> -----Original Message-----
> From: Johannes Kloos [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 29 September 2000 5:52 AM
> To: [EMAIL PROTECTED]
> Subject: Re: User level packet filtering
>
>
> On Thu, Sep 28, 2000 at 11:33:30PM +0500, Abdul Basit wrote:
> > Hey
> > Is it possible to do user based packet filtering in *nix ?
> > say i need to allow telnet access to all but i want to block port
> > 80(outbound) to some users
> > while allowing others ?
> >
> > something like the packet filter first checks the uid and then applies the
> > existing rule?
>
> netfilter (aka iptables) on linux includes "owner matching",
> so you may say:
>
> iptables -A OUTPUT -m owner --uid-owner luser -p tcp --dport 80 -j REJECT
And is there a way to match arbitrary streams from the internal network to a
given uid?
As far as I can tell the uid matching only works for users actually working
on the firewall.
The payware solution I've seen that looks best is based on putting users in
certain VLANs based on their login. The firewall can then just work out
access control based on IP address. That's good as far as it goes, but
involves some heavy investment in switches and access servers.
Cisco support a thing called "lock and key" which supports users "unlocking"
access lists for their IP address by telnetting to the access device and
authenticating. This is pretty brittle, though - it works on a time base
from there, so when the legit user walks away someone can quickly log in and
get elevated privilege.
Could we use IPSec - even with NULL encryption - to act as a de facto
circuit-level gateway? The IPSec SA would provide auth and integrity on a
per-user basis. If no encryption is required, which is likely in most LANs,
you wouldn't need a very beefy gateway to do the crypto for a fast ethernet
segment - especially with crypto offload NICs so cheap.
Of course this would mean that every user would need an IPSec client on
their desktop, but with Windoze carrying the flag and *nix only a quick
compile away this shouldn't be _too_ hard.
I know I'm kind of re-inventing the wheel - this is supposed to be what
SOCKS is for, right? But SOCKS doesn't look like it will ever be standard
issue on every desktop, and IPSec can easily be modified to use encryption
if your security model requires it.
Have I gone crazy again?
Cheers,
--
Ben Nagy
Network Consultant, Volante Solutions
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
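As an added example, not part of either poster's mail: a small shell helper that emits netfilter owner-match rules for a list of users, and refuses any chain other than OUTPUT, because the owner match looks at the local socket that generated the packet and so never sees forwarded LAN traffic (which is why uid matching only covers users logged in on the firewall itself). The function name and the user names are assumptions for illustration.

```shell
#!/bin/sh
# Emit per-user outbound port blocks using netfilter's owner match.
# The owner match (-m owner) inspects the local socket that produced the
# packet, so it is only meaningful in the OUTPUT chain of the host that
# generated the traffic; packets forwarded from other hosts carry no uid.

# uid_owner_reject_rules CHAIN PORT USER...
# Prints one iptables command per user. Returns non-zero for chains where
# the owner match does not apply (e.g. FORWARD) instead of emitting a
# rule that iptables would reject at load time.
uid_owner_reject_rules() {
    chain=$1
    port=$2
    shift 2
    case "$chain" in
        OUTPUT) ;;
        *)
            echo "owner match is only valid in OUTPUT, not $chain" >&2
            return 1
            ;;
    esac
    for user in "$@"; do
        # -m owner must precede --uid-owner so the match module is loaded;
        # everything else (telnet etc.) is left to the existing policy.
        printf 'iptables -A %s -m owner --uid-owner %s -p tcp --dport %s -j REJECT\n' \
            "$chain" "$user" "$port"
    done
}

# Example run for the case in the thread: block outbound port 80 for
# "luser" and "alice" (constructed user names), leave everyone else alone.
uid_owner_reject_rules OUTPUT 80 luser alice
```

Pipe the output into `sh` on the firewall itself to apply it; for users on other machines the rules simply never match.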