# pf/ipfw: per-process(user?) restrictions

## nekoexmachina (Feb 6, 2012)

Hi guys!

Could anyone give me a hand of help on this case: I want to allow some process (by name) to connect only to address /some ip/ port /someport/, while having all the other connections unrestricted. Could I achieve it somehow?

As far as I know, on iptables there is functionality to restrict networking for a process per its owner's gid/uid. How is it even done and is there any way to do that on FreeBSD?


----------



## frijsdijk (Feb 6, 2012)

It can only be done with outbound connections (only then the uid is known).

For example ipfw:

```
ipfw add 2010 allow tcp from me to any 80 setup out via em0 uid nekoexmachina
```

Pf:

```
pass out on em0 proto tcp from me to any port 80 user nekoexmachina
```
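Putting the two ideas together for the original question, as an added pf.conf fragment that is not from this thread: the process is started as a dedicated user (pf matches the uid owning the socket, not a process name), that user may reach only one destination, and everyone else is left unrestricted. `em0`, `192.0.2.10` and port `443` are placeholders.

```pf
# Added example, not from the thread. Interface, host and port are placeholders.
ext_if          = "em0"
restricted_user = "nekoexmachina"   # run the restricted process as this user
allowed_dst     = "192.0.2.10"
allowed_port    = "443"

# Default for everything that no "quick" rule below claims: unrestricted egress.
pass out on $ext_if keep state

# The restricted user may only open TCP connections to the one allowed ip:port.
# "quick" stops evaluation here, so the block rule below never sees this traffic.
pass out quick on $ext_if proto tcp from ($ext_if) to $allowed_dst \
    port $allowed_port user $restricted_user keep state

# Every other outbound packet from sockets owned by that user is refused.
# "return" sends RST/ICMP unreachable so the process fails fast instead of hanging.
block return out quick on $ext_if user $restricted_user
```

Order matters: the `pass out quick` for the allowed destination must come before the `block ... quick`, and `pfctl -nf /etc/pf.conf` parses the file without loading it so the rule set can be checked first.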


----------



## DutchDaemon (Feb 6, 2012)

pf can also do this on inbound connections where the uid/gid occupying an open port determines whether access is allowed. So you can tell pf that it should only allow incoming UDP connections when those are owned locally by a certain user, e.g.


```
pass in quick inet proto udp all user rtorrent keep state
```


----------

