Date:      Thu, 15 Aug 2002 09:36:01 -0500
From:      Dan Nelson <dnelson@allantgroup.com>
To:        Derek <derek@durham.net>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: Integrated firewall
Message-ID:  <20020815143600.GN2459@dan.emsphone.com>
In-Reply-To: <007701c24466$d5093aa0$04fea8c0@motorcity.on.ca>
References:  <003801c243e4$a672efb0$1101a8c0@mike> <007701c24466$d5093aa0$04fea8c0@motorcity.on.ca>

In the last episode (Aug 15), Derek said:
> I agree entirely with your ISA Server sentiment.
> 
> However, the situation dictates that many users with different
> protocol access needs may use the same computer, or one user could
> use many computers.  I imagine this is a fairly common scenario these
> days.  ipfw has the ability to filter by uid/gid, but I suspect that
> is only from the local machine.  ISA Server has the ability to
> provide filters based on a user's (Active Directory) SID.  I would
> like to be able to provide this (or equivalent) functionality using a
> 'real' network OS (FreeBSD of course :).

But how does it do this?  Say I bring a Win95 laptop onto your network
and load up a web page?  Exactly how does ISA determine a "username"
from the TCP SYN packet I send out?  What if that laptop is running
FreeBSD?

My guess is that the ICA machine is also the domain master, and
requires you to have logged into the domain before it will allow
packets from your IP, and then it assumes that any traffic from that IP
is from the same user that logged into it (i.e. have an ICA rule that
says "no traffic from Administrator", log into a machine as Bob, then
start IE as Administrator via runas, and you'll still be able to
browse)

I'm sure you could do something similar on the FreeBSD box, either by
somehow getting the list of active users from your NT domain master, or
installing samba and requiring that a user maps a drive to it before
browsing.  That'll let you easily look up username based on IP.

-- 
	Dan Nelson
	dnelson@allantgroup.com
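The IP-to-username lookup suggested above, as an added example that is not part of this message or of any FreeBSD or Samba code: it builds a map of active users per client IP from a constructed session listing (the column layout is an assumption, modelled loosely on a Samba session table), attributes constructed ipfw-style log lines to those users, and fails closed when a host has more than one user logged in, which is exactly the case the runas remark points at.

```python
import re
from collections import defaultdict

# Constructed session listing: PID, username, group, client IP.
# The column layout is an assumption for this example, not real smbstatus output.
SESSIONS = """\
PID     Username  Group   Machine
1201    bob       users   192.168.1.20
1377    alice     users   192.168.1.21
1402    admin     wheel   192.168.1.20
"""

# Constructed ipfw-style log lines (sample data, not from a real host).
FW_LOG = """\
ipfw: 100 Accept TCP 192.168.1.20:1034 203.0.113.5:80 in via fxp0
ipfw: 100 Accept TCP 192.168.1.21:1040 203.0.113.5:80 in via fxp0
ipfw: 100 Accept TCP 192.168.1.22:1050 203.0.113.5:80 in via fxp0
"""

# Users whose traffic the policy does not permit (assumed policy).
DENY_USERS = {"admin"}

def sessions_by_ip(text):
    """Map each client IP to the set of usernames currently logged in from it."""
    users_at = defaultdict(set)
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) >= 4:
            users_at[parts[3]].add(parts[1])
    return users_at

_ADDR = re.compile(r"(\d+\.\d+\.\d+\.\d+):\d+ (\d+\.\d+\.\d+\.\d+):\d+")

def attribute(log_text, users_at):
    """Attach a verdict to each log line based on who is logged in from its source IP."""
    results = []
    for line in log_text.splitlines():
        m = _ADDR.search(line)
        if not m:
            continue
        src, dst = m.group(1), m.group(2)
        users = users_at.get(src, set())
        if not users:
            verdict = "unknown"            # nobody mapped to this IP: cannot attribute
        elif users & DENY_USERS:
            verdict = "deny"               # fail closed: a denied user shares this host
        elif len(users) > 1:
            verdict = "ambiguous"          # several users, no way to tell them apart by IP
        else:
            verdict = "allow"
        results.append((src, dst, sorted(users), verdict))
    return results
```

Because the lookup keys on IP only, a second user on the same host (or a process started under another account) is indistinguishable, which is why the multi-user case is reported rather than silently allowed.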
