Date: Thu, 15 Aug 2002 07:53:27 -0700
From: Benjamin Krueger
To: Dan Nelson
Cc: Derek, freebsd-questions@FreeBSD.ORG
Subject: Re: Integrated firewall
Message-ID: <20020815075327.D3109@mail.seattleFenix.net>
In-Reply-To: <20020815143600.GN2459@dan.emsphone.com>; from dnelson@allantgroup.com on Thu, Aug 15, 2002 at 09:36:01AM -0500
X-PGP-Key: http://www.macguire.net/benjamin/public_key.asc

* Dan Nelson (dnelson@allantgroup.com) [020815 07:36]:
> In the last episode (Aug 15), Derek said:
> > I agree entirely with your ISA Server sentiment.
> >
> > However, the situation dictates that many users with different
> > protocol access needs may use the same computer, or one user could
> > use many computers. I imagine this is a fairly common scenario these
> > days. ipfw has the ability to filter by uid/gid, but I suspect that
> > is only from the local machine. ISA Server has the ability to
> > provide filters based on a user's (Active Directory) SID. I would
> > like to be able to provide this (or equivalent) functionality using a
> > 'real' network OS (FreeBSD of course :).
>
> But how does it do this? Say I bring a Win95 laptop onto your network
> and load up a web page? Exactly how does ISA determine a "username"
> from the TCP SYN packet I send out? What if that laptop is running
> FreeBSD?
>
> My guess is that the ICA machine is also the domain master, and
> requires you to have logged into the domain before it will allow
> packets from your IP, and then it assumes that any traffic from that IP
> is from the same user that logged into it (i.e. have an ICA rule that
> says "no traffic from Administrator", log into a machine as Bob, then
> start IE as Administrator via runas, and you'll still be able to
> browse).
>
> I'm sure you could do something similar on the FreeBSD box, either by
> somehow getting the list of active users from your NT domain master, or
> installing samba and requiring that a user maps a drive to it before
> browsing. That'll let you easily look up username based on IP.
>
> --
> Dan Nelson
> dnelson@allantgroup.com

If I were to approach this, I would probably do it with a PAM module. You
might keep a user-to-proto_privs map in a file which could then be looked up
after a successful login, and used to alter the current local ipf(w) ruleset.

kim:ftp,ssh,smtp,pop3,dns,identd,http,https
joe:smtp,pop3,dns,http,https

That would be a simplistic mapping, but it illustrates the point. The downside
is that this assumes 1 user session per machine. I don't see how you can
readily restrict 2 users with different privilege levels who are logged on to
the same machine without really screwing with system internals. =)

--
Benjamin Krueger

"Life is far too important a thing ever to talk seriously about."
- Oscar Wilde (1854 - 1900)
----------------------------------------------------------------
Send mail w/ subject 'send public key' or query for (0x251A4B18)
Fingerprint = A642 F299 C1C1 C828 F186 A851 CFF0 7711 251A 4B18
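Benjamin's user-to-protocol map, carried through to the rule-generation step of the post-login hook he sketches; this is an added example, not code from the thread. It assumes ipfw's `add`/`delete` syntax, a constructed service-to-port table, rule number 10050, a hook that already knows the authenticated user and the client IP, and a base ruleset that denies by default so only listed services are opened.

```python
"""Per-session ipfw rules from a 'user:proto,proto,...' privilege map.

Added example (not from the original post). Assumptions: the caller is a
post-login hook such as a PAM session module, it knows the user and the
source IP, and the base ipfw ruleset denies by default.
"""
import ipaddress

# Assumed service table: name -> (ipfw protocol keyword, destination port).
SERVICES = {
    "ftp": ("tcp", 21), "ssh": ("tcp", 22), "smtp": ("tcp", 25),
    "dns": ("udp", 53), "http": ("tcp", 80), "pop3": ("tcp", 110),
    "identd": ("tcp", 113), "https": ("tcp", 443),
}


def parse_priv_map(text):
    """Parse the map into {user: [service, ...]}, skipping blanks and '#' comments.

    An unknown service name or a malformed line is an error, never a silently
    dropped entry, so a typo in the file cannot change what gets opened.
    """
    privs = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        user, sep, protos = line.partition(":")
        names = [p.strip() for p in protos.split(",") if p.strip()]
        if not sep or not user.strip() or not names:
            raise ValueError(f"line {lineno}: expected user:proto,proto,...")
        unknown = sorted(set(names) - set(SERVICES))
        if unknown:
            raise ValueError(f"line {lineno}: unknown service(s) {unknown}")
        privs[user.strip()] = names
    return privs


def session_rules(privs, user, client_ip, rule_no=10050):
    """ipfw commands that open exactly the user's services from client_ip.

    All rules share one number so session_teardown() removes them together.
    A user missing from the map gets no rules, i.e. stays at default deny.
    """
    ip = ipaddress.ip_address(client_ip)  # rejects anything that is not an IP literal
    cmds = []
    for name in privs.get(user, []):
        proto, port = SERVICES[name]
        cmds.append(f"ipfw add {rule_no} allow {proto} from {ip} to any {port} keep-state")
    return cmds


def session_teardown(rule_no=10050):
    """Deletes every rule carrying the session's rule number at logout."""
    return f"ipfw delete {rule_no}"
```

The same one-session-per-machine limitation the post notes applies here: the rules key on the source IP, so a second user on the same host inherits whatever the first login opened.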