Date: Fri, 11 Aug 2006 20:31:22 +0200 From: Max Laier <max@love2party.net> To: freebsd-pf@freebsd.org Subject: Re: Can PF allow access by username/userid? Message-ID: <200608112031.33047.max@love2party.net> In-Reply-To: <20060811154941.GC75161@ns2.wananchi.com> References: <20060811154941.GC75161@ns2.wananchi.com>
On Friday 11 August 2006 17:49, Odhiambo Washington wrote:
> In the following article:
>
> http://www.linux.com/article.pl?sid=04/07/01/1833212
>
> ... under the section "Putting it in action", the writer
> describes how they limit access by username with IPTables.
>
> I am wondering if this is achievable with PF. If yes, which section
> of the FAQ should I read?

There are "user" and "group" keywords that can be used to match user and group credentials (surprise). Note, however, that inspecting socket information (Layer 4) in pf (Layer 3) is a layering violation. This manifests itself in a Lock Order Reversal (LOR) which can lead to a deadlock. Thus you need to set debug.mpsafenet=0 as described in the BUGS section of pf.conf(5).

In general it is better to do "personal firewalling" in the MAC framework.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200608112031.33047.max>
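The following pf.conf fragment is an added illustration of the "user" and "group" keywords Max mentions; it is not part of the original message or of the pf project. The interface name em0, the group name webops, the user name dbadmin and the chosen ports are assumptions for the example.

```conf
# /etc/pf.conf -- added example, not from the original thread.
# Assumptions: external interface em0, a local group "webops",
# a local user "dbadmin".
#
# On the FreeBSD 6.x kernels this thread is about, pf.conf(5) BUGS
# says user/group matching requires debug.mpsafenet=0, set as a
# loader tunable in /boot/loader.conf:
#     debug.mpsafenet="0"

ext_if = "em0"

# Default deny for traffic originating on this host.
block out on $ext_if all

# Only members of the "webops" group may open outbound HTTP/HTTPS.
pass out on $ext_if proto tcp from any to any port { 80, 443 } \
    group webops keep state

# Only the user "dbadmin" may reach a remote PostgreSQL port.
pass out on $ext_if proto tcp from any to any port 5432 \
    user dbadmin keep state

# Numeric uid ranges work as well, e.g. allow DNS for all ordinary users.
pass out on $ext_if proto udp from any to any port 53 \
    user >= 1000 keep state
```

Two caveats a practitioner should keep in mind: the user and group options only match packets that have a local socket behind them (connections originating on, or terminating at, this host), so they are useless for traffic the box merely forwards; and the debug.mpsafenet tunable referred to above belongs to the FreeBSD 6 era and does not exist on current FreeBSD releases, so check the BUGS section of the pf.conf(5) shipped with the system you are actually running.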