From owner-freebsd-questions  Wed Jun 14  9:54:36 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from hindenburg.eboai.org (hindenburg.eboai.org [205.181.254.190])
	by hub.freebsd.org (Postfix) with ESMTP id D0FEE37C2C3
	for <freebsd-questions@freebsd.org>; Wed, 14 Jun 2000 09:54:33 -0700 (PDT)
	(envelope-from chip@chocobo.cx)
Received: by hindenburg.eboai.org (Postfix, from userid 1000)
	id 2EA9F3D67; Wed, 14 Jun 2000 12:54:23 -0400 (EDT)
Date: Wed, 14 Jun 2000 12:54:23 -0400
From: Chip Marshall <chip@setzer.chocobo.cx>
To: James Howard <howardjp@wam.umd.edu>
Cc: freebsd-questions@freebsd.org
Subject: Re: Limiting Internet Access
Message-ID: <20000614125423.A32693@setzer.chocobo.cx>
Reply-To: chip@chocobo.cx
References: <200006141649.MAA01241@rac4.wam.umd.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.1.4i
In-Reply-To: <200006141649.MAA01241@rac4.wam.umd.edu>; from howardjp@wam.umd.edu on Wed, Jun 14, 2000 at 12:49:29PM -0400
X-URL: http://www.chocobo.cx/chip/
X-OS: FreeBSD 3.4-RELEASE i386
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On June 14, 2000, James Howard sent me the following:
> Hey everyone.  We are currnetly moving our BBS (www.arbornet.org) from
> BSD/OS to FreeBSD.  One of the limits we placed on users was that they
> were not allowed to send outbound Internet traffic (ie, they could not
> telnet out from our system, etc).  
> 
> Under BSD/OS (3.0) the kernel had been patched and checked for a
> hard-coded list of groups (paying users had access, special binaries like
> finger too).  But I have heard that under FreeBSD, limiting like this is
> is run-time configurable.  How does this work?

I think the easiest way to do that would be to setup IPFW to deny
outboard traffic from certain groups, ie:

deny ip from any to any gid nonpay

where nonpay is the name of the group for people who don't pay for
Internet access. I know that this does not affect people logging in to
a system remotely via SSH, but I'm not sure how it affects remote
access via rsh or telnet.

-- 
Chip Marshall <chip@chocobo.cx> http://www.chocobo.cx/chip/ Finger for PGP
GCM/CS d+(-) s+:++ a18>? C++ UB++++$ P+++$ L- E--- W++ N+@ o K- w O M+ V--
PS PE Y? PGP++ t+@ 5 X R>+ tv+() b++>+++ DI++++ D(-) G++ e>++ h!>++ r-- y-


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message