On 2019-02-24, Frank Beuth <secli...@boxdan.com> wrote:
> On Sun, Feb 24, 2019 at 09:09:06AM +0100, Denis Fondras wrote:
>>On Sun, Feb 24, 2019 at 01:43:08PM +0700, Frank Beuth wrote:
>>> Is it possible to restrict network access on a per-user or per-application
>>> (rather than per-port) basis?
>>>
>>> pf does not seem to have any capability to do this, maybe I missed
>>> something.
>>>
>>
>>Don't know what you are aiming to do but pf rules have a "user" keyword.
>>
>
> Example: start an SSH tunnel with a SOCKS listener on localhost:8080, then
> ensure all outgoing application traffic uses the SSH tunnel instead of the
> shady public WiFi network I am connected to.
>
> In this case, it looks like that can be done by creating a user `sshtunnel`,
> starting the SSH tunnel as that user, and then using the pf rule to block all
> egress traffic which is not either to localhost or from user `sshtunnel`.
>
> Does that make sense?
>
PF 'user' should do the trick.
Note: it only works for TCP/UDP but for this you should be able to do something like

block all
pass inet proto tcp to 192.0.2.1 port 22 user sshtunnel

However if possible I would suggest either ssh tun forwarding or a VPN.
ssh socks forwarding is only for TCP which might be a bit restrictive, plus you'll need special setup for applications with socks that you won't need with tun forwarding or VPN.
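A fuller pf.conf fragment for the setup the thread describes, added here as an example and not taken from either poster's mail. It assumes the SSH server is 192.0.2.1 (the placeholder address used above), the outside interface is in the egress group, and the tunnel process is started as user sshtunnel; loopback is skipped so applications can still reach the SOCKS listener on localhost:8080, and everything else leaving the host is dropped and logged.

```pf
# Added example, not from the thread. Assumptions: SSH server 192.0.2.1,
# outside interface in the "egress" group, tunnel started as user sshtunnel.
ssh_server = "192.0.2.1"

# Loopback is never filtered, so apps can reach the SOCKS listener on
# localhost:8080 and the tunnel can talk to them.
set skip on lo0

# Default deny for everything leaving the host; log it so leaks show up
# in pflog0 while testing.
block drop out log all

# Only the tunnel process (socket owned by user sshtunnel) may reach the
# SSH server, and only on TCP/22. Return traffic is matched by state, so
# no inbound pass rule is needed for the tunnel.
pass out on egress inet proto tcp from (egress) to $ssh_server port 22 user sshtunnel
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and watch `tcpdump -n -e -ttt -i pflog0` while exercising an application to confirm nothing bypasses the tunnel. Two things to keep in mind: the `user` keyword matches the owner of the socket, so it only applies to TCP/UDP rules as noted above, and the host's own DNS lookups are blocked by this ruleset, so applications must resolve names through the SOCKS proxy (e.g. a socks5h-style configuration) rather than locally.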