Contributed by Dengue on from the cool-stuff dept.
"dhartmei@ has introduced uid- and gid-based pf access control in -current. This is done by examining the socket credentials of a request, so now you can say "only people in the group net can ssh out". Here's part of the cvs logs from pfvar.h:
----------------------------
revision 1.72
date: 2002/05/12 00:54:56; author: dhartmei; state: Exp; lines: +10 -4
Add gid based filtering, reduce to one (effective) uid, rename parser keywords to 'user' and 'group'.
----------------------------
revision 1.70
date: 2002/05/09 19:58:42; author: dhartmei; state: Exp; lines: +11 -1
Introduce user based filtering. Rules can specify ruid and euid (real and effective user ID) much like ports. The user of a packet is either the user that opens an outgoing connection, the one that listens on a socket, or 'unknown' if the firewall is not a connection endpoint (for forwarded connections). Socket uid lookup code from jwk@bug.it.
----------------------------
Some pretty cool stuff is being done with pf!"
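As an added example (not from the article, the commit log, or the pf project), here is a pf.conf fragment showing how the "only people in the group net can ssh out" rule from the article could be written with the 'user' and 'group' keywords named in revision 1.72. The interface name fxp0 and the group and user names are assumptions.

```pf
# Added example pf.conf fragment (not the project's own configuration).
# Assumed: external interface fxp0, local group "net", local user "www".
ext_if = "fxp0"

# Default-deny outbound traffic originating on the firewall host.
block out on $ext_if all

# Outbound SSH is allowed only when the connecting socket belongs to a
# process whose effective group is "net". The credentials are read from
# the socket, so this can only match connections the firewall host itself
# opens; user/group matching applies to TCP and UDP sockets only.
pass out on $ext_if proto tcp from any to any port ssh group net keep state

# Forwarded packets (firewall is not a connection endpoint) carry no
# credentials and are classified as user/group "unknown". They never match
# "group net" above, so user/group rules do not police hosts behind the
# firewall; this rule makes that explicit by blocking forwarded SSH.
block out on $ext_if proto tcp from any to any port ssh user unknown

# Inbound: for incoming connections the owner of the listening socket is
# what gets matched, so only a daemon running as user "www" may accept
# connections on port 80; any other listener on that port stays blocked.
block in on $ext_if proto tcp from any to $ext_if port http
pass in on $ext_if proto tcp from any to $ext_if port http user www keep state
```

Because pf applies the last matching rule unless 'quick' is used, the block rules must precede the pass rules they are meant to be narrowed by.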
By Anonymous Coward () on
Where Microsoft firewalls have been able to kill un*x ones is that you can configure them to allow services based on DOMAIN\Username. When your fileserver is NT4/2K or even Samba and users log in to the domain, being able to control who goes through the firewall by DOMAIN\Username has obvious benefits to administration staff. This uid/gid stuff in pf is nothing like that and is not even the right vehicle for implementing it either.
By cilix () tim-deadly@nicholas.net.nz on http://tim.nicholas.net.nz/
Though I have never used it, I believe that Linux has a similar feature in iptables.
From the man page (iptables(8)):
owner
This module attempts to match various characteristics of the packet creator, for locally-generated packets. It is only valid in the OUTPUT chain, and even this some packets (such as ICMP ping responses) may have no owner, and hence never match.
So it doesn't look like it is quite as versatile as the new pf stuff (which from the sounds of it can do incoming connections as well) but has some of the same functionality.
Tim
By Jorgen Maas () jorgen@overload.org on http://www.overload.org
quite some time now, but only for local connections.
include
By Jorgen Maas () jorgen@overload.org on http://www.overload.org
i tried to include some text in "" brackets
option Plain Text was indeed selected..
ah well, what the heck :)
By Ben () ben@robson.ph on mailto:ben@robson.ph
As much as many people hate MS, this is the world we live in. If PF was able to take rules like:
pass blah...blah...blah... auth=NTDomain,ServerIP,Group,Uname...
Then PF would be VERY attractive to NT administrators everywhere, as they can start managing their firewall policies in terms of users/groups(usernames/groupnames), and not workstations/networks(IP addresses).
(And before anyone says so, I know this will be hard, and I know that's not how you would specify an NT-Domain controlled. I am not an NT person) ;-)
By Ben () on
This means the only way authpf could do this would be to have a login script on the Windows workstation that creates an SSH session with the firewall. I have 2 major problems with this: 1. It's ugly as hell. 2. I don't want ANYBODY creating SSH sessions, of any type, with my firewall.
By Someone () on
The problem here is that NT doesn't provide any way for a remote machine to ask for the ownership of a socket. So before anything like this could be supported, you would have to code a service for NT that could answer these requests.
By Roo () on
Cheers,
Roo