From owner-freebsd-questions Thu Aug 15 7:36:31 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B3BFC37B400 for ; Thu, 15 Aug 2002 07:36:28 -0700 (PDT)
Received: from dan.emsphone.com (dan.emsphone.com [199.67.51.101]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2511A43E77 for ; Thu, 15 Aug 2002 07:36:28 -0700 (PDT) (envelope-from dan@dan.emsphone.com)
Received: (from dan@localhost) by dan.emsphone.com (8.12.5/8.12.5) id g7FEa1JZ048373; Thu, 15 Aug 2002 09:36:01 -0500 (CDT) (envelope-from dan)
Date: Thu, 15 Aug 2002 09:36:01 -0500
From: Dan Nelson
To: Derek
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Integrated firewall
Message-ID: <20020815143600.GN2459@dan.emsphone.com>
References: <003801c243e4$a672efb0$1101a8c0@mike> <007701c24466$d5093aa0$04fea8c0@motorcity.on.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <007701c24466$d5093aa0$04fea8c0@motorcity.on.ca>
X-OS: FreeBSD 5.0-CURRENT
X-message-flag: Outlook Error
User-Agent: Mutt/1.5.1i
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

In the last episode (Aug 15), Derek said:
> I agree entirely with your ISA Server sentiment.
>
> However, the situation dictates that many users with different
> protocol access needs may use the same computer, or one user could
> use many computers. I imagine this is a fairly common scenario these
> days. ipfw has the ability to filter by uid/gid, but I suspect that
> is only from the local machine. ISA Server has the ability to
> provide filters based on a user's (Active Directory) SID. I would
> like to be able to provide this (or equivalent) functionality using a
> 'real' network OS (FreeBSD of course :).

But how does it do this? Say I bring a Win95 laptop onto your network
and load up a web page? Exactly how does ISA determine a "username"
from the TCP SYN packet I send out? What if that laptop is running
FreeBSD?

My guess is that the ICA machine is also the domain master, and
requires you to have logged into the domain before it will allow
packets from your IP, and then it assumes that any traffic from that IP
is from the same user that logged into it (i.e. have an ICA rule that
says "no traffic from Administrator", log into a machine as Bob, then
start IE as Administrator via runas, and you'll still be able to
browse).

I'm sure you could do something similar on the FreeBSD box, either by
somehow getting the list of active users from your NT domain master, or
installing samba and requiring that a user maps a drive to it before
browsing. That'll let you easily look up username based on IP.

-- 
Dan Nelson
dnelson@allantgroup.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
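As an added illustration of the approach Dan sketches (not code from the thread or from any of its authors), the sh snippet below turns a constructed IP-to-username table, of the kind an external lookup against Samba sessions or the domain master might produce, into ipfw(8) deny rules for the users that should be blocked from web access. It only prints the rules rather than applying them, so it can be run anywhere. The mapping, the denied-user list and the rule numbers are all assumptions for the example; the `uid` match in the second function is the local-host-only filter Derek mentions.

```sh
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Assumes an external lookup has produced "ip username" lines (constructed
# sample below) and that the firewall host runs ipfw(8). Rules are echoed,
# not applied, so this is safe to run as an illustration.

# Constructed sample mapping of client IPs to the user attributed to them.
SAMPLE_MAP='192.168.1.10 bob
192.168.1.11 alice
192.168.1.12 administrator'

# gen_deny_rules RULE_BASE "user1 user2 ..."
#   Reads the IP->user map from stdin and prints one ipfw rule per IP that is
#   currently attributed to a denied user. "setup" matches the TCP SYN that
#   opens a connection, which is where the thread's question starts.
#   Caveat from the thread: the rule is keyed on the IP, so every process on
#   that host is treated as the mapped user, whoever actually started it.
gen_deny_rules() {
    base="$1"
    denied="$2"
    n="$base"
    while read -r ip user; do
        [ -z "$ip" ] && continue
        for d in $denied; do
            if [ "$user" = "$d" ]; then
                echo "ipfw add $n deny tcp from $ip to any 80 setup"
                n=$((n + 1))
            fi
        done
    done
}

# local_uid_rule USERNAME
#   The uid match only applies to sockets owned on the firewall host itself,
#   which is exactly the limitation Derek points out.
local_uid_rule() {
    echo "ipfw add 500 deny tcp from any to any 80 uid $1"
}

# Usage: print the rules for two denied users, plus the local uid variant.
printf '%s\n' "$SAMPLE_MAP" | gen_deny_rules 1000 "administrator bob"
local_uid_rule administrator
```

Because the per-IP rules are only as fresh as the session table they were generated from, a real deployment would regenerate them whenever the lookup changes and flush the previous set first; the example leaves that scheduling out.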