Untested, but

# Default deny on urndis0. No "quick" here: pf evaluates rules last-match-wins,
# so the more specific pass rule below overrides this block when it matches.
# (With "block quick" first, evaluation would stop there and nothing would pass.)
block on urndis0
# Allow only TCP/UDP sockets owned by root (uid 0) on the tethering interface.
pass on urndis0 proto { tcp, udp } user 0

should solve the problem. From the pf.conf manual page:
user user
This rule only applies to packets of sockets owned by the
specified user. For outgoing connections initiated from the
firewall, this is the user that opened the connection. For
incoming connections to the firewall itself, this is the user
that listens on the destination port.
When listening sockets are bound to the wildcard address, pf(4)
cannot determine if a connection is destined for the firewall
itself. To avoid false matches on just the destination port,
combine a user rule with source or destination address self.
All packets, both outgoing and incoming, of one connection are
associated with the same user and group. Only TCP and UDP
packets can be associated with users.
The user and group arguments refer to the effective (as opposed
to the real) IDs, in case the socket is created by a
setuid/setgid process. User and group IDs are stored when a
socket is created; when a process creates a listening socket as
root (for instance, by binding to a privileged port) and
subsequently changes to another user ID (to drop privileges), the
credentials will remain root.
User and group IDs can be specified as either numbers or names.
The syntax is similar to the one for ports. The following
example allows only selected users to open outgoing connections:
block out proto tcp all
pass out proto tcp from self user { < 1000, dhartmei }
The example below permits users with uid between 1000 and 1500 to
open connections:
block out proto tcp all
pass out proto tcp from self user { 999 >< 1501 }
The ‘:’ operator, which works for port number matching, does not
work for user and group match.
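The manual text above carries two caveats that the two-line rule set does not yet apply: a `user` match should be tied to `self` so that it does not fire on destination port alone when a listener is bound to the wildcard address, and only TCP and UDP can be matched by user at all. The following pf.conf fragment is an added example, not part of the original answer or of the pf project; the interface name urndis0 comes from the question, everything else (the `tether` macro, logging, the ICMP rule) is an assumption for illustration.

```pf
# Added example (not from the original answer). Restrict a USB tethering
# interface to root-owned TCP/UDP sockets, applying the pf.conf(5) caveats.
# "urndis0" is the interface from the question; the rest is assumed.
tether = "urndis0"

# Default deny on the tethering interface. No "quick": pf is last-match-wins,
# so the more specific pass rules below override this block when they match.
block log on $tether

# Outgoing connections opened by root. "from self" restricts the match to
# sockets on this host; "user 0" compares against the effective UID that was
# recorded when the socket was created.
pass out on $tether proto { tcp udp } from self user 0 keep state

# Incoming connections to a root-owned listener on this host. "to self" avoids
# a false match on just the destination port when the listener is bound to the
# wildcard address (the case the manual warns about).
pass in on $tether proto { tcp udp } to self user 0 keep state

# Caveats from the manual, as they play out here:
#  - A daemon that bound its socket as root and later dropped privileges still
#    matches "user 0", because the UID is stored at socket creation.
#  - Packets pf cannot associate with a local socket (forwarded traffic, ICMP,
#    anything other than TCP/UDP) never match a "user" rule and fall through to
#    the block above. If root needs ping over the tether, allow it explicitly:
pass out on $tether inet proto icmp icmp-type echoreq keep state
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the parsed rules, and because the block rule has `log`, `tcpdump -n -e -ttt -i pflog0` shows what is still being dropped (for example a non-root user's traffic, or UDP from a socket pf could not attribute).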