Date: Thu, 15 Aug 2002 07:53:27 -0700
From: Benjamin Krueger <benjamin@seattleFenix.net>
To: Dan Nelson <dnelson@allantgroup.com>
Cc: Derek <derek@durham.net>, freebsd-questions@FreeBSD.ORG
Subject: Re: Integrated firewall
Message-ID: <20020815075327.D3109@mail.seattleFenix.net>
In-Reply-To: <20020815143600.GN2459@dan.emsphone.com>; from dnelson@allantgroup.com on Thu, Aug 15, 2002 at 09:36:01AM -0500
References: <003801c243e4$a672efb0$1101a8c0@mike> <007701c24466$d5093aa0$04fea8c0@motorcity.on.ca> <20020815143600.GN2459@dan.emsphone.com>
* Dan Nelson (dnelson@allantgroup.com) [020815 07:36]:
> In the last episode (Aug 15), Derek said:
> > I agree entirely with your ISA Server sentiment.
> >
> > However, the situation dictates that many users with different
> > protocol access needs may use the same computer, or one user could
> > use many computers. I imagine this is a fairly common scenario these
> > days. ipfw has the ability to filter by uid/gid, but I suspect that
> > is only from the local machine. ISA Server has the ability to
> > provide filters based on a user's (Active Directory) SID. I would
> > like to be able to provide this (or equivalent) functionality using a
> > 'real' network OS (FreeBSD of course :).
>
> But how does it do this? Say I bring a Win95 laptop onto your network
> and load up a web page? Exactly how does ISA determine a "username"
> from the TCP SYN packet I send out? What if that laptop is running
> FreeBSD?
>
> My guess is that the ICA machine is also the domain master, and
> requires you to have logged into the domain before it will allow
> packets from your IP, and then it assumes that any traffic from that IP
> is from the same user that logged into it (i.e. have an ICA rule that
> says "no traffic from Administrator", log into a machine as Bob, then
> start IE as Administrator via runas, and you'll still be able to
> browse)
>
> I'm sure you could do something similar on the FreeBSD box, either by
> somehow getting the list of active users from your NT domain master, or
> installing samba and requiring that a user maps a drive to it before
> browsing. That'll let you easily look up username based on IP.
>
> --
> 	Dan Nelson
> 	dnelson@allantgroup.com

If I were to approach this, I would probably do it with a PAM module. You
might keep a user to proto_privs map in a file which could then be looked
up after a successful login, and used to alter the current local ipf(w)
ruleset.

kim:ftp,ssh,smtp,pop3,dns,identd,http,https
joe:smtp,pop3,dns,http,https

That would be a simplistic mapping, but it illustrates the point. The
downside is that this assumes 1 user session per machine. I don't see how
you can readily restrict 2 users with different privilege levels who are
logged on to the same machine without really screwing with system
internals. =)

--
Benjamin Krueger

"Life is far too important a thing ever to talk seriously about."
- Oscar Wilde (1854 - 1900)
----------------------------------------------------------------
Send mail w/ subject 'send public key' or query for (0x251A4B18)
Fingerprint = A642 F299 C1C1 C828 F186 A851 CFF0 7711 251A 4B18
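The user-to-protocol map sketched in the message above, worked through as an added example (this is not code from the original post, from FreeBSD, or from any PAM module): it parses the `user:proto,proto` file format, and for a user who has just logged in from a known address it emits the ipfw commands that open exactly that user's protocols from that address and drop everything else, plus the matching `ipfw delete` commands for logout. The sample map text, the name-to-port table, the rule-number block per login, and the client address are all constructed assumptions; a real deployment would take the address from the login session and the ports from /etc/services.

```python
"""Generate per-login ipfw rules from a user:protos privilege map.

Added example, not part of the original message. The map text, the
SERVICES table, the rule numbering scheme and the client address below
are assumptions made for the example.
"""
from typing import Dict, List, Tuple

# Constructed sample of the map file format described in the message.
SAMPLE_PRIVMAP = """\
# user:comma-separated protocols that user may use from the login host
kim:ftp,ssh,smtp,pop3,dns,identd,http,https
joe:smtp,pop3,dns,http,https
"""

# Assumed protocol name -> (ip protocol, destination port) table; inlined
# so the example runs offline instead of reading /etc/services.
SERVICES: Dict[str, List[Tuple[str, int]]] = {
    "ftp": [("tcp", 21)],
    "ssh": [("tcp", 22)],
    "smtp": [("tcp", 25)],
    "dns": [("udp", 53), ("tcp", 53)],
    "http": [("tcp", 80)],
    "pop3": [("tcp", 110)],
    "identd": [("tcp", 113)],
    "https": [("tcp", 443)],
}

# Each login owns a private block of ipfw rule numbers [base, base+99];
# the last number in the block holds the closing deny rule.
RULES_PER_LOGIN = 100


def parse_privmap(text: str) -> Dict[str, List[str]]:
    """Parse 'user:proto,proto' lines into {user: [protos]}.

    Blank lines and '#' comments are skipped. A malformed or duplicate
    line raises ValueError rather than being silently ignored, because a
    half-parsed privilege file is worse than no privilege file.
    """
    privs: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected user:protos")
        user, _, protos = line.partition(":")
        user = user.strip()
        if not user or user in privs:
            raise ValueError(f"line {lineno}: missing or duplicate user")
        privs[user] = [p.strip() for p in protos.split(",") if p.strip()]
    return privs


def rules_for(user: str, addr: str, privs: Dict[str, List[str]],
              base: int) -> Tuple[List[str], List[str]]:
    """Return (setup_cmds, teardown_cmds) for one login.

    setup_cmds allow only the user's protocols from addr and then deny the
    rest of that address's traffic; teardown_cmds remove exactly the rules
    that were added. An unknown user or protocol raises, so a typo in the
    map fails closed instead of granting something unintended.
    """
    if user not in privs:
        raise KeyError(f"no privilege entry for {user!r}")
    setup: List[str] = []
    numbers: List[int] = []
    num = base
    for proto in privs[user]:
        if proto not in SERVICES:
            raise ValueError(f"unknown protocol {proto!r} for {user}")
        for ipproto, port in SERVICES[proto]:
            setup.append(f"ipfw add {num} allow {ipproto} from {addr} to any {port}")
            numbers.append(num)
            num += 1
    deny_num = base + RULES_PER_LOGIN - 1
    if num >= deny_num:
        raise ValueError(f"too many rules for {user} to fit one block")
    setup.append(f"ipfw add {deny_num} deny ip from {addr} to any")
    numbers.append(deny_num)
    teardown = [f"ipfw delete {n}" for n in numbers]
    return setup, teardown


if __name__ == "__main__":
    # Constructed login: joe authenticated from 10.0.0.5, first slot.
    privmap = parse_privmap(SAMPLE_PRIVMAP)
    setup, teardown = rules_for("joe", "10.0.0.5", privmap, base=1000)
    print("\n".join(setup))
    print("--- at logout ---")
    print("\n".join(teardown))
```

The rules only open the outbound direction; the surrounding ruleset still has to pass return traffic (for instance an `established` rule for TCP) or the allowed connections will not complete. As the message itself points out, the rules key on the address the login came from, so a second user on the same host inherits the first user's block until it is torn down; that is the one-session-per-machine limitation, not something the map format can express.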