On Wed, Jul 29, 2009 at 01:42:44PM -0300, Marcello Cruz wrote:
> Dear all,
>
> Is there a way to use LDAP in a rule to allow or deny based on the user
> instead of the IP Address?

Okay, I'm going to be literal here... ypldap to map LDAP to NIS. Configure the box to allow users to be resolved by NIS as well as local files. Use the "user" parameter on the pf rule. There's an example in the pf.conf manpage.

>
> The idea is to permit the traffic from an inside user to access, for example,
> a VoIP resource on the Internet.

Of course I have no idea what you mean by "inside user."

Your specific question indicates someone that can actually log in on the OpenBSD firewall and run a VoIP application. Which seems reasonable for me because someone might be foolish enough to want me to run asterisk or a SIP gateway on the firewall.

If you mean an IP address associated with a specific user...

If the system with the IP associated with the user is high function (i.e. can run an ssh client in addition to everything else), then you want to look at authpf.

If the system with the IP associated with the user is low function (i.e. a SIP phone), but can negotiate WPA, LEAP, PPPoE, or 802.1X, then you'll want to investigate how to retrieve IP/user associations from your network auth mechanism and generate appropriate tables.

If your system is using registered MAC addresses to determine which VLAN a NIC goes into, you'll have to look into extracting that data from your registration system, and then correlate it against ARP data.

-- 
Chris Dukes
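As an added illustration of the first approach Chris describes (ypldap feeding NIS, then pf's "user" keyword), here is a pf.conf fragment that is not part of the thread. It assumes ypldap is already running and that /etc/master.passwd carries a trailing "+:*::::::::" entry so the constructed user name "alice" resolves through NIS; the interface name, user name and server addresses are all made up for the example.

```pf
# Added example, not from the mailing-list post.
# Only the NIS/LDAP-resolved user "alice" may open SIP signalling and RTP
# media sessions from the firewall itself. The "user" keyword matches the
# owner of the local socket, so this applies only to traffic that originates
# on (or terminates at) the firewall host, exactly the case Chris is being
# literal about; it does not identify users on other machines.

ext_if      = "em0"                                   # assumed interface
voip_user   = "alice"                                 # constructed NIS user
sip_servers = "{ 198.51.100.10, 198.51.100.11 }"      # constructed addresses

# Default: nobody on this host talks SIP outbound, and log the attempts.
block out log on $ext_if proto { tcp udp } to port 5060

# Signalling: permitted only when the originating socket belongs to alice.
pass out on $ext_if proto { tcp udp } to $sip_servers port 5060 user $voip_user

# Media: RTP range, again tied to alice's sockets.
pass out on $ext_if proto udp to $sip_servers port 10000:20000 user $voip_user
```

Check the mapping before trusting the rules: `getent passwd alice` (or `id alice`) should succeed via NIS, and `pfctl -sr` should show the user names resolved in the loaded ruleset. If the user cannot be resolved at load time, pfctl rejects the rule rather than silently matching nothing, which is the behaviour you want from a rule that stands in for an authorization decision.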