PF Restrict user account via pf

Hello,

I have a problem and we have asked a more experienced administrator to look at our system (third party).

To do this, we will create a new non-admin user account to start with.

I remember reading a while ago that it was possible to use the PF firewall to make sure that this user cannot use the system to send information.

For example, if this user installs some app that will make a spam mail server, this should not be possible.

Could anyone point me in the right direction for such a thing please?

Thank you.
 
Hi everyone,

So I managed to come up with the following:
Code:
pass out on $ext_if proto tcp to port 22 user baduser tag tag_baduser        # allow baduser ssh access (rule leaves a sticky tag on the packet)
pass out on $ext_if proto udp to port domain user baduser tag tag_baduser    # allow baduser to query DNS
block out quick on $ext_if user baduser ! tagged tag_baduser                # block everything else from baduser (any protocol, not only tcp) that hasn't got a tag_baduser tag
Could anyone please tell me if I am going toward the right direction?

To add a layer of difficulty, my 'baduser' exists inside my DB ezjail. Will pf recognize it?

Any help here will be appreciated :)

Fred
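A fuller pf.conf fragment for the same goal, added here as an example and not taken from Fred's post or from the ezjail/pf projects. It assumes the external interface is em0 and the restricted account has uid 1050; it uses `quick` ordering instead of tags, matches the uid numerically (pfctl resolves `user` names against the host's passwd file when the ruleset is loaded, not the jail's), and refuses everything else from that uid on every protocol.

```pf
# Added example: confine one uid to ssh and DNS on a FreeBSD host running pf.
# Assumptions: external interface em0, restricted account uid 1050 (numeric on purpose:
# a user that exists only inside a jail's /etc/passwd cannot be resolved by pfctl on the host).
ext_if         = "em0"
restricted_uid = "1050"

# `user` matches on the local socket owner, so it only works for traffic generated on this
# kernel: the host itself and non-VNET jails, which share the host's network stack.
# A VNET jail has its own stack, so its packets reach the host without socket information.

# What the restricted uid may initiate (pass rules keep state by default on FreeBSD pf).
pass out quick on $ext_if proto tcp to port 22 user $restricted_uid    # ssh
pass out quick on $ext_if proto { tcp, udp } to port 53 user $restricted_uid   # DNS

# Everything else from that uid, any protocol (so a rogue SMTP sender on port 25 is covered),
# is refused with a reset/unreachable so the program fails at once instead of hanging,
# and the attempt is logged to pflog0 for review.
block return out log quick on $ext_if user $restricted_uid
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and enable `pflog_enable="YES"` in rc.conf so the logged blocks can be read with `tcpdump -n -e -ttt -i pflog0`.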
 
PF is a firewall/packet filter. It has absolutely no notion of user accounts. It can only find the userID of applications that are running on the same system. And as there's nothing receiving the data (only passing through) there's no sending or receiving application to get the user from.
 
I hope you are not in the IT business, because this post will basically disqualify you from getting any job in that field.
 