OpenBSD Journal

User level access control with pf

Contributed by Dengue on from the cool-stuff dept.

jose nazario writes :
"dhartmei@ has introduced uid and gid based pf access control in -current. this is done by examining the socket credentials of a request. so now you can say "only people in the group net can ssh out".

Here's part of the cvs logs from pfvar.h:

----------------------------
revision 1.72
date: 2002/05/12 00:54:56;  author: dhartmei;  state: Exp;  lines: +10 -4
Add gid based filtering, reduce to one (effective) uid, rename parser
keywords to 'user' and 'group'.
----------------------------
revision 1.70
date: 2002/05/09 19:58:42;  author: dhartmei;  state: Exp;  lines: +11 -1
Introduce user based filtering. Rules can specify ruid and euid (real and
effective user ID) much like ports. The user of a packet is either the
user that opens an outgoing connection, the one that listens on a socket,
or 'unknown' if the firewall is not a connection endpoint (for forwarded
connections). Socket uid lookup code from jwk@bug.it.
----------------------------
some pretty cool stuff is being done with pf!"

(Comments are closed)


Comments
  1. By Anonymous Coward () on

    Do any other platforms offer anything like this?

    Comments
    1. By kappa () on

      Microsoft Proxy Server has had this for a very long time. In fact, it was the killer feature which led to many un*x proxy servers dumped.

      Comments
      1. By RC () on

        There is a big difference though. PF is not a proxy server. The fact that it's gaining the advantages of a high-level proxy server, with the advantages of a real firewall are quite impressive.

        Comments
        1. By Anonymous Coward () on

          I think you misunderstand what the other person wrote.

          Where Microsoft firewalls have been able to kill un*x ones is you can configure them to allow services based on DOMAINUsername.

          When your fileservers is NT4/2K or ever samba and
          users login to the domain, being able to control
          who goes through the firewall by DOMAINUsername
          has obvious benefits to administration staff.

          This uid/gid stuff in pf is nothing like that
          and is not even the right vehicle for implementing
          it either.

    2. By cilix () tim-deadly@nicholas.net.nz on http://tim.nicholas.net.nz/

      Though I have never used it, I beleive that linux has a similer feature in iptables.
      From the man page (iptables(8))... owner

      This module attempts to match various characteristics of the packet creator, for locally-generated packets. It is only valid in the OUTPUT chain, and even this some packets (such as ICMP ping responses) may have no owner, and hence never match.

      So it doesn't look like it is quite as versitile as the new pf stuff (which from the sounds of it can do incomming connections as well) but has some of the same functionality. Tim

    3. By Jorgen Maas () jorgen@overload.org on http://www.overload.org

      IPFW in FreeBSD does indeed support this for
      quite sometime now, but oly for local connections.

      include

      Comments
      1. By Jorgen Maas () jorgen@overload.org on http://www.overload.org

        hmmz? bug in phpslash?

        i tried to include some text in "" brackets
        option Plain Text was indeed selected..

        ahwell what the heck :)

  2. By Ben () ben@robson.ph on mailto:ben@robson.ph

    I think the real killer-app' in this space will be if it can be made to interact with external authentication services. Things like an LDAP server, or an NT Domain controller.
    As much as many ppl hate MS, thus is the world we live in. If PF was able to take rules like:
    pass blah...blah...blah... auth=NTDomain,ServerIP,Group,Uname...
    Then PF would be VERY attractive to NT administrators everywhere, as they can start managing their firewall policies in terms of users/groups(usernames/groupnames), and not workstations/networks(IP addresses).
    (And b4 anyone says so, I know this will be hard, and I know thats not how you would specify an NT-Domain controlled. I am not an NT person) ;-)

    Comments
    1. By Anonymous Coward () on

      Wouldn't you be able to this already with authpf? When people authenticate with a server that server could tell the firewall to open up the necessary ports using authpf?

      Comments
      1. By Ben () on

        No, as I understood it authpf only looks at ppl logged in to the "firewall" using SSH.
        This means the only way authpf could do this would be to have a login script on the Windows workstation that creates an SSH session with the firewall. I have 2 major problems with this, 1. Its ugly as hell, 2. I don't want ANYBODY creating SSH sessions, of any type, with my firewall.

    2. By Dan () on

      It can be great solution for many administrators!

    3. By Someone () on

      The problem here is that you would have to know the creator of the socket that the firewall is letting through. Thus pf needs to know the owner of the socket before the connection gets added to the state table.

      The problem here is that NT doesn't provide any way for a remote machine to ask for the ownership of a socket. So before anything like this could be supported, you would have to code a service for NT that could answer these requests.

  3. By Roo () on

    My prayers have been answered... That is the coolest thing I've seen, and *FAR* neater than the add/remove rule thing that was added. Seems a lot safer to me as well.

    Cheers,
    Roo

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]