
PF firewall rule to restrict a user from sending any outgoing traffic to ports 80 and 443 in FreeBSD

Balbir Singh asked
I am new to the PF firewall and looking for a simple PF rule to execute on my FreeBSD 11.3 box.

I have a user named student and would like him not to be able to send traffic outside on ports 80 and 443.

I am still reading the book "The Book of PF" and reading more to learn the basics. But I would really appreciate it if someone can help on how I can achieve this. TIA

Devin Becker, Identity Management and Security
Distinguished Expert 2018

I don't think this is possible. PF looks at individual packets, which do not contain anything that identifies something like a username.

You could, however, block the individual IP (assuming that this is a separate computer used by student). Or do the reverse, and only allow certain IPs outbound on ports 80 and 443.

The Book of PF is a great start, and definitely helped me out with setting up rules on my pfSense router at home. I've also linked the OpenBSD FAQ on PF.


EDIT: wanted to add this excerpt from a post I read on this matter: "The information that a packet filtering router has available to it doesn't allow you to specify some rules you might like to have. For example, packets say what host they come from, but generally not what user. Therefore, you can't enforce restrictions on particular users. Similarly, packets say what port they're going to, but not what application." http://web.deu.edu.tr/doc/oreily/networking/firewall/ch06_01.htm

Hope this helps you out,

Devin Becker
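As an added example, not part of the answer above: PF on FreeBSD (11.3 included) does have `user` and `group` rule options that match on the owner of a local socket, so the original question can be answered directly as long as the traffic originates on the PF host itself. That is exactly the limit the quoted O'Reilly text describes: a router that merely forwards packets for other machines never sees a username, so `user` is useless there, but on the box student logs in to it works. This is a constructed pf.conf fragment; the interface name em0 is an assumption.

```pf
# Constructed example for /etc/pf.conf on the FreeBSD box that student logs in to.
# Assumption: em0 is the interface that reaches the outside world.
ext_if    = "em0"
web_ports = "{ 80, 443 }"

# Never filter loopback traffic.
set skip on lo0

# Keep today's behaviour for everyone else: allow everything, statefully.
pass all

# Refuse new outbound web connections whose local socket is owned by student.
# - 'user' only applies to TCP and UDP sockets that exist on this host; pf
#   cannot tell which user sits behind packets this box forwards for others.
# - pf decides on the packet that creates state (the SYN); later packets of an
#   already-allowed flow match the state entry and are not re-checked.
# - 'udp' is included so QUIC/HTTP3 on 443 is covered as well as plain TCP.
# - 'return' answers with a TCP RST (ICMP unreachable for UDP), so student gets
#   "Connection refused" immediately instead of a hanging connect.
# - 'quick' stops evaluation here, otherwise last-match would let 'pass all' win.
block return out quick on $ext_if proto { tcp udp } from any to any port $web_ports user student
```

Check the syntax with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and confirm the rule is in place with `pfctl -sr`; `pf_enable="YES"` in /etc/rc.conf keeps it across reboots. Test from a shell as student with `fetch -o /dev/null http://example.com/` (refused) and as another user (works). Note that the match is on the effective UID of the socket owner: anything student can run as another user, for example via sudo, is outside this rule, so keep sudo rights minimal.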
Balbir Singh, System Administrator

Thanks for the explanation. I am wondering if there is a way to block all outgoing network traffic generated by the local machine, but not connections that were established by an outside client.

Basically, I do not want a user to use SSH SOCKS (ssh -D <port> server) while he is able to log in to this server. So is there a way, using the firewall, that I can block SOCKS, or all locally generated outgoing HTTP/TCP/UDP connections?
Devin Becker, Identity Management and Security
Distinguished Expert 2018
If I am understanding you right, you would like a connection from the outside to be able to send and receive packets from a host (i.e. using SSH or another protocol) that is inside the network, but not be able to establish the same connection from that host inside the network going out?

Normally this is the other way around. For example: if you have a rule that says block all incoming traffic, but then you establish a connection from INSIDE the network going out (i.e. connecting to e-e.com), it will allow the packets from e-e.com to come back IN to the network, since the connection was established from IN the network.

Another option would be to implement something like a captive portal with web sign-in. This would allow you to control traffic on a per-user basis. I don't know all the rules that apply to it, but I know you could make the timeout for certain users or groups of users longer (i.e. 365 days) so that you don't have to authenticate to the network every time you connect. If this interests you, "NoCatSplash" is a popular captive portal solution on FreeBSD.
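As an added example that is not part of the thread above: the "reverse" case the question asks for is expressible because PF is stateful. An inbound connection accepted by a `pass in` rule creates a state entry, and the reply packets of that session match the state rather than any rule, so a blanket `block out` never touches them; only newly originated outbound connections are evaluated against the outbound rules, where the socket owner can be checked. This is a constructed pf.conf; em0 is an assumption, as is the claim that the privilege-separated sshd runs student's session process under student's UID (so that the connections sshd opens for an `ssh -D` tunnel are attributed to student by `user`).

```pf
# Constructed example for /etc/pf.conf on the FreeBSD 11.3 host students log in to.
# Assumption: em0 faces the outside world.
ext_if = "em0"

set skip on lo0

# Default deny in both directions; everything below is an exception.
block all

# Inbound SSH from anywhere to this host's own address. 'keep state' (the
# default in current pf, written out for clarity) records the session, so its
# reply traffic leaves through the state entry and needs no 'pass out' rule.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 flags S/SA keep state

# Connections that originate on this host, in order of precedence:
# 1. student may not open anything outbound, TCP or UDP. Because the match is
#    on the socket owner, this covers 'ssh -D 1080 somehost' run from a shell
#    on this box, and (assumption: sshd runs student's session process as
#    student) the direct-tcpip connections sshd opens when student runs
#    'ssh -D 1080 thisbox' from outside and uses the tunnel.
block return out quick on $ext_if proto { tcp udp } user student

# 2. everyone else may go out; replies come back via state.
pass out on $ext_if proto { tcp udp icmp } keep state
```

After `pfctl -nf /etc/pf.conf` and `pfctl -f /etc/pf.conf`, log in as student from outside, run `ssh -D 1080 student@thisbox`, and try `curl --socks5 localhost:1080 http://example.com/` on the client: the SOCKS connection is refused because the outbound socket on the FreeBSD box belongs to student, while the SSH session itself keeps working. `pfctl -ss` shows the surviving state for port 22, and `pfctl -vsr` shows the block rule's counters climbing. As in the previous example, `user` sees only sockets on this host; traffic the box forwards for other machines cannot be attributed to a user, and anything student can run as a different UID escapes the rule.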