On Mon, Apr 23, 2007 at 12:20:16PM +0200, Daniel Hartmeier wrote:
> On Fri, Apr 20, 2007 at 04:05:01PM -0700, Kilian CAVALOTTI wrote:
>
> > Wouldn't it be legitimate to consider NATed machines as well, and identify
> > connections with the couple (user_ip, user_id) rather than with the only
> > user_ip?
>
> How would you tell, from the outside of the NAT, what user_id
> establishes what connection? It's not like the TCP/IP header contains a
> field with that information...
>
> Daniel
Hello,

Of course the TCP/IP headers contain no field for such information, but one could argue that it's still doable, à la NuFW [1] with netfilter on Linux.

On the other hand, fine-grained filtering for users behind NAT can also be achieved with the use of a VPN, either IPsec or SSL. I would rather use the second option for such cases (client-to-gateway VPN, and filtering based on the address within the VPN).

Regards,

--
[1] http://www.nufw.org/-English-.html

--
Jérôme Magnin - jethro
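As an added illustration of the second option (not code from either poster), a pf ruleset sketch that places a NATed LAN, where every host leaves with the gateway's single outside address, next to a client-to-gateway IPsec VPN whose tunnel addresses can be matched per user. Interface names, address ranges and the per-user tunnel addresses are assumptions.

```pf
# Assumed interfaces: em0 = external, em1 = NATed LAN, enc0 = decrypted IPsec traffic
ext_if  = "em0"
lan_if  = "em1"
vpn_if  = "enc0"
lan_net = "192.168.1.0/24"      # assumed LAN range behind NAT
vpn_net = "10.9.0.0/24"         # assumed address plan handed to VPN clients
alice_vpn = "10.9.0.11"         # assumed per-user tunnel addresses
bob_vpn   = "10.9.0.12"

# NAT: every LAN host leaves as the external address. Any filter on the far side
# of this gateway sees only ($ext_if), so it cannot tell which LAN user connected.
nat on $ext_if from $lan_net to any -> ($ext_if)

block all
pass out on $ext_if keep state

# Let the IPsec tunnels themselves reach the gateway (IKE plus ESP/AH).
pass in on $ext_if proto udp to ($ext_if) port { 500 4500 } keep state
pass in on $ext_if proto { esp ah } to ($ext_if)

# LAN users share one outside address, so they can only be filtered as a group.
pass in on $lan_if from $lan_net to any port { 80 443 } keep state

# VPN clients keep their own tunnel address inside the gateway, so the filter
# can be written per user (least privilege per tunnel address).
pass in on $vpn_if from $alice_vpn to any port { 22 80 443 } keep state
pass in on $vpn_if from $bob_vpn   to any port { 80 443 }    keep state
```

The per-user rules only hold if each client's tunnel address is bound to its authenticated identity on the VPN side (for IPsec, by the peer's credentials), which is what the LAN side cannot provide.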
