On Fri, Jul 31, 2009 at 08:58:26AM -0300, Marcello Cruz wrote:
> Thanks Chris! Thanks everybody! I was not clear, my mistake. I'm sorry.

Please do not top post and if you are not going to respond to specific
bits of quoted text, delete the quoted bits of text. Thanks.

> > The idea is to allow traffic from a computer on the inside network
> > to pass the traffic to the outside network (Internet) using some
> > directory service based on LDAP (Active Directory).

I suspect you have not a clue about the layers to networking.
Let's go for the simple case of a single user/computer.

Let's start at the lowest network layer.
http://www.geocities.com/billalexander/ethernet.html
Do you see any fields in the header that contain user or auth information?

Let's go up a layer
http://www.erg.abdn.ac.uk/users/gorry/course/inet-pages/ip-packet.html
Do you see any fields in the header that contain user or auth information?

Another layer
http://en.wikipedia.org/wiki/Transmission_Control_Protocol
go down to TCP segment structure
Do you see any fields in the header that contain user or auth information?

Same layer, different protocol
http://en.wikipedia.org/wiki/User_Datagram_Protocol
See anything in the headers that looks like user or auth information?

Let's go up one more layer
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
look at section 14.8, ah we have credentials.

Unfortunately, pf does not process packets this deeply. With the
exception of packets initiated from the machine running pf, pf has no
idea what user is associated with a given packet.

You can have a table of IPs associated with a given set of rules and
management of that table by some mechanism that involves LDAP
authentication.
You can associate an IP with a user specific rule set through authpf on
the OpenBSD firewall.
You can redirect all traffic for a permitted protocol to a proxy server
for that protocol, and have that proxy server require certain
authorization information.

> > Users in the LAN sometimes need to use other PCs than usual or the
> > PC should be used by lots of users. It should be good if the firewall
> > rules could be created to allow/deny based on the user of the PC
> > instead of the IP Address. Note that the PC and the firewall are
> > distinct computers. For example, certain firewalls integrate the
> > firewall rules with some kind of LDAP Server the same way as Squid
> > does (I know Squid is a proxy server).

And 'pf' is out of the picture when you reach the data portion of a TCP
or UDP packet. You can redirect the traffic to a proxy, but once that's
done, it really ceases to be an OpenBSD issue.

And if you have a machine that allows more than one user on at once,
you'll either have to use whatever packet filtering services are
available on it to block on a per user basis, or else ensure that
traffic is redirected to proxy servers that require user authentication.
If the protocol does not lend itself to a proxy server that requires
user authentication, then you'll have to investigate VPN technologies
that restrict access to a specific VPN to the user that started it and
doesn't choke at a single IP running multiple VPNs to the same
destination. Again, OpenBSD is out of the picture unless this shared use
machine is running OpenBSD.

> > Maybe it is not a smart idea, and if so, I'd like to know why (if
> > possible)? Is there another way to do the same without compromising
> > the security? I thought about authpf, but I'm trying to avoid future
> > problems regarding security.

The two biggest threats to computer security are
1) Users
2) Ignorance
Hopefully this email will start to address #2.
I suggest a wood chipper for addressing #1.
-- 
Chris Dukes
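The three options Chris lists (an externally managed table of authenticated IPs, authpf anchors, and redirection to an authenticating proxy) side by side in one pf.conf, as an added illustration that is not part of the thread. It assumes the 2009-era rdr syntax, interface em1, LAN prefix 192.168.1.0/24, a table named authenticated, and a Squid-style proxy on port 3128; all of those are placeholders.

```pf
# Added example, not from the mailing-list reply. Interface, LAN prefix,
# table name and proxy port are assumed values.
int_if = "em1"
lan    = "192.168.1.0/24"
proxy  = "127.0.0.1"

# Option 1: a table of source IPs. pf never sees a username, so some
# process that already authenticated the user (against LDAP or otherwise)
# must add and later remove the address, e.g.
#   pfctl -t authenticated -T add 192.168.1.23
#   pfctl -t authenticated -T delete 192.168.1.23
table <authenticated> persist

# Option 2: authpf(8). When a user ssh-logs into the firewall, authpf
# loads that user's rules into these anchors; they are removed at logout.
nat-anchor   "authpf/*"
rdr-anchor   "authpf/*"
binat-anchor "authpf/*"

# Option 3: push a protocol pf cannot inspect for credentials (HTTP here)
# through a proxy that performs its own user authentication.
rdr pass on $int_if proto tcp from $lan to any port 80 -> $proxy port 3128

# Filter rules: deny the LAN by default, allow only addresses that some
# authenticated step placed in the table, then let authpf add per-user
# rules (no "quick" on the block, so the later rules can override it).
block in on $int_if from $lan to any
pass in on $int_if from <authenticated> to any keep state
anchor "authpf/*"
```

Note that the table and the authpf anchor both key on an IP address, which is exactly the shared-PC weakness discussed above; only the proxy option ties a decision to a user rather than a host.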