On Sun, Jan 12, 2003 at 06:23:09PM -0500, Steve Winnacott wrote:

> Based on group membership, allow or deny certain users access to certain
> outgoing services (www, telnet, ftp, ssh, ping, traceroute, etc). Again this
> is not IP based, but based on group membership. Everyone can log into any PC
> on the LAN. I've seen something like this done in Novell, where based on a
> user's group context, their access is limited to certain services.
From the ipfw(8) man page:

    RULE OPTIONS (MATCH PATTERNS)
         Additional match patterns can be used within rules.  Zero or more of
         these so-called options can be present in a rule, optionally prefixed
         by the not operand, and possibly grouped into or-blocks.  The following
         match patterns can be used (listed in alphabetical order):

         [...]

         gid group
                 Matches all TCP or UDP packets sent by or received for a
                 group.  A group may be specified by name or number.

which sounds like a way of implementing what you want. Section 10.7 of the
handbook covers setting up ipfw(8):

    http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html

If you need help generating a ruleset for ipfw(8), search the archives of
this list for innumerable examples or ask again here.

Note that this may not work entirely the way you expect as it's not possible
in all cases for the network stack to know what the gid of the local *user*
that causes the packets to be generated is, just the sending/receiving
process.

Another approach is to modify the ownership+permissions of the binaries on
the system --- this isn't foolproof by any means. A reasonably quick-witted
user can just grab their own copy of the binary from some other system, and
use that. It will, at least, make your intentions clear. E.g. to limit
telnet(1) to a particular group of users, try:

    # pw group add -n tlntusrs -M john,paul,george,ringo
    # chgrp tlntusrs /usr/bin/telnet
    # chmod 750 /usr/bin/telnet

Keep a script handy to regenerate the mode and group ownership changes as if
you ever do a {build,install}world your modifications will get blown away.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
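As an added illustration of both suggestions in the reply above (not code from the original mail or from FreeBSD itself), here is the kind of regeneration script Matthew recommends keeping handy, together with a small generator for the per-group ipfw(8) rules. It assumes the group already exists (created with `pw group add` as in the reply); the group name `tlntusrs` and `/usr/bin/telnet` are the mail's own example, while the rule numbers and the helper function names are hypothetical. The function that applies the restriction takes the binary's path as an argument so it can be tried against a scratch file before being pointed at the real binaries as root.

```shell
#!/bin/sh
# Added example, not from the original mail: a regeneration script of the
# kind Matthew suggests keeping so that the group/mode restrictions survive a
# {build,install}world.  Assumes the group already exists (pw group add ...).
# "tlntusrs" and /usr/bin/telnet are the mail's example; rule numbers below
# are hypothetical and should be fitted into whatever ruleset already exists.

# restrict_binary GROUP PATH: make PATH executable only by root and GROUP.
# Mode 750 = owner rwx, group r-x, others nothing, exactly as in the reply.
restrict_binary() {
    group="$1"
    path="$2"
    [ -f "$path" ] || { echo "restrict_binary: $path: no such file" >&2; return 1; }
    chgrp "$group" "$path" || return 1
    chmod 750 "$path" || return 1
}

# restricted_mode PATH: report the permission string as printed by ls(1),
# so the script can verify its own work ("-rwxr-x---" after restrict_binary).
restricted_mode() {
    ls -ld "$1" | cut -c1-10
}

# ipfw_gid_rules GROUP PORT...: print an ipfw(8) ruleset fragment that lets
# only processes running with GROUP's gid open outbound TCP connections to
# the listed ports, and denies everyone else.  The allow rule must come
# before the deny rule, hence the increasing numbers.  Remember the caveat
# from the reply: "gid" matches the gid of the process, not of the login user.
ipfw_gid_rules() {
    group="$1"; shift
    n=1000
    for port in "$@"; do
        echo "ipfw add $n allow tcp from me to any $port out gid $group"
        n=$((n + 10))
        echo "ipfw add $n deny tcp from me to any $port out"
        n=$((n + 10))
    done
}

# Typical use after an installworld (needs root and the real binaries, so it
# is left commented out here):
# restrict_binary tlntusrs /usr/bin/telnet
# restrict_binary tlntusrs /usr/bin/ftp
# ipfw_gid_rules tlntusrs 23 21 | sh
```

Run it once after every installworld; `restricted_mode` is there so the script can refuse to report success if chgrp or chmod silently did not take. The ipfw fragment only covers the ports you list, so the deny rule for a service belongs next to its allow rule rather than at the end of the whole ruleset.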