doc

Author: Emmankoko

usr.sbin/npf/npfctl/npf.conf.5

@@ -317,11 +317,33 @@ User processes that fire up sockets for network communications attribute
 user identification values such as user and group ID to these sockets. Incoming
 or outgoing communication with any socket is also assumed to be communicating with
 the user that owns the process that fired the socket.
+.Pp
+Packet filtering by user or group controls data packet flows based on
+the user or group identity of the process that generated the traffic,
+or is waiting to receive traffic, rather than just traditional parameters
+like IP address, port number, and protocol.
+.Pp
+There are many situations where this is useful:
+.Bl -bullet -hang
+.It Finer-grained access control
+One can allow specific destinations to be accessed only by certain users
+or groups.
+.It Application level security
+Two processes are using a specific port, but only one should be allowed to
+access packets originating from a particular host.
+.It Improves isolation in multi-tenant systems
+Prevent an untrusted user from making any network connections
+.It Security hardening and containment
+A user application that has been exploited can be prevented from making
+network connections to a command-and-control server.
+.It Compliance and policy enforcement
+Can restrict access to particular networks to network administrators only.
+.El
 This filtering process can be achieved by passing the user or group ID on the rule.
 .Pp
 .Dl pass out from all user jack group < 1000
 .Pp
-The above rule only allows by sockets of processes owned by user jack
+The above rule only allows sockets of processes owned by user jack
 and belonging to a group with an id value of less than 1000.
 .Pp
 .Dl block in from all user > 100 group wheel