Distributed identity-based firewalls
US-11695731-B2 · Jul 4, 2023 · US
US2023362130A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2023362130-A1 |
| Application number | US-202318217666-A |
| Country | US |
| Kind code | A1 |
| Filing date | Jul 3, 2023 |
| Priority date | Oct 1, 2013 |
| Publication date | Nov 9, 2023 |
| Grant date | — |
Official abstract text for this publication.
Systems and techniques are described for monitoring network communications using a distributed firewall. One of the techniques includes receiving, at a driver executing in a guest operating system of a virtual machine, a request to open a network connection from a process associated with a user, wherein the driver performs operations comprising: obtaining identity information for the user; providing the identity information and data identifying the network connection to an identity module external to the driver; and receiving, by a distributed firewall, data associating the identity information with the data identifying the network connection from the identity module, wherein the distributed firewall performs operations comprising: receiving an outgoing packet from the virtual machine; determining that the identity information corresponds to the outgoing packet; and evaluating one or more routing rules based at least in part on the identity information.
Opening claim text (preview).
What is claimed is:
1-25. (canceled)
26. For a machine executing on a host computer, a method for providing firewall services on the host computer, the method comprising: for a network connection, receiving a record associating a set of header values of packets sent from the machine with an identifier associated with a process associated with the network connection; associating a packet received from the machine with the identifier by comparing the packet's set of header values with the set of header values of the record; using the identifier to identify a firewall rule from a plurality of firewall rules that have rule identifiers defined by reference to a plurality of identifiers; performing a firewall operation on the received packet based on the identified firewall rule.
27. The method of claim 26, wherein performing the firewall operation comprises forwarding the received packet when the identified firewall rule specifies that the packet should be allowed to pass through.
28. The method of claim 27, wherein forwarding the received packet comprises forwarding the packet to a virtual switch executing on the host computer for distribution to a destination of the packet.
29. The method of claim 26, wherein performing the firewall operation comprises dropping the received packet when the identified firewall rule specifies that the packet should be blocked.
30. The method of claim 26, wherein performing the firewall operation comprises redirecting the received packet to a different destination according to the identified firewall rule.
31. The method of claim 26, wherein the identifier is a security identifier (SID) of a user associated with the process.
32. The method of claim 26, wherein the identifier identifies a user logged onto the machine on which the process executes.
33. The method of claim 26, wherein the identifier comprises a username or a group identifier that identifies a user group to which the user belongs.
34. The method of claim 26 further comprising storing the record that associates the identifier with the set of header values before associating the packet with the identifier.
35. The method of claim 34, wherein the set of header values are associated with the network connection, and comprise an Internet Protocol (IP) address and one or more port numbers assigned to the network connection.
36. The method of claim 34 further comprising configuring a guest driver module executing on the machine to perform the operation of the identified firewall rule for subsequent packets that belong to a same flow as the received packet.
37. A non-transitory machine readable medium storing a program for execution by at least one processing unit, the program for providing firewall services for a virtual machine executing on a host computer, the program comprising sets of instructions for: for a network connection, receiving a record associating a set of header values of packets sent from the machine with an identifier associated with a process associated with the network connection; associating a packet received from the machine with the identifier by comparing the packet's set of header values with the set of header values of the record; using the identifier to identify a firewall rule from a plurality of firewall rules that have rule identifiers defined by reference to a plurality of identifiers; performing a firewall operation on the received packet based on the identified firewall rule.
38. The non-transitory machine readable medium of claim 37, wherein the set of instructions for performing the firewall operation comprises a set of instructions for forwarding the received packet when the identified firewall rule specifies that the packet should be allowed to pass through.
39. The non-transitory machine readable medium of claim 38, wherein the set of instructions for forwarding the received packet comprises a set of instructions for forwarding the packet to a virtual switch executing on the host computer for distribution to a destination of the packet.
40. The non-transitory machine readable medium of claim 37, wherein the set of instructions for performing the firewall operation comprises a set of instructions for dropping the received packet when the identified firewall rule specifies that the packet should be blocked.
41. The non-transitory machine readable medium of claim 37, wherein the set of instructions for performing the firewall operation comprises a set of instructions for redirecting the received packet to a different destination according to the identified firewall rule.
42. The non-transitory machine readable medium of claim 37, wherein the identifier is a security identifier (SID) of a user associated with the process.
43. The non-transitory machine readable medium of claim 37, wherein the identifier identifies a user logged onto the machine on which the process executes.
44. The non-transitory machine readable medium of claim 37, wherein the identifier comprises a username or a group identifier that identifies a user group to which the user belongs.
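The abstract and independent claims 26 and 37 describe one pipeline: a guest driver reports, per connection, the header values of the flow together with the identity of the process owner; the firewall stores that record (claim 34), matches each outgoing packet to a record by its header values (claim 35), uses the resulting identifier (SID, username or group, claims 31-33) to select a rule, and then allows, drops or redirects the packet (claims 27-30), optionally caching the verdict for the rest of the flow (claim 36). The Python below is an added illustration of that matching logic and is not code from the patent or from any product that implements it. Everything concrete in it is constructed: the 5-tuple flow key, first-match rule ordering, a default-drop policy for packets with no identity record, and the SIDs, usernames, groups and addresses in the sample data.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Tuple

# Flow key built from the header values the guest driver reports.
# The 5-tuple (proto, src_ip, src_port, dst_ip, dst_port) is a constructed choice;
# claim 35 only requires an IP address and one or more port numbers.
FlowKey = Tuple[str, str, int, str, int]


class Action(Enum):
    ALLOW = "allow"        # claim 27: forward (e.g. on to the virtual switch)
    DROP = "drop"          # claim 29
    REDIRECT = "redirect"  # claim 30


@dataclass(frozen=True)
class IdentityRecord:
    """Record from the identity module: header values -> user identifiers."""
    flow: FlowKey
    sid: str                    # security identifier of the user (claim 31)
    username: str               # username (claim 33)
    groups: FrozenSet[str]      # group identifiers (claim 33)

    def identifiers(self) -> FrozenSet[str]:
        return frozenset({self.sid, self.username, *self.groups})


@dataclass(frozen=True)
class Rule:
    """Firewall rule whose selector is a user/group identifier, not an address."""
    identifier: str             # SID, username or group name
    dst_port: Optional[int]     # None matches any destination port (constructed)
    action: Action
    redirect_to: Optional[str] = None


@dataclass(frozen=True)
class Verdict:
    action: Action
    matched_identifier: Optional[str]
    redirect_to: Optional[str] = None


class DistributedFirewall:
    def __init__(self, rules: List[Rule], default: Action = Action.DROP):
        self.rules = list(rules)            # evaluated first-match (assumption)
        self.default = default              # applied when no record or no rule matches
        self.records: Dict[FlowKey, IdentityRecord] = {}
        self.flow_cache: Dict[FlowKey, Verdict] = {}   # claim 36: per-flow offload

    def receive_record(self, record: IdentityRecord) -> None:
        """Claim 34: store the record before packets of that flow are evaluated."""
        self.records[record.flow] = record
        self.flow_cache.pop(record.flow, None)   # identity changed: re-evaluate

    def evaluate(self, packet: FlowKey) -> Verdict:
        """Match packet header values to a record, then pick a rule by identifier."""
        cached = self.flow_cache.get(packet)
        if cached is not None:
            return cached
        record = self.records.get(packet)
        if record is None:
            # Unattributed traffic: no identity means no identity rule can apply.
            verdict = Verdict(self.default, None)
        else:
            verdict = self._match_rules(packet, record)
        self.flow_cache[packet] = verdict
        return verdict

    def _match_rules(self, packet: FlowKey, record: IdentityRecord) -> Verdict:
        ids = record.identifiers()
        for rule in self.rules:
            if rule.identifier not in ids:
                continue
            if rule.dst_port is not None and rule.dst_port != packet[4]:
                continue
            return Verdict(rule.action, rule.identifier, rule.redirect_to)
        return Verdict(self.default, None)


# Constructed sample policy and identity records (all values invented).
ALICE_SID = "S-1-5-21-EXAMPLE-1001"
RULES = [
    Rule(ALICE_SID, 22, Action.DROP),                     # per-user SID rule
    Rule("Domain Admins", None, Action.ALLOW),            # group rule, any port
    Rule("Domain Users", 443, Action.ALLOW),
    Rule("Domain Users", 3389, Action.REDIRECT, redirect_to="10.0.9.9"),
]
FLOW_ALICE_HTTPS: FlowKey = ("tcp", "10.0.1.5", 51000, "10.0.2.9", 443)
FLOW_ALICE_SSH: FlowKey = ("tcp", "10.0.1.5", 51001, "10.0.2.9", 22)
FLOW_BOB_RDP: FlowKey = ("tcp", "10.0.1.7", 40000, "10.0.3.3", 3389)
FLOW_CAROL_SSH: FlowKey = ("tcp", "10.0.1.8", 40001, "10.0.3.3", 22)
FLOW_NO_RECORD: FlowKey = ("udp", "10.0.1.5", 5353, "224.0.0.251", 5353)


def build_firewall() -> DistributedFirewall:
    fw = DistributedFirewall(RULES)
    users = frozenset({"Domain Users"})
    fw.receive_record(IdentityRecord(FLOW_ALICE_HTTPS, ALICE_SID, "alice", users))
    fw.receive_record(IdentityRecord(FLOW_ALICE_SSH, ALICE_SID, "alice", users))
    fw.receive_record(IdentityRecord(FLOW_BOB_RDP, "S-1-5-21-EXAMPLE-1002", "bob", users))
    fw.receive_record(IdentityRecord(FLOW_CAROL_SSH, "S-1-5-21-EXAMPLE-1003", "carol",
                                     frozenset({"Domain Admins"})))
    return fw


if __name__ == "__main__":
    fw = build_firewall()
    for flow in (FLOW_ALICE_HTTPS, FLOW_ALICE_SSH, FLOW_BOB_RDP, FLOW_CAROL_SSH, FLOW_NO_RECORD):
        print(flow, "->", fw.evaluate(flow))
```

Two points in the simulation matter in practice. First, the rule table contains no IP addresses at all: the same rule follows the user whichever VM or address they connect from, which is the point of keying on identity rather than on header values. Second, a packet whose flow has no identity record cannot match any identity rule, so the handling of unattributed traffic (here, drop by default) is a policy decision the deployment has to make explicitly, since a guest driver that is unloaded or tampered with simply stops producing records.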
Distributed architectures, e.g. distributed firewalls · CPC title
Hypervisor-specific management and integration aspects · CPC title
Routing a service request depending on the request content or context · CPC title
Network integration; Enabling network access in virtual machine instances · CPC title