30.07.09, 13:55, "Marcello Cruz" <marcello.c...@globo.com>:
> Dear all,
> Is there a way to use LDAP in a rule to allow or deny based on the user
> instead of the IP Address?
> The idea is to permit the traffic from an inside user to access, for example,
> a VoIP resource on the Internet.

Based on user... For this I use a PPPoE server with a list of usernames/passwords/IP addresses. Users connect with their usernames to the PPPoE server, and PF controls traffic from the PPPoE IP addresses. You can write a script to synchronize users in LDAP and the /etc/ppp/ppp.secret file.

Example: allow access for "user1" to web sites, and for "user2" to mail servers.

/etc/ppp/ppp.secret:

user1 pass1 192.168.100.1
user2 pass2 192.168.100.2
..

/etc/pf.conf:

# all PPPoE sessions come up on tun(4) interfaces; match them as a group
pppoe_if_grp = "tun"

# one table per access role, loaded from a file the sync script rewrites
table <web-pppoe> file "/etc/pftables/int-web-pppoe"
table <mail-pppoe> file "/etc/pftables/int-mail-pppoe"

pass in log quick on $pppoe_if_grp inet proto tcp from <mail-pppoe> to any port = pop3
pass in log quick on $pppoe_if_grp inet proto tcp from <mail-pppoe> to any port = smtp
pass in log quick on $pppoe_if_grp inet proto tcp from <web-pppoe> to any port { www, https }
..

/etc/pftables/int-web-pppoe:

192.168.100.1
..

/etc/pftables/int-mail-pppoe:

192.168.100.2
..
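The sync step the reply leaves to the reader, as an added example that is not part of the original mail: it reads the user/IP pairs from ppp.secret, joins them with a hypothetical "user role" file (the piece a real script would derive from LDAP group membership), writes the per-role pf table files and swaps them in with pfctl. Users whose ppp.secret entry has no fixed address are deliberately left out, since a static table cannot name them.

```python
import ipaddress
import subprocess
from collections import defaultdict

def _fields(text):
    """Yield whitespace-split fields of each non-empty, non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()

def parse_ppp_secret(text):
    """{user: ip} from ppp.secret lines 'user password ip'; no fixed ip -> skipped."""
    users = {}
    for f in _fields(text):
        if len(f) >= 3:
            try:
                users[f[0]] = str(ipaddress.ip_address(f[2]))
            except ValueError:
                pass  # '*' or similar: dynamic address, not usable in a table file
    return users

def parse_roles(text):
    """{user: set(roles)} from hypothetical 'user role' lines (LDAP-derived)."""
    roles = defaultdict(set)
    for f in _fields(text):
        if len(f) >= 2:
            roles[f[0]].add(f[1])
    return roles

def build_tables(users, roles):
    """{role: sorted IP list}; a user is listed only if ppp.secret pins an IP."""
    tables = defaultdict(set)
    for user, user_roles in roles.items():
        if user in users:
            for role in user_roles:
                tables[role].add(users[user])
    return {r: sorted(ips, key=ipaddress.ip_address) for r, ips in tables.items()}

def write_and_reload(tables, directory="/etc/pftables"):
    """Rewrite /etc/pftables/int-<role>-pppoe and replace the live table contents."""
    for role, ips in tables.items():
        path = f"{directory}/int-{role}-pppoe"
        with open(path, "w") as fh:
            fh.write("".join(ip + "\n" for ip in ips))
        subprocess.run(["pfctl", "-t", f"{role}-pppoe", "-T", "replace", "-f", path],
                       check=True)

# Constructed sample input mirroring the mail; user3 has no fixed address.
PPP_SECRET = "user1 pass1 192.168.100.1\nuser2 pass2 192.168.100.2\nuser3 pass3 *\n"
ROLES = "user1 web\nuser2 mail\nuser3 web\n"
```

Running `write_and_reload(build_tables(parse_ppp_secret(PPP_SECRET), parse_roles(ROLES)))` on the firewall rewrites int-web-pppoe and int-mail-pppoe and reloads both tables without touching the rest of the ruleset.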