From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Wed, 1 Feb 2006 20:12:28 +0100
Subject: Re: Using pf to force different outgoing IP address depending on UNIX user/group for locally originating connection?
Message-Id: <200602012012.35732.max@love2party.net>
In-Reply-To: <43DFC05E.5030602@i.cz>
References: <43DFC05E.5030602@i.cz>

On Tuesday 31 January 2006 20:54, Eduard Vopicka wrote:
> My goal is to use pf to force (via NAT) different IP outgoing addresses
> depending on UID and/or GID of the program establishing the connection, for
> connections originating locally on machine with FreeBSD 5.4. (I do not
> expect this to work for setuid/setgid programs.)

Did you consider just using jail(8) to jail the processes to the specific IP?
This should be most performant and also easy to set up (depending on your
configuration requirements). If you are concerned with daemons here, it's a
matter of prepending "jail / hostname IP" to the startup script; if you are
concerned with real users it's a bit more complicated, but there are dozens
of tutorials on the web.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News