RE: Also, "...new chroot functionally off ssh that is shipping with open 4.3, will help on doing this."
I'll look into this. It's my understanding, flawed asit may be, that (i) sshd runs as root and (ii) there can be one instance only. Do you know if the sshd in 4.3 via chroot affords (i) sshd as a user or group id and (ii) would multiple instances (with different user/group ids) be possible. If these other-then-root user or group ids are filterable in pf it might work. If this is the favorable case, then my problem may be solvable by running two sshd instances -- one for the outside to inside sessions and an other handling the (inside) wifi sessions, each with the pf rules peculiar to the desired traffic flows. Or am I doing the exotic "zebra" instead of plain "horse" thing? Thx. -----Original Message----- From: Giancarlo Razzolini <[EMAIL PROTECTED]> Reply-To: [EMAIL PROTECTED] To: misc@openbsd.org Subject: Re: pf tag goes missing post sshd tcp decapsulization Date: Mon, 03 Mar 2008 13:02:02 -0300 Mailer: Thunderbird 1.5.0.14pre (X11/20071023) Delivered-To: [EMAIL PROTECTED] Henning Brauer escreveu: > * Giancarlo Razzolini <[EMAIL PROTECTED]> [2008-03-03 14:35]: >> Tags are only visible while in the kernel. Once you send them to a >> application, unless it has the ability to set a tag, the tag will be >> lost. The ftp-proxy(8) AFAICR, since 4.1 has the ability to set a tag on >> the packet. It would be nice if more userland applications like sshd, >> spamd, hoststated, etc, could set tags too. > > actually, it is not ftp-proxy that sets tags. ftp-proxy dynamically > inserts rules and makes THEM tag the packets. that concept doesn't > translate all that well to the other usage cases you mention. > And, as the packets passes by the rules that ftp-proxy inserted, they can be filtered on using the tag inserted with ftp-proxy. But it would be really nice to have other applications being able to "see" tags and set them too in the packets passing through them. But i don't see it much as a limitation. I do use the user keyword or other means to filter based on the application. Also, a very good thing is the ability to use the authpf. I also think that the new chroot functionally off ssh that is shipping with open 4.3, will help on doing this. My regards, -- Giancarlo Razzolini Linux User 172199 Red Hat Certified Engineer no:804006389722501 Moleque Sem Conteudo Numero #002 Slackware Current OpenBSD Stable Ubuntu 7.04 Feisty Fawn Snike Tecnologia em Informatica 4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85 [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
