PF only firefox traffic ?
Hey,
Many people ask me whether there is any way to pass only traffic from Firefox to the internet. I don't mean all of ports 80 and 443; I mean only software like Firefox. Does PF have that option?

For example: I want to pass traffic only from Firefox to the internet, that's all.

The answer, then, is "no". PF will not differentiate between packets created by different applications. It cannot tell the difference between two different browsers reaching out to the same webserver, as it only addresses Layer 3 information.
I edited my response above to include mention of relayd, which can act as a transparent proxy and block or pass based on content within HTTP/HTTPS packets, but it too is inspecting only packets and does not differentiate between source processes. Browsers do self-identify, using User Agent strings, but these can be easily changed and to my knowledge relayd does not inspect these. The most popular proxy is probably Squid, which is available as a package for this OS. I don't use it. A brief look at its documentation states that it is able to log user agent strings, though I could not find anything stating it is able to filter based upon them.

There is a workaround - assign Firefox to a unique user or group, and pf allows filtering by users or groups.

Indeed, credit goes to jggimi; I just tried to explain it more simply.
I'm happy to be part of this great community.
Last edited by gso; 5th November 2014 at 04:51 AM.

new user:group -> firefox:firefox
userid firefox -> /usr/local/bin/firefox
pf firefox -> internet

I tried it: set up a ufirefox user, added a password (required), copied my .mozilla and .cache files to /home/ufirefox, su into ufirefox and I get "can't display on :0.0", so I run xhost +ufirefox and still no bones. I run xhost + for permission for all local users to connect to X and it runs - until it freezes.
Last edited by vanGrimoire; 6th November 2014 at 01:57 AM.

No. See pf.conf(5). You can eliminate your PF configuration as the problem source only by testing the configuration by logging block (or pass) actions, and then checking logs with tcpdump(8) against pflog(4) or /var/log/pflog.
If you want to determine if your cross-user configuration is a problem source, try logging in and running X as that user, and see if the behaviour changes.

Thanks, it was a permissions issue after trying to copy my config files into the ufirefox home directory. I wiped those out and it came right up.
I've added the following to my .xsession file.
Code:
xhost +
Code:
alias firefox='ulimit -d 1048576; firefox'
Code:
userinfo ufirefox
login ufirefox
..
groups ufirefox
class staff
gecos ufirefox
dir /home/ufirefox
shell /bin/ksh

Well, the next step is actually easier, though more time consuming, than I thought it would be. You'll compile, run, and configure systrace for the ufirefox user.
http://www.informit.com/articles/article.aspx?p=363731
Finally, man pf.conf
Code:
block out proto tcp all
pass out proto tcp from self user { < 1000, dhartmei }
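
Added example, not part of any post in this thread: an OpenBSD pf.conf sketch of the per-user approach discussed above, with logging so the decisions can be checked against pflog as suggested earlier. The ufirefox account name comes from the thread; the port lists and the DNS rule are assumptions.

```pf
# Added example (not from the thread). Assumes OpenBSD pf and the dedicated
# ufirefox account created in the posts above; the ports are assumptions.

# Leave loopback traffic alone.
set skip on lo

# Log and drop all outbound TCP/UDP from this host by default.
# This also stops every other local program and daemon from reaching
# the network until it gets its own pass rule.
block out log proto { tcp, udp } all

# Let only sockets owned by ufirefox reach web ports.
# "user" matches the effective uid recorded when the socket was created,
# works for TCP and UDP only, and never matches forwarded traffic, so
# these rules belong on the desktop itself, not on a separate firewall.
pass out log proto tcp to any port { 80, 443 } user ufirefox

# Name lookups made from inside the Firefox process (assumption: no
# local resolver daemon running under a different uid).
pass out proto { tcp, udp } to any port 53 user ufirefox

# Check the syntax without loading the ruleset:  pfctl -nf /etc/pf.conf
# Watch logged block/pass decisions live:        tcpdump -n -e -ttt -i pflog0
```

Because the match is on the socket owner, any program started as ufirefox gets the same access as the browser; the rule identifies the account, not the Firefox binary.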