynx or Konqueror users are allowed to reach. Like "Smart
> Browsing".
>
> = > I just read a description of a Windows product that attempts to
> = > fight software offered by sneaky vendors that tries to contact the
> = > vendor over the Internet to send back the user's data. The blocking
> = > software, supposedly, blocks applications from accessing certain
> = > sites. This is not an immediate problem for FreeBSD, but...
> =
> = Why not prevent the user from installing the trojan to begin with
> = (that's basically what that is)?
>
> Because there may be a legitimate need for the software. Like
> Communicator, for example, or Doom/Quake :)
>
> = The best security will always be trained individuals who are paranoid.
>
> That's correct. And I'm trying to be one of those and think ahead to see
> the time when giant software packages will be available to me on
> FreeBSD, but I'll want to limit their network access.

UFS is getting ACLs. I don't know exactly what they will offer, but they
might include branding that allows one to match the ACLs against ipfw
rules.

-- 
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."
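The thread notes that ipfw can already match on user/group id but not on the program. The nearest practical substitute for per-program rules is to run the program under a dedicated unprivileged account and restrict that uid. The script below is an added example, not code from this thread or from FreeBSD; the account name "browser", the rule numbers and the host list are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: approximate per-application
# firewall rules with what ipfw already offers (uid matching) by running
# the application under a dedicated account and restricting that uid.
# Assumptions (hypothetical): an account "browser" exists, rule numbers
# from the chosen base upward are free, and ipfw is on PATH when applying.

# gen_uid_rules USER BASE HOSTS: print ipfw commands that let USER open
# outbound HTTP/HTTPS connections only to the space-separated HOSTS and
# log-then-drop every other new outbound connection from that uid.
# Printing instead of applying lets the ruleset be reviewed first.
gen_uid_rules() {
    user=$1; n=$2; hosts=$3
    for host in $hosts; do
        # "setup" matches only the SYN, so established flows need no extra rule
        echo "ipfw add $n allow tcp from me to $host 80,443 out setup uid $user"
        n=$((n + 1))
    done
    # Everything else this uid tries to open outbound is logged and denied.
    echo "ipfw add $n deny log tcp from me to any out setup uid $user"
    n=$((n + 1))
    echo "ipfw add $n deny log udp from me to any out uid $user"
}

# Constructed sample: a browser account allowed to reach two proxies only.
BROWSER_USER=browser
BROWSER_BASE=2000
BROWSER_HOSTS="10.0.0.5 10.0.0.6"

# "apply" pipes the rules into sh; anything else just shows them.
if [ "$1" = apply ]; then
    gen_uid_rules "$BROWSER_USER" "$BROWSER_BASE" "$BROWSER_HOSTS" | sh
else
    gen_uid_rules "$BROWSER_USER" "$BROWSER_BASE" "$BROWSER_HOSTS"
fi
```

Start the browser with `su browser -c ...` (or an equivalent uid switch) so its sockets carry the restricted uid; the deny rules log each blocked attempt, which is the signal the thread's "phone home" concern calls for.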