Can I use PF to filter traffic for a specific process?

[brant]

Hi. I have a general question about the PF firewall. Is it possible to add a filter rule that evaluates an outgoing packet based on the process that is trying to send it? Is that something that it is capable of doing?

 

[kpa]

Yes, assuming the traffic originates from the host itself and is not forwarded traffic. It is limited to filtering by user and group ID of the process owning the socket though. In pf.conf(5) you use something like (example from the manual page):

block out proto { tcp, udp } all
pass  out proto { tcp, udp } all user { < 1000, dhartmei }

 

[brant]

In this case, I really want to filter it by a specific PID, not by the user/group. And yes, I only cared about traffic that was originating locally.

Sounds like it does not have the feature I'm looking for.

 

[kpa]

You do realise that PIDs are not deterministic? In other words if you have a PID from a process now and you could use it in PF rules the PID will be invalid after a reboot with high probability because the processes may have started with different delays and slightly different inputs. The end result would be that your PF rules won't load.

 

[SirDice]

What exactly are you trying to prevent? There may be a better solution.

 

[brant]

You do realise that PIDs are not deterministic?

Yes, I know that. I'm working on a commercial software project and one of the scenarios that we want to have happen is to block all internet traffic except for traffic from particular applications. So, what I was thinking I might do is create a rule to filter by PIDs and maybe store those PIDs in a table. The rule would be added and removed from PF at runtime and the table of PIDs would be maintained by our software.

 

[hansivers]

Maybe you can limit your software to be started by a specific user, and allow only traffic to/from this user in your PF rules?