Date: Fri, 4 May 2007 20:28:53 +0200 From: Max Laier <max@love2party.net> To: freebsd-pf@freebsd.org Subject: Re: PF and AD Message-ID: <200705042028.59796.max@love2party.net> In-Reply-To: <BAY114-F365394C9F95BA357613A91A5400@phx.gbl> References: <BAY114-F365394C9F95BA357613A91A5400@phx.gbl>
next in thread | previous in thread | raw e-mail | index | archive | help
--nextPart6008933.FOT41IyrSg Content-Type: text/plain; charset="iso-8859-6" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline [ Please don't top post - it reverses the communication flow ] On Friday 04 May 2007, Ricardo Benq wrote: > > Ricardo Benq wrote: > > >Hello. > > >Is it possible to make filter rules that are based on Microsoft > > > Active Directory users? > > >Do I have to install samba/winbind? Are there tutorials? > > > > Short answer: no. > > Longer answer: Not that I can really think off an example where that > > would be of use. Can you provide more details as of your network > > setup and what do you want to achieve? The moon is too cloudy today, > > and so is our spiritual possibilities. > > Ok, Gregory, here it goes: > In our network, all users are AD domain users that have access to > services/networks restricted by AD groups. > We already have a SQUID/Dansguardian that filter internet access for AD > user/groups via ACLs for radio, video, messenger, etc. All Active > Diretory users are authenticated on SQUID , using SAMBA/Winbind. > What we want is to use PF to filter access to, say, DMZ servers and > internet from internal network, based on user names and AD groups. So you are interested to map host-ip to authenticated user on that host,=20 correct? I think you should be able to produce a login script that=20 initiates an ssh connection to authpf, which in turn adds required rules=20 to the firewall. Note that anything that relies on host-ip as a security feature is doomed. = =20 Especially in LANs an IP is easily spoofed. So unless you have a proxy=20 that can do further authentication, you can't be sure you get what you=20 ask for. =2D-=20 /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News --nextPart6008933.FOT41IyrSg Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (FreeBSD) iD8DBQBGO3tmXyyEoT62BG0RApjxAJ9PlpuToRCvReb66IZm65vSacbMYQCbBhoF XZfV4VGAhXSmFx09si9eR1o= =r0lL -----END PGP SIGNATURE----- --nextPart6008933.FOT41IyrSg--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200705042028.59796.max>