pf/ipfw: per-process(user?) restrictions

Hi guys!

Could anyone give me a hand of help on this case: I want to allow some process (by name) to connect only to address /some ip/ port /someport/, while having all the others' connections unrestricted. Could I achieve it somehow?

As I know, on iptables there is functionality to restrict networking for process per its owners' gid/uid. How is it even done and is there any way to do that on FreeBSD?
 
It can only be done with outbound connections (only then the uid is known).

For example ipfw:
Code:
ipfw add 2010 allow tcp from me to any 80 setup out via em0 uid nekoexmachina

Pf:
Code:
pass out on em0 proto tcp from me to any port 80 user nekoexmachina
 
pf can also do this on inbound connections where the uid/gid occupying an open port determines whether access is allowed. So you can tell pf that it should only allow incoming UDP connections when those are owned locally by a certain user, e.g.

Code:
pass  in quick inet proto udp all user rtorrent keep state
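To tie the two answers above back to the original question: neither pf nor ipfw matches on a process name, so the usual approach is to run the process under its own dedicated account and match on that uid. The ruleset below is an added example (not from any poster in this thread) showing pf.conf rules that confine one account's outbound traffic to a single destination while leaving every other user unrestricted. The account name svc_restricted, the destination 192.0.2.10 and port 8443 are placeholders; em0 is the interface used in the thread.

```pf
# Added example: restrict one local account's outbound traffic to a single
# host:port, leave all other users unrestricted.
# svc_restricted, 192.0.2.10 and 8443 are placeholders, not from the thread.
ext_if          = "em0"
allowed_host    = "192.0.2.10"      # placeholder destination address
allowed_port    = "8443"            # placeholder destination port
restricted_user = "svc_restricted"  # hypothetical account the process runs as

set skip on lo0

# pf is last-match-wins (no "quick" here), so read these rules bottom-up
# for any given packet.

# 1. Default: everyone may go anywhere outbound.
pass out on $ext_if all keep state

# 2. Narrow the restricted account: block everything it sends out ...
block out on $ext_if user $restricted_user

# 3. ... except TCP to the one permitted destination.
#    Note that "user" only matches TCP/UDP sockets owned locally, which is
#    why this works for outbound traffic; DNS for this account would also
#    be blocked by rule 2 unless you add a matching pass rule for it.
pass out on $ext_if proto tcp from ($ext_if) to $allowed_host \
    port $allowed_port user $restricted_user keep state
```

Check the syntax before loading it with `pfctl -nf /path/to/pf.conf` (the `-n` flag parses without loading), then load with `pfctl -f`. Because matching is by socket owner, the restriction only holds if the process really runs as that account; anything it launches as another user is not covered.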
 