g...@lexort.com (Greg Troxel) writes:

>It may be that the firewall rules should be based on the process's
>uid/gid, and that the concept of sockets having owners is just a red herring.
Even filtering packets on some guessed uid/gid value is questionable as processes don't send or receive packets. They do system calls on socket descriptors. You could add some filter to sockets and control addresses used by bind(), connect() and sendto/sendmsg/sendmmsg() syscalls for each user. The "privileged ports" that are restricted to root are then just a special case.
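As an added illustration of the model described above (this is example code written for this page, not code from the thread or from any BSD kernel), the following C sketch evaluates a per-uid policy at the point where bind(), connect() and the sendto()-style calls supply an address, instead of trying to attribute packets to a uid after the fact. The "ports below 1024 are root-only" restriction appears as the first two entries of the same table. The rule table, the uid 1001 entry and the function names are constructed for the example; only AF_INET is modelled and anything else is refused.

```c
/* Added example: per-uid address policy checked at the socket syscall
 * boundary (bind/connect/sendto...), not on packets.  Hypothetical
 * policy shape; not NetBSD or any other kernel's code. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

#define OP_BIND    0x1
#define OP_CONNECT 0x2
#define OP_SEND    0x4   /* sendto/sendmsg/sendmmsg with an explicit address */
#define OP_ANY     (OP_BIND | OP_CONNECT | OP_SEND)
#define ANY_UID    ((uid_t)-1)

struct sock_rule {
    uid_t    uid;        /* ANY_UID matches every uid */
    unsigned ops;        /* bitmask of OP_* this rule applies to */
    uint32_t net, mask;  /* IPv4 prefix, host byte order; mask 0 = any address */
    uint16_t port_lo, port_hi;
    bool     allow;
};

/* Constructed policy table, first match wins.  The classic root-only
 * privileged ports are just the first two entries; uid 1001 is a
 * hypothetical exposed service that must not reach 10.0.0.0/8. */
static const struct sock_rule rules[] = {
    { 0,       OP_BIND,              0,          0,          1, 1023,  true  },
    { ANY_UID, OP_BIND,              0,          0,          1, 1023,  false },
    { 1001,    OP_CONNECT | OP_SEND, 0x0A000000, 0xFF000000, 0, 65535, false },
    { ANY_UID, OP_ANY,               0,          0,          0, 65535, true  },
};

/* Returns true if 'uid' may perform 'op' with this address.  Only AF_INET
 * is modelled; any other family, short length or unmatched rule set is
 * refused (fail closed).  Port 0 on bind (ephemeral) falls through the
 * privileged-port entries because their range starts at 1. */
bool sock_addr_allowed(uid_t uid, unsigned op, const struct sockaddr *sa, socklen_t len)
{
    struct sockaddr_in sin;
    if (sa == NULL || sa->sa_family != AF_INET || len < sizeof sin)
        return false;
    memcpy(&sin, sa, sizeof sin);   /* copy: avoid misaligned access through sa */
    uint32_t addr = ntohl(sin.sin_addr.s_addr);
    uint16_t port = ntohs(sin.sin_port);

    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        const struct sock_rule *r = &rules[i];
        if (r->uid != ANY_UID && r->uid != uid) continue;
        if (!(r->ops & op)) continue;
        if ((addr & r->mask) != r->net) continue;
        if (port < r->port_lo || port > r->port_hi) continue;
        return r->allow;
    }
    return false;   /* no rule matched: deny */
}

/* Convenience wrapper: build a sockaddr_in from a dotted quad and port.
 * An unparsable address is treated as denied. */
bool check_v4(uid_t uid, unsigned op, const char *ip, uint16_t port)
{
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sin.sin_addr) != 1)
        return false;
    return sock_addr_allowed(uid, op, (const struct sockaddr *)&sin, sizeof sin);
}

int main(void)
{
    printf("root bind :80        -> %s\n", check_v4(0,    OP_BIND,    "0.0.0.0",  80)  ? "allow" : "deny");
    printf("1001 bind :80        -> %s\n", check_v4(1001, OP_BIND,    "0.0.0.0",  80)  ? "allow" : "deny");
    printf("1001 bind :8080      -> %s\n", check_v4(1001, OP_BIND,    "0.0.0.0",  8080) ? "allow" : "deny");
    printf("1001 connect 10.1.2.3:443 -> %s\n", check_v4(1001, OP_CONNECT, "10.1.2.3", 443) ? "allow" : "deny");
    printf("1001 sendto 10.1.2.3:53   -> %s\n", check_v4(1001, OP_SEND,    "10.1.2.3", 53)  ? "allow" : "deny");
    return 0;
}
```

The point of the table layout is that the privileged-port rule and an arbitrary per-uid egress rule are the same kind of object, evaluated once per bind()/connect()/sendto() with the caller's uid in hand, which is exactly the information a packet filter has to guess at later.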