From: Mike Silbersack (silbysilby.com)
Date: Sun Dec 02 2001 - 22:53:58 CST

    On Sun, 25 Nov 2001, Ian Smith wrote:

    > On Sat, 24 Nov 2001, Brett Glass wrote:
    >
    > > FreeBSD doesn't have per-application control of ports and sockets,
    > > which is what ZoneAlarm *tries* to provide. It'd be nice to add this
    > > as built-in feature, either in the base OS or in ipfw.
    >
    > Yeah, Windows security 'features' for FreeBSD, just what we lack! :)
    >
    > Can't you do 'per-app' stuff in ipfw with users and/or groups? Frankly
    > I'm more contented relying on having port access control in rc.firewall.
    >
    > Cheers, Ian

    I guess it's a bit late to jump in here, but I'd like to throw in a bit of
    information.

    While ipfw does allow you to filter by uid/gid, that feature falls short
    of the goal of filtering an app. Right now, sockets maintain the uid of
    the process that spawned them. Hence, apache worker threads still would
    be filtered as uid 0, even though they've changed credentials and are
    running as uid 80 (or nobody, or whatever you set it to.)

    If merged in with some nifty ACL system which propagated rights through
    forks, per-app firewalling _could_ be an awesome security feature - you
    could restrict bind to doing connections to port 53 only, you could
    restrict httpd to port 80, etc. This is, of course, only one small part
    of the ideal secure system, and wouldn't make a huge impact and many other
    features are present (many of which are being worked on by Robert Watson
    & associates.)

    In any case, don't knock the idea; if someone had the time to implement
    solid app-level firewalling, I'm sure it could be put to good use.

    Mike "Silby" Silbersack
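
What Silby's point looks like in an actual ruleset. The script below is an added example, not code from the thread or from FreeBSD; it assumes an ipfw that understands the uid/gid rule options, a named running as user "bind" and an httpd whose workers run as user "www". Rule numbers and both user names are assumptions. Without APPLY=1 it only prints the rules it would load, so it can be read (and run) on a non-FreeBSD box.

```shell
#!/bin/sh
# Added example (not from the original post). Emits an ipfw ruleset that uses
# the uid option to tie name-server and web-server traffic to their users, and
# marks the place where uid filtering cannot help: a socket keeps the credential
# of the process that created it, so httpd's listening socket on :80, created
# as root before privileges are dropped, still matches uid 0, not uid www.
#
# Assumed: users "bind" and "www" exist, rule numbers 100-65000 are free.
# APPLY=1 loads the rules with ipfw (needs root); otherwise they are printed.

emit() {
    if [ "${APPLY:-0}" = 1 ]; then
        ipfw -q add "$@"
    else
        printf 'ipfw add %s\n' "$*"
    fi
}

per_user_rules() {
    # Dynamic rules created by keep-state below are matched here.
    emit 100 check-state

    # named: sockets are created after it switches to uid bind, so the uid
    # option sees uid bind on queries it sends out. Lock it to port 53.
    emit 1000 allow udp from me to any 53 uid bind keep-state
    emit 1010 allow tcp from me to any 53 uid bind setup keep-state

    # httpd workers: a socket a worker opens itself (after setuid to www)
    # carries uid www, so outbound connections can be pinned to that user.
    emit 2000 allow tcp from me to any 80 uid www setup keep-state

    # Caveat from the thread: the listening socket on :80 was created by the
    # root parent, and traffic on it is filtered as uid 0 even though the
    # workers run as www. 'uid www' would silently drop every client, so the
    # inbound side has to be matched on the port, not on the user.
    emit 2010 allow tcp from any to me 80 setup keep-state

    # Everything else is refused and logged.
    emit 65000 deny log ip from any to any
}

per_user_rules
```

With the default deny in place, a rule like `allow tcp from any to me 80 uid www` is the mistake to watch for: it looks like it restricts the web server to its own user, but because the listen socket is root's it matches nothing, and the site goes dark rather than getting safer.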
