From: Simon H. <li...@th...> - 2010-12-02 10:33:36
Scott Ryan wrote:
>I am very interested in this thread - I was not aware that this was
>supported (laziness on my behalf, I guess).
>Can you give an example of a user rule? How does the user authenticate?
>LDAP support for users/groups would be ideal.

Extract from 'man shorewall-rules':

>       USER/GROUP (Optional) - [!][user-name-or-number]
>       [:group-name-or-number][+program-name]
>           This column may only be non-empty if the SOURCE
>           is the firewall itself.
>
>           When this column is non-empty, the rule applies only
>           if the program generating the output is running under
>           the effective user and/or group specified (or is NOT
>           running under that id if "!" is given).
>
>           Examples:
>
>           joe
>               program must be run by joe
>
>           :kids
>               program must be run by a member of the 'kids' group
>
>           !:kids
>               program must not be run by a member of the 'kids' group
>
>           +upnpd
>               #program named upnpd
>
>       Important
>           The ability to specify a program name was removed from
>           Netfilter in kernel version 2.6.14.

As Shai says, this only applies to connections originating from programs running on the firewall itself - this is the ONLY time the Netfilter programs have any concept of "user" in relation to packets being passed.

For any other traffic, you would have to use a proxy on the firewall AND arrange that all packets it forwarded were done in a suitable user context. I'm not aware of any proxy that would support that, and to do it in one thread would (I imagine) create an awful lot of context switches as the proxy switched users to send packets - or it would have to spawn a thread for each user and route all packets through the appropriate thread.

--
Simon Hobson
Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
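An added example (not from this thread or from the Shorewall project) of how the USER/GROUP column from the man page extract sits in an /etc/shorewall/rules file; the zone name "net" and the user and group names joe and kids are assumed.

```conf
# Added example of /etc/shorewall/rules entries using the USER/GROUP
# column. Zone 'net' and the names joe and kids are assumed.
#
# SOURCE must be $FW: Shorewall implements this column with the
# Netfilter owner match, which only exists for packets the firewall
# host itself generates (the OUTPUT chain), where the kernel knows the
# uid/gid of the socket that sent the packet.
#
#ACTION   SOURCE  DEST  PROTO  DEST    SOURCE  ORIGINAL  RATE   USER/
#                              PORT    PORT(S) DEST      LIMIT  GROUP

# Web traffic originating on the firewall host is accepted only when
# the sending program runs as user joe.
ACCEPT    $FW     net   tcp    80,443  -       -         -      joe

# Programs run by members of group 'kids' on the firewall host may not
# open outbound SSH sessions; everyone else on the host may.
REJECT    $FW     net   tcp    22      -       -         -      :kids
ACCEPT    $FW     net   tcp    22      -       -         -      -

# Not permitted: the column is meaningless for forwarded traffic, since
# Netfilter has no uid/gid for packets that originated on another host.
#ACCEPT   loc     net   tcp    80      -       -         -      joe
```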