Can PF allow access by username/userid?
Max Laier
max at love2party.net
Fri Aug 11 18:30:52 UTC 2006
On Friday 11 August 2006 17:49, Odhiambo Washington wrote:
> In the following article:
>
> http://www.linux.com/article.pl?sid=04/07/01/1833212
>
> ... under the section "Putting it in action", the writer
> describes how they limit access by username with IPTables.
>
> I am wondering if this is achievable with PF. If yes, which section
> of the FAQ should I read?

There is a "user" and "group" keyword that can be used to match user and group
credentials (surprise). Note however, that inspecting socket information
(Layer 4) in pf (Layer 3) is a layering violation. This manifests itself in
a Lock Order Reversal (LOR) which can lead to a deadlock. Thus you need to
set debug.mpsafenet=0 as described in the BUGS section of pf.conf(5).

In general it is better to do "personal firewalling" in the MAC framework.

--
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
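
An added illustration of the reply above, not part of Max Laier's message: a pf.conf fragment that filters by the "user" and "group" keywords. The user name alice, the group staff, and the chosen ports are assumptions made up for this example.

```conf
# /etc/pf.conf fragment (constructed example, not from the original post)
#
# Prerequisite named in the reply: the BUGS section of pf.conf(5) requires
# debug.mpsafenet to be 0 when user/group matching is used. It is a loader
# tunable, so it goes in /boot/loader.conf:
#     debug.mpsafenet="0"
#
# user/group match only TCP and UDP packets that belong to a socket on this
# host. For outgoing connections that is the user who opened the socket; for
# incoming connections it is the user listening on the destination port.
# Forwarded traffic has no local socket, so its user and group are unknown.

# Default: no local process may open outbound TCP/UDP connections.
block out log proto { tcp, udp } all

# DNS lookups are made by the process that needs the name, so the
# permitted users also need port 53 (hypothetical user: alice).
pass out proto { tcp, udp } from any to any port domain \
    user { root, alice } keep state

# alice may browse the web.
pass out proto tcp from any to any port { http, https } \
    user alice flags S/SA keep state

# Members of the hypothetical group staff may make outbound SSH connections.
pass out proto tcp from any to any port ssh \
    group staff flags S/SA keep state
```

Running pfctl -nf /etc/pf.conf parses the rule set without loading it, which catches syntax errors before the rules go live.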
More information about the freebsd-pf mailing list