Hi. I have a general question about the PF firewall. Is it possible to add a filter rule that evaluates an outgoing packet based on the process that is trying to send it? Is that something that it is capable of doing?
Yes, assuming the traffic originates from the host itself and is not forwarded traffic. It is limited to filtering by user and group ID of the process owning the socket though. In pf.conf(5) you use something like (example from the manual page):
Code:
block out proto { tcp, udp } all
pass out proto { tcp, udp } all user { < 1000, dhartmei }
You do realise that PIDs are not deterministic? In other words if you have a PID from a process now and you could use it in PF rules the PID will be invalid after a reboot with high probability because the processes may have started with different delays and slightly different inputs. The end result would be that your PF rules won't load.
Yes, I know that. I'm working on a commercial software project and one of the scenarios that we want to have happen is to block all internet traffic except for traffic from particular applications. So, what I was thinking I might do is create a rule to filter by PIDs and maybe store those PIDs in a table. The rule would be added and removed from PF at runtime and the table of PIDs would be maintained by our software.
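Since PF keys on the uid/gid that owns the socket rather than on a PID, the usual way to get "only these applications may reach the internet" is to give each allowed application its own dedicated user and pass only sockets owned by those users. The ruleset below is an added example written for this thread, not code from the posts above or from the pf.conf(5) manual; the interface name `em0` and the user names `appsync` and `appupdate` are assumptions you would replace with your own.

```pf
# /etc/pf.conf -- added example: block all locally originated traffic except
# sockets owned by the users dedicated to the allowed applications.

ext_if = "em0"                              # assumption: uplink interface
allowed_users = "{ appsync, appupdate }"    # assumption: one uid per allowed application

set skip on lo0                             # leave loopback alone

# Default deny for everything this host originates on the uplink.
# 'log' sends the blocked packets to pflog0 so you can see what got caught.
block out log on $ext_if all

# Only sockets owned by the dedicated users may open connections.
# PF associates the owning uid with the first packet of the connection;
# 'keep state' lets the rest of the connection (and the replies) through.
pass out quick on $ext_if proto { tcp, udp } from ($ext_if) \
    user $allowed_users keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, then start each allowed application under its user, for example `su -m appsync -c /usr/local/bin/appsync` (or `doas -u appsync ...`), and confirm with `tcpdump -n -e -ttt -i pflog0` that traffic from any other process is the only thing being logged. Two caveats a practitioner should keep in mind: the `user` match applies only to packets that belong to a socket on this host, so forwarded traffic and kernel-generated packets such as some ICMP carry no uid and fall through to `block out`; and because the default deny covers every other uid on the box, any daemon that also needs the network (time sync, package updates run as root, and so on) must get its own `pass out ... user` rule or it will silently stop working.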