Re: ipfw uid/gid to match listening TCP sockets?
On Tue, 8 Apr 2008, Yar Tikhiy wrote:

Be aware that uid/gid/jail rules may become less maintainable as our TCP locking becomes more mature. We already jump through some uncomfortable hoops to keep it working, but I'm not sure how long that can go on.

I've always viewed uid/gid rules as a hack that works for now. In the long run we may want to consider an API allowing privileged apps to punch holes in the firewall in a controllable manner. Of course, the API should be agnostic of the particular firewall type. Then, e.g., ftpd(8) would be able to open its current passive data port only and to a single remote IP, and the whole port range wouldn't need to be exposed. Such holes could be handled as dynamic rules/states so that they don't stay there forever if the app crashes.

Once open sourced, we may want to take a look at Apple's new application level firewall parts, which as I understand it are based (at least in part) on our MAC Framework. It allows you to bind network rights to specific applications, although I'm not sure how they accomplish the binding -- be it via labels on executables, or pattern matching on binary names, or what exactly.

Robert N M Watson
Computer Laboratory
University of Cambridge
_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"