On Sun, Feb 24, 2019 at 09:09:06AM +0100, Denis Fondras wrote:
> On Sun, Feb 24, 2019 at 01:43:08PM +0700, Frank Beuth wrote:
> > Is it possible to restrict network access on a per-user or per-application
> > (rather than per-port) basis?
> >
> > pf does not seem to have any capability to do this; maybe I missed something.
>
> Don't know what you are aiming to do, but pf rules have a "user" keyword.


Example: start an SSH tunnel with a SOCKS listener on localhost:8080, then ensure all outgoing application traffic uses the SSH tunnel instead of the shady public WiFi network I am connected to.

In this case, it looks like that can be done by creating a user `sshtunnel`, starting the SSH tunnel as that user, and then using the pf rule to block all egress traffic which is not either to localhost or from user `sshtunnel`.

Does that make sense?
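The ruleset sketched above, written out as an added example pf.conf (this is not from the thread and not part of any project; it assumes the egress interface is em0, the tunnel runs as the unprivileged user "sshtunnel", the SOCKS listener is on 127.0.0.1:8080, and the SSH server is 192.0.2.10 on port 22, a documentation address to be replaced with your own):

```pf
# Added example /etc/pf.conf for "only the SSH tunnel may leave the box".
# Assumptions (edit to taste): ext_if=em0, tunnel user "sshtunnel",
# SSH server 192.0.2.10:22 (documentation address, not a real host).

ext_if     = "em0"
tunnel_usr = "sshtunnel"
ssh_server = "192.0.2.10"
ssh_port   = "22"

# Loopback is left unfiltered, so any application can still reach the
# SOCKS listener on 127.0.0.1:8080 and other purely local services.
set skip on lo

# Default deny.  Using "block return" for outbound traffic on the WiFi
# interface makes non-tunnelled applications fail immediately (RST /
# ICMP unreachable) instead of hanging on a silently dropped packet.
block drop all
block return out log on $ext_if all

# The only packets permitted out of the external interface are the
# tunnel's own SSH session.  "user" matches the effective UID of the
# local socket that produced the packet (TCP/UDP only), so a process
# running under any other account cannot use this rule.  "quick" stops
# evaluation so the block rule above can never override it.  The
# stateful pass lets the server's replies back in automatically.
pass out quick on $ext_if proto tcp from ($ext_if) to $ssh_server port $ssh_port user $tunnel_usr

# Uncomment only if ssh is started with a hostname and must resolve it
# before the tunnel exists.  Everything else still gets no DNS on the
# WiFi and must resolve remotely through SOCKS (e.g. a socks5h:// proxy
# setting) so queries do not leak.
#pass out quick on $ext_if proto udp from ($ext_if) to port 53 user $tunnel_usr
```

Start the tunnel under that account, for example `doas -u sshtunnel ssh -N -D 127.0.0.1:8080 user@192.0.2.10`, and point the applications at the SOCKS proxy on 127.0.0.1:8080. Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and watch what is being blocked with `tcpdump -n -e -ttt -i pflog0` (the `log` keyword on the block rule feeds pflog0). Two caveats: the `user` match only applies to TCP and UDP packets that originate from a local socket, so non-socket traffic such as ICMP from the tunnel user is still blocked, and whatever the interface needs to keep its DHCP lease alive should be tested on the actual machine after the ruleset is loaded.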
