Date:      Sun, 4 Apr 1999 01:56:43 -0500 (EST)
From:      Brian Feldman <green@unixhelp.org>
To:        Kevin Day <toasty@home.dragondata.com>
Cc:        hackers@FreeBSD.ORG
Subject:   Re: ipfw uid
Message-ID:  <Pine.BSF.4.05.9904040150010.17120-100000@janus.syracuse.net>
In-Reply-To: <199904040617.AAA19930@home.dragondata.com>

On Sun, 4 Apr 1999, Kevin Day wrote:

> >   Is anyone interested in trying out my addition of per-uid firewalling
> > capabilities to ipfw?  I just did them today, but they seem to work fine.
> > For instance, logging/accounting purposes:
> > 
> > {"/usr/src/sbin/ipfw"}# ipfw show
> > 00050  8157 2864127 count ip from any to any uid 1000 in
> > 00060  8952 1834453 count ip from any to any uid 1000 out
> > 
> >   Just let me know if you'd like it!
> > 
> 
> If I'm understanding this correctly, could this be used to prevent all but
> one or two users from using a certain IP? (Yes, I realize they could still
> try to bind to it, but it wouldn't do them any good).
> 
> I was thinking about doing some kind of file per IP in /proc, that could be
> chmod'ed to allow/disallow users from doing things with, but this sounds
> much more elegant. :)

Certainly, that's one use for this!  I must clarify that previously I had
my uid test in the wrong place in ip_fw.c, so now output looks more like:

{"/home/green"}# ipfw show
00040    2     100 count ip from any to any uid 1000 in
00050 3310  479624 count ip from any to any uid 1000 out

  The only problem is that incoming packets aren't counted yet, as I haven't
figured out the best solution for that. I hope others have ideas so I
don't have to wrack my brain too much! The current code can be found at
http://janus.syracuse.net/~green/ipfw_uid.patch. Anyone who wants to help
with getting incoming packets working with uids, I welcome! Of course,
outgoing packet uid firewalling is much more useful in the first place, as it
can prevent access to whatever you specify, or track data sent, etc.

> 
> Kevin
> 

 Brian Feldman                _ __ ___ ____  ___ ___ ___  
 green@unixhelp.org                _ __ ___ | _ ) __|   \ 
     FreeBSD: The Power to Serve!      _ __ | _ \__ \ |) |
         http://www.freebsd.org           _ |___/___/___/ 



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
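
Added example, not part of the original message or of the patch it links to: a shell script for the accounting use mentioned in the thread, summing `ipfw show` counters per uid and direction and listing uids over an outgoing byte limit. The lines for uid 2000 and rule 65535, the function names and the limit value are constructed for illustration; the two uid 1000 lines are the ones quoted in the message.

```shell
#!/bin/sh
# Constructed sample input: the two uid 1000 counter lines from the message,
# plus a made-up uid 2000 rule and a made-up rule with no uid option.
sample_ipfw_show() {
cat <<'EOF'
00040    2     100 count ip from any to any uid 1000 in
00050 3310  479624 count ip from any to any uid 1000 out
00060   12    9000 count ip from any to any uid 2000 out
65535  500   40000 allow ip from any to any
EOF
}

# uid_totals: read `ipfw show` text on stdin and print one line per
# (uid, direction) pair: "uid dir packets bytes". Rules without a uid
# option, and non-counter lines such as shell prompts, are skipped.
uid_totals() {
  awk '
    # Fields: 1 = rule number, 2 = packets, 3 = bytes, 4..NF = rule body.
    $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
      uid = ""; dir = "any"
      for (i = 4; i <= NF; i++) {
        if ($i == "uid" && i < NF) uid = $(i + 1)
        if ($i == "in" || $i == "out") dir = $i
      }
      if (uid == "") next
      key = uid " " dir
      pkts[key] += $2; bytes[key] += $3
    }
    END { for (k in pkts) print k, pkts[k], bytes[k] }
  ' | sort
}

# over_budget LIMIT: read `ipfw show` text on stdin and print each uid whose
# summed outgoing byte count is greater than LIMIT.
over_budget() {
  uid_totals | awk -v limit="$1" '$2 == "out" && $4 > limit { print $1 }'
}

# Stand-alone run on the constructed sample.
sample_ipfw_show | uid_totals
```

On a live system the input would come from `ipfw show` itself, for example `ipfw show | over_budget 100000`.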



