Hi Luke, you can have rules to filter by user for both incoming and outgoing connections, see http://man.openbsd.org/OpenBSD-6.1/pf.conf.5#user
I don't think there's too much gain in adding support for this kinda thing in pledge but that's for the devs to decide. Regards, Florian Am 26. April 2017 10:09:18 MESZ schrieb Luke Small <lukensm...@gmail.com>: >Would it be a good idea to make a pledge like call that limits a >process >from connecting to ports and/or hosts? Maybe it could be done in way >that >the kernel is made aware of the limitations like in a pledge call and >while >the process is alive, the kernel spawns pf rules based upon the socket >ports that are created to connect to remote host ports. > >You could conceivably do things like limiting ntpd to predetermined >hosts >and port 123 and 53 on the respective processes involved. > >It would make processes that need the inet pledge permission merely to >use >libhiredis to connect to a Redis database more safe.