ipf: filter by program?

Peder Blom peder.blom at bredband.net
Sun Jun 19 20:38:48 GMT 2005


On Fri, 17 Jun 2005 14:35:54 +0100 (BST)
John Conner <johnc2kk at yahoo.co.uk> wrote:

> Hello all,
> 
> I was just wondering if it was possible to add program
> filtering into an IPF firewall? For example if traffic
> is allowed out on port 80 then it may only travel
> through this port if, for example, it is coming from
> firefox etc. It seems like a pretty useful feature but
> as of yet I have been unable to find any documentation
> that covers such a filtering rule. Any
> feedback/suggestions would be much appreciated,
> 

Other answers in this thread have made it clear that this is not possible
using IPF. However, you can achieve something along these lines using
jails.

Put Firefox in a jail and make sure that there are no other programs in
that jail that can access port 80. Then block all outgoing access to
port 80, except from the jail ip.

It will be a little more complicated to start Firefox, e.g. "ssh -X
jail.ip firefox" instead of "firefox". Another effect is that Firefox
will only have access to the jailed environment when you save data (or
when it crashes or is a victim of the latest unpatched exploit).
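The ruleset that the jail scheme above implies, as an added example that is not part of the thread: a small shell function that prints an IPF configuration allowing port 80 only from the jail's address and logging everything else. The interface name (em0) and the jail address (192.0.2.11) are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): generate the IPF ruleset for the jail
# scheme described above. The interface name and addresses are constructed
# placeholders; adjust them to the real host before loading.
#
# Usage:  ipf_rules 192.0.2.11 em0 > /etc/ipf.conf && ipf -Fa -f /etc/ipf.conf
#
# $1 = jail IP (an alias on the outside interface), $2 = outside interface.
# IPF evaluates rules top-down and "quick" stops at the first match, so the
# pass rule for the jail address must sit above the block rule.
ipf_rules() {
    jail_ip="$1"
    ifc="$2"
    cat <<EOF
# Loopback is left alone; "ssh -X jail.ip" from the host travels over lo0.
pass in quick on lo0 all
pass out quick on lo0 all
# Only the jail address may open connections to port 80. "flags S keep state"
# creates state on the SYN, so replies return without a separate inbound rule.
pass out quick on ${ifc} proto tcp from ${jail_ip}/32 to any port = 80 flags S keep state
# Any other local source trying to reach port 80 is blocked and logged; the
# logged source address shows which non-jail process attempted web traffic.
block out log quick on ${ifc} proto tcp from any to any port = 80
# Remaining outbound traffic from the host is allowed as before.
pass out quick on ${ifc} all keep state
# Inbound policy is left to the existing ruleset.
EOF
}
# Caveat: this keys on the source address, not on the program. A root process
# on the host that binds the jail's alias address would match the pass rule
# too, so the jail boundary, not IPF, is what keeps other programs off port 80.
```

Run `ipf -Fa -f /etc/ipf.conf` as root to flush the old rules and load these; the thread only discusses port 80, so port 443 is intentionally not covered here.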


