Hi @misc,
I have a question about pf and its ability to filter packets by
process group: is it a reasonable practice to use setgid to add some
rules that allow only specific programs to use some services? For
example, only permit the ftp command and firefox to use HTTP and HTTPS
services?
If I create a separate group for each program I want to allow, is there
any additional risk induced by the use of setgid? Also, can this
practice be helpful by adding a supplementary layer of protection, or
is it useless?
$ ls -l /usr/bin/ftp
-r-xr-sr-x 1 root ftpcmd 151168 Jul 26 2016 /usr/bin/ftp
$ grep ftpcmd /etc/pf.conf
pass out on if proto tcp from (if:0) to any port { 80,443 } group ftpcmd
Kind regards,
Jérôme FRGACIC
PS: I am not subscribed to this list, so please add me as a recipient if you
reply.
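One way to turn the idea in the question into a complete outbound policy, as an added example that is not part of the original message. It assumes the external interface is em0 and that two setgid groups, ftpcmd and webcmd, have been created for the programs to be allowed; adjust both to the real host.

```conf
# Added example (not from the original message): a pf.conf fragment
# that applies the "one setgid group per allowed program" idea.
# Assumptions: external interface em0; setgid groups ftpcmd (for ftp)
# and webcmd (for firefox); the host runs its own DNS resolution.
ext_if = "em0"

set skip on lo0

# Default deny for locally generated traffic. "return" gives the blocked
# process an immediate error instead of a hanging connect(); "log"
# records the attempt on pflog0 so a missing rule is easy to spot.
block return out log on $ext_if

# Name resolution is done inside the calling process by the libc
# resolver, so the group check applies to DNS packets too. Without this
# rule the allowed programs could only connect by IP address.
pass out on $ext_if proto { tcp udp } from ($ext_if:0) to any port 53 group { ftpcmd webcmd }

# Only sockets whose owning process has effective group ftpcmd or
# webcmd may talk HTTP/HTTPS. pf takes the gid from the local socket,
# so "group" only ever matches TCP and UDP; anything else falls
# through to the block rule above.
pass out on $ext_if proto tcp from ($ext_if:0) to any port { 80 443 } group { ftpcmd webcmd }
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and watch `tcpdump -n -e -ttt -i pflog0` while running the allowed program to see what still hits the block rule. The binary side is `chgrp ftpcmd /usr/bin/ftp && chmod 2555 /usr/bin/ftp`, which produces the `-r-xr-sr-x` mode shown in the question. Two points to keep in mind: the match is on the effective gid of the socket owner, so any child process the setgid program spawns inherits that gid and the same network access; and a rule with `group` never matches protocols other than TCP and UDP, so ICMP or other traffic needs its own rule if the program relies on it.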