On Wed, 22 May 2002 17:28:37 -0700
"Crist J. Clark" <[EMAIL PROTECTED]> wrote:

> On Mon, May 20, 2002 at 07:39:36PM +0200, John Angelmo wrote:
> > Hello
> > 
> > I have a small problem with IPFW
> > 
> > How can I handle adding and removing rules based on IP/MAC per user?
> 
> Per user? You mean with 'uid' options?

Sorry, bad explanation from my side. In this case, for a user to get routing outside 
the server he/she needs to log in via a webform; after that, well, then he/she can do 
what he/she wants to.
I wonder if I can map that user login (in a mysql/pgsql db) to IPFW in some way so I 
can add/remove rules in an easy way based on user login? Just a shot in the dark :)

> 
> > I can add a rule for a specific IP/MAC without the need to flush but can 
> > I remove it in the same way?
> 
> It kind of sounds like you want to use 'keep-state' rules? But I'm
> confused about the "user" stuff.
> 
> > now let's say I have a user that only needs access to its mailserver 
> > mail.user.com with pop3 and smtp
> > then the rule for pop3 would be something like
> > add allow ip from mail.user.com 110 to IP/HOST (MAC doesn't work here right?)
> 
> Well, support for MAC addresses in ipfw(8) only exists in -CURRENT
> right now. But I think you want,
> 
>   add pass tcp from me to mail.user.com 25,110 keep-state

Well for 4.5 this seems to exist: http://www.bsdshell.net

> 
> Which will pass the return traffic.
> 
> > Now mail.user.com uses round robin so the IP changes from request to 
> > request, but doesn't IPFW resolve the IP when it's added to the rules? 
> > How can this be solved for the user?
> 
> You can load all of the IP addresses at start-up? There really is no
> way to deal with this within ipfw(8) itself. Rules for hostnames whose
> IP address changes is not a problem that can really be efficiently
> solved in a general way.

The problem is that the person configuring the firewall for the user can't possibly 
know about this problem unless the user states it.

Well, one way would be to hack a bit in ipfw so that the hostname isn't looked up when 
the rule is added but every time the user uses it, but this would take too much CPU time 
for IPFW I think.

/John
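As an added example (not code from the thread or from any of its authors), a sketch of how a login portal could drive ipfw(8) for the per-user case discussed above: each login gets a numbered block of rules, so they can be deleted on logout without a flush, and a round-robin mail host is resolved once at login to all of its addresses. The rule-number range, the slot numbers and the resolver step are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Per-user ipfw(8) rules are placed in a
# numbered block per login "slot", so a user's rules can be deleted on logout
# without flushing the ruleset. Assumed: rule numbers 10000-19999 are unused,
# the portal assigns each login a slot 0-999, and the mail server's addresses
# were resolved once at login (e.g. `host -t A mail.user.com`) and are passed
# in as a list, so a round-robin name contributes every address it resolves to.

USER_RULE_BASE=10000   # assumed free range in the ruleset
RULES_PER_SLOT=10      # one block of this many rule numbers per logged-in user

# First rule number of a slot.
slot_rule_base() {
    echo $(( USER_RULE_BASE + $1 * RULES_PER_SLOT ))
}

# Print the commands that let one client reach its mail server(s).
# $1 = slot, $2 = client IP, $3 = space-separated list of mail server IPs.
# keep-state (as in the reply above) passes the return traffic without a second rule.
user_login_rules() {
    slot=$1; client=$2; servers=$3
    count=0
    for srv in $servers; do count=$((count + 1)); done
    if [ "$count" -gt "$RULES_PER_SLOT" ]; then
        echo "slot $slot: at most $RULES_PER_SLOT servers per user" >&2
        return 1
    fi
    n=$(slot_rule_base "$slot")
    for srv in $servers; do
        echo "ipfw add $n allow tcp from $client to $srv 25,110 keep-state"
        n=$((n + 1))
    done
}

# Print the commands that revoke a slot's rules on logout.
# $1 = slot, $2 = number of rules that were added at login.
user_logout_rules() {
    slot=$1; added=$2
    n=$(slot_rule_base "$slot")
    last=$((n + added - 1))
    while [ "$n" -le "$last" ]; do
        echo "ipfw delete $n"
        n=$((n + 1))
    done
}

# Dry run: print what the portal would execute for slot 3 (constructed addresses).
# To apply for real, pipe the output to sh as root on the firewall.
user_login_rules 3 192.0.2.10 "198.51.100.1 198.51.100.2"
user_logout_rules 3 2
```

The portal has to record the slot and the number of rules it added per session, since that is what logout needs to undo them.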
