PF firewall rule to restrict a user to access any outgoing traffic to port 80 and 443 in freeBSD
I am new to PF firewall and looking for a simple PF rule to execute on my freeBSD 11.3 box.
I have a user named student and would like him to not able to send traffic outside on port 80 and 443
I am still reading the book "The Book of PF" and reading more to learn the basic. But I would really appreciate if someone can help on how can I achieve this? TIA
I have a user named student and would like him to not able to send traffic outside on port 80 and 443
I am still reading the book "The Book of PF" and reading more to learn the basic. But I would really appreciate if someone can help on how can I achieve this? TIA
ASKER
Thanks for the explanation. I am wondering if there is way to block all the network outgoing generated by local machine but not the connection which was established by outside client.
basically, I do not want a user to use SSH SOCKS ( ssh -D <port> server ) while he is able to login to this server. so is there a way using firewall can I block SOCK or all locally generated outgoing http/tcp/udp connection
basically, I do not want a user to use SSH SOCKS ( ssh -D <port> server ) while he is able to login to this server. so is there a way using firewall can I block SOCK or all locally generated outgoing http/tcp/udp connection
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I don't think this is possible. PF looks at individual packets, which would not contain something for identifying something like a username.
You could however block the individual IP(assuming that this is a separate computer used by student). Or the reverse and only allow certain IPs past outbound on ports 80 and 443.
The book of PF is a great start, and definitely helped me out with setting up rules on my PfSense router at home. I've also linked the openbsd faq on PF.
https://www.openbsd.org/fa
EDIT: wanted to add this excerpt from a post I read on this matter: "The information that a packet filtering router has available to it doesn't allow you to specify some rules you might like to have. For example, packets say what host they come from, but generally not what user. Therefore, you can't enforce restrictions on particular users. Similarly, packets say what port they're going to, but not what application"http://web.deu.edu.tr/doc/
Hope this helps you out,
Devin Becker