On Sun, Mar 12, 2017 at 07:13:08PM +0100, Jérôme FRGACIC wrote:
> Hi @misc,
>
> I have a question about pf and its possibility to filter packets by process
> group: is it a reasonable practice to use setgid for add some rules that
> allow only specific programs to use some services? For example, only permit
> the ftp command and firefox to use HTTP and HTTPS services?
>
> If I create a separate group for each program I want to allow, is there any
> additional risk induce by the use of the setgid? Also, does this practise
> can be helpful by adding a supplementary layer of protection or is it
> useless?
>
> $ ls -l /usr/bin/ftp
> -r-xr-sr-x 1 root ftpcmd 151168 Jul 26 2016 /usr/bin/ftp
> $ grep ftpcmd /etc/pf.conf
> pass out on if proto tcp from (if:0) to any port { 80,443 } group ftpcmd
>
> Kind regards,
>
>
> Jérôme FRGACIC
Your problem is already solved - it is called 'proxy' :)
j.
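The setup in the quoted question (a setgid binary plus a pf rule with the `group` keyword) only does what the author hopes if exactly one binary carries that group: pf matches `group` against the effective group of the process that owns the socket, and the setgid bit is what gives the process that effective group. The script below is an added example, not code from the thread or from OpenBSD: it cross-checks a pf.conf excerpt against an `ls -l` listing and reports, for every group a rule names, how many setgid binaries carry it. Zero means the rule can never match; more than one means the rule is wider than its name suggests. The rule lines (with `egress` as the interface and a hypothetical `browser` group) and the directory listing are constructed inline so the check runs offline; on a real host you would feed it `grep group /etc/pf.conf` and `ls -l` of the relevant directories instead.

```shell
#!/bin/sh
# Added example (not from the original thread): audit pf 'group' rules against
# setgid binaries. All input below is constructed so the script runs offline.

# Constructed pf.conf excerpt. Only the ftpcmd line mirrors the original post;
# the 'browser' group and the 'egress' interface are hypothetical.
PF_RULES='pass out on egress proto tcp from (egress:0) to any port { 80,443 } group ftpcmd
pass out on egress proto tcp from (egress:0) to any port { 80,443 } group browser
block out on egress proto tcp from (egress:0) to any port 25 group ftpcmd'

# Constructed `ls -l` output: mode, links, owner, group, size, date, path.
LS_OUT='-r-xr-sr-x 1 root ftpcmd 151168 Jul 26 2016 /usr/bin/ftp
-r-xr-xr-x 1 root bin    123456 Jul 26 2016 /usr/bin/nc
-r-xr-sr-x 1 root ftpcmd  98765 Jul 26 2016 /usr/local/bin/curl'

# pf_groups RULES: print each distinct group named after a 'group' keyword.
pf_groups() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "group") print $(i + 1) }' |
        sort -u
}

# setgid_bins_for LISTING GROUP: print paths whose mode string has the setgid
# bit set (an 's' or 'S' in the group-execute slot, character 7 of the mode)
# and whose group field equals GROUP.
setgid_bins_for() {
    printf '%s\n' "$1" |
        awk -v grp="$2" 'substr($1, 7, 1) ~ /[sS]/ && $4 == grp { print $NF }'
}

# audit RULES LISTING: one line per group referenced by the rules, with the
# number of setgid binaries that carry that group. 0 means the rule is dead;
# more than 1 means the rule covers more programs than its name implies.
audit() {
    for g in $(pf_groups "$1"); do
        # awk END{print NR} instead of grep -c so an empty list still exits 0
        n=$(setgid_bins_for "$2" "$g" | awk 'END { print NR }')
        printf '%s %s\n' "$g" "$n"
    done
}

# Stand-alone run over the constructed input.
audit "$PF_RULES" "$LS_OUT"
```

With the constructed data the audit prints `browser 0` (a rule that can never match, since nothing is setgid browser) and `ftpcmd 2` (both ftp and a second binary would be allowed out on 80/443). The mode-string test is only as good as the listing you give it, so run `ls -l` over every directory on the PATH of the users concerned rather than a single file.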