PF firewall rule to restrict a user from sending any outgoing traffic to ports 80 and 443 in FreeBSD
I am new to the PF firewall and am looking for a simple PF rule to execute on my FreeBSD 11.3 box.
I have a user named student and would like him not to be able to send traffic outside on ports 80 and 443.
I am still reading the book "The Book of PF" and reading more to learn the basics. But I would really appreciate it if someone can help on how I can achieve this. TIA
Tags: PFSense, FreeBSD
Last Comment: Devin Becker, 8/22/2022 - Mon
Devin Becker
Unfortunately, I don't think this is possible. PF looks at individual packets, which would not contain anything for identifying something like a username.
You could however block the individual IP (assuming that this is a separate computer used by student). Or the reverse, and only allow certain IPs past outbound on ports 80 and 443.
The Book of PF is a great start, and definitely helped me out with setting up rules on my pfSense router at home. I've also linked the OpenBSD FAQ on PF.
EDIT: wanted to add this excerpt from a post I read on this matter: "The information that a packet filtering router has available to it doesn't allow you to specify some rules you might like to have. For example, packets say what host they come from, but generally not what user. Therefore, you can't enforce restrictions on particular users. Similarly, packets say what port they're going to, but not what application." http://web.deu.edu.tr/doc/oreily/networking/firewall/ch06_01.htm
Hope this helps you out,
Devin Becker
Balbir Singh (ASKER)
Thanks for the explanation. I am wondering if there is a way to block all outgoing network traffic generated by the local machine but not the connections that were established by an outside client.
Basically, I do not want a user to use SSH SOCKS (ssh -D <port> server) while he is able to log in to this server. So is there a way, using the firewall, that I can block SOCKS or all locally generated outgoing HTTP/TCP/UDP connections?
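A pf.conf that covers both the answer's address-based suggestion and the follow-up question (refuse the connections the student's own processes open on this box, including the ones sshd opens on his behalf for ssh -D, without cutting sessions that outside clients established). This is an added example, not a ruleset posted in the thread; the interface name em0, the address 192.0.2.50 and the table entries are placeholders. It goes beyond the answer in one respect: pf.conf(5) on FreeBSD has a user option that matches packets belonging to sockets owned by a local uid, so on the host the student actually logs in to, a rule can name the user directly rather than an address.

```conf
# /etc/pf.conf for the FreeBSD 11.3 box the student logs in to.
# Added example, not from the thread. Assumed names: em0 is the outside
# interface; 192.0.2.50 and the table entries are placeholder addresses.
ext_if       = "em0"
web_ports    = "{ 80, 443 }"
student_host = "192.0.2.50"

set skip on lo0

# Stateful default-deny. Without "quick", the last matching rule wins,
# so the "quick" rules below are decided on first match.
block all

# (a) The answer's approach, for a separate student workstation routed
#     through this box: match its address, because a forwarded packet
#     carries no uid. (nat and the "pass in" on the inside interface
#     are not shown.)
block out quick on $ext_if proto tcp from $student_host to any port $web_ports
#     ... or the reverse, an allow-list: only these hosts get 80/443 out.
# table <web_allowed> { 192.0.2.10, 192.0.2.11 }
# pass out quick on $ext_if proto tcp from <web_allowed> to any port $web_ports

# (b) The asker's case: student has a shell on this box. The "user" option
#     in pf.conf(5) matches packets of sockets owned by that uid on this
#     host; it is checked on the packet that creates the state, so one
#     rule covers the whole connection. "return" makes his tools fail
#     fast (RST / ICMP unreachable) instead of hanging on a dropped SYN.
#     Optional: still let his processes resolve names.
# pass out quick on $ext_if proto udp from any to any port 53 user student keep state
block return out quick on $ext_if proto { tcp, udp } from any to any user student

# Everyone else on this host may connect out.
pass out on $ext_if proto { tcp, udp, icmp } from ($ext_if) to any keep state

# Inbound SSH. The state this rule creates also carries the server's
# replies, so the student's login session keeps working while the rule
# above refuses every new outbound connection made in his name,
# including the direct-tcpip connections sshd opens for "ssh -D".
pass in on $ext_if proto tcp from any to ($ext_if) port 22 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, enable PF with `pfctl -e` (and `pf_enable="YES"` in /etc/rc.conf to persist), then confirm with `pfctl -sr` and `pfctl -ss`. To test, log in as student over ssh -D from outside: the login itself works because its packets match the inbound state, but a fetch through the SOCKS port fails, since the post-authentication sshd process that opens the forwarded connection runs as that uid and its SYN hits the `user student` block. Two caveats a practitioner should keep in mind: the user option is a host-level control only, so on a router such as pfSense that merely forwards the student's packets there is no socket to look up, which is exactly what the excerpt quoted in the answer describes; and the forward can also be refused at the application layer with `AllowTcpForwarding no` inside a `Match User student` block in sshd_config, which is worth setting in addition to the PF rule.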