Old 8th November 2013
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977

Hello, and welcome!

5.1 is no longer supported. The OpenBSD Project only supports a release for a single year, as there are two releases annually and they only support the most recent two releases, which today are 5.4 and 5.3. Please consider upgrading.

PF operates within the kernel and does not filter at the application layer, only by IP protocol.
  • It does not "know" about the SSH application, it knows only about the TCP protocol and destination port 22.
  • It does not know about PHP or your Apache webserver. It knows only about the TCP protocol and destination port 80.
However, if PF is running on the same system as an application, the applications may be identified by user or group. Here's the definition for user:
Code:
     user <user>
             This rule only applies to packets of sockets owned by the
             specified user.  For outgoing connections initiated from the
             firewall, this is the user that opened the connection.  For
             incoming connections to the firewall itself, this is the user
             that listens on the destination port....
Note that in most cases, PHP applications communicate through the webserver, so you will not be able to separate PHP communication out through this method. If you are using PHP via a separate application, such as php-fpm (a FastCGI option), you may be able to separate out its functionality this way. That said, I use php-fpm with the nginx(8) webserver, and they both run as user www on my systems.

Edited to add:
--------------

Thinking about the separate PHP process -- even though I use php-fpm for PHP, I would not be able to filter this traffic with PF. All of the protocol headers that PF could inspect are identical for all traffic.

Last edited by jggimi; 8th November 2013 at 02:47 PM.
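As an added illustration of the points in the post above (this is not jggimi's configuration, and the interface macro, the database address and the port numbers are assumptions), here is a pf.conf fragment that admits SSH and HTTP purely by protocol and port, and then uses the `user` option on the same host to limit what the webserver's user may connect out to. PF's last-matching-rule-wins evaluation is what makes the ordering of the three `out` rules work.

```pf
# Added example, not from the original post. Assumed values: the interface
# group "egress" and a database server at 192.0.2.10 on port 5432.
ext_if  = "egress"
db_host = "192.0.2.10"

set skip on lo

# PF sees only protocol and port. These rules admit "TCP to port 22" and
# "TCP to port 80"; they know nothing about sshd, Apache or PHP.
pass in on $ext_if proto tcp from any to ($ext_if) port { 22 80 }

# 'user' only applies to sockets on this host. For outbound connections it is
# the user that opened the socket. Last matching rule wins, so:
#   1. everything the host originates is allowed out by default,
#   2. except connections opened by user www, which are blocked (and logged),
#   3. except www talking to the database, which the final rule allows.
pass out on $ext_if proto { tcp udp } from ($ext_if) to any
block return out log on $ext_if proto { tcp udp } from ($ext_if) to any user www
pass out on $ext_if proto tcp from ($ext_if) to $db_host port 5432 user www
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`. Two caveats follow directly from the post: the `user` rules only work when PF runs on the host that owns the sockets (they do nothing on a separate gateway), and if the webserver and php-fpm both run as `www`, as in jggimi's setup, these rules cannot tell their connections apart, because every header PF can inspect is the same for both.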