Balbir Singh

asked on

PF firewall rule to restrict a user from sending any outgoing traffic to ports 80 and 443 in FreeBSD

I am new to the PF firewall and looking for a simple PF rule to execute on my FreeBSD 11.3 box.

I have a user named student and would like him not to be able to send traffic outside on ports 80 and 443.

I am still reading the book "The Book of PF" and reading more to learn the basics. But I would really appreciate it if someone could help with how I can achieve this. TIA
Devin Becker

Unfortunately,

I don't think this is possible. PF looks at individual packets, which would not contain anything for identifying something like a username.

You could, however, block the individual IP (assuming that this is a separate computer used by student). Or the reverse, and only allow certain IPs past outbound on ports 80 and 443.

The Book of PF is a great start, and definitely helped me out with setting up rules on my pfSense router at home. I've also linked the OpenBSD FAQ on PF.

https://www.openbsd.org/faq/pf/filter.html

EDIT: I wanted to add this excerpt from a post I read on this matter: "The information that a packet filtering router has available to it doesn't allow you to specify some rules you might like to have. For example, packets say what host they come from, but generally not what user. Therefore, you can't enforce restrictions on particular users. Similarly, packets say what port they're going to, but not what application." http://web.deu.edu.tr/doc/oreily/networking/firewall/ch06_01.htm

Hope this helps you out,

Devin Becker
Balbir Singh (ASKER)

Thanks for the explanation. I am wondering if there is a way to block all the outgoing network traffic generated by the local machine, but not the connections that were established by an outside client.

Basically, I do not want a user to use SSH SOCKS ( ssh -D <port> server ) while he is able to log in to this server. So is there a way, using the firewall, that I can block SOCKS or all locally generated outgoing HTTP/TCP/UDP connections?
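As an added example (not from the thread or from its accepted answer), here is a pf.conf fragment for the two things asked about above: restricting what the local account student may open outbound, using PF's `user` option, which pf.conf(5) documents as matching packets from sockets owned by a local user on the firewall host itself, and blocking locally originated connections while still passing the replies of sessions an outside client opened. The interface name em0 and the account name student are assumptions.

```pf
# Added example pf.conf fragment for FreeBSD 11.3; not from the original thread.
# Assumptions: the outside interface is em0 and the local login account
# to restrict is "student" (both are placeholders for the real values).
ext_if = "em0"
web_ports = "{ 80, 443 }"

# Stateful pass for the inbound SSH service: replies to a session that an
# outside client opened match this state entry, so they are not affected
# by the outbound blocks below.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 keep state

# Block HTTP/HTTPS connections that the "student" account opens on this host.
# "user" matches the owner of the local socket, so it only works for traffic
# that originates on this machine, never for forwarded traffic.
block out quick log on $ext_if proto tcp from ($ext_if) to any port $web_ports user student

# Stricter variant: block every TCP/UDP connection student originates here.
# This also covers "ssh -D <port> server", whose outbound leg is an SSH
# connection to port 22, not to 80 or 443.
block out quick log on $ext_if proto { tcp, udp } from ($ext_if) to any user student

# Other locally originated traffic (other users, system services) is allowed.
pass out on $ext_if proto { tcp, udp, icmp } from ($ext_if) to any keep state
```

The `log` keyword sends matches to pflog0, which on FreeBSD needs `pflog_enable="YES"` in rc.conf; `tcpdump -n -e -ttt -i pflog0` then shows which blocked attempts student made.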
ASKER CERTIFIED SOLUTION

Devin Becker
