From owner-freebsd-net Thu May 23 00:09:33 2002
Date: Thu, 23 May 2002 00:09:24 -0700
From: "Crist J. Clark"
To: John Angelmo
Cc: net@FreeBSD.ORG
Subject: Re: "dynamic" ipfw
Message-ID: <20020523000924.A9562@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <3CE934D8.9010302@veidit.net> <20020522172837.A8894@blossom.cjclark.org> <20020523025116.41a796b6.john@veidit.net>
In-Reply-To: <20020523025116.41a796b6.john@veidit.net>; from john@veidit.net on Thu, May 23, 2002 at 02:51:16AM +0200

On Thu, May 23, 2002 at 02:51:16AM +0200, John Angelmo wrote:
> On Wed, 22 May 2002 17:28:37 -0700
> "Crist J. Clark" wrote:
>
> > On Mon, May 20, 2002 at 07:39:36PM +0200, John Angelmo wrote:
> > > Hello
> > >
> > > I have a small problem with IPFW
> > >
> > > How can I handle adding and removing rules based on IP/MAC per user?
> >
> > Per user? You mean with 'uid' options?
>
> Sorry, bad explanation from my side. In this case, for a user to get
> routing outside the server he/she needs to login via a webform; after
> that, well, then he/she can do what he/she wants to.
> I wonder if I can map that user login (in a mysql/pgsql db) to IPFW in
> some way so I can add/remove rules in an easy way based on user login?
> Just a shot in the dark :)

You can do whatever you want. Obviously, something like this sounds like
you will need to roll your own code/scripts. I know FreeBSD doesn't
include anything like this and doubt there are existing packages.

That said, I still don't really understand what that means. Users "get
routing outside the server" by using a webform?

> > > I can add a rule for a specific IP/MAC without the need to flush but can
> > > I remove it in the same way?
> >
> > It kind of sounds like you want to use 'keep-state' rules? But I'm
> > confused about the "user" stuff.
> >
> > > now let's say I have a user that only needs access to its mailserver
> > > mail.user.com with pop3 and smtp
> > > then the rule for pop3 would be something like
> > > add allow ip from mail.user.com 110 to IP/HOST (MAC doesn't work here right?)
> >
> > Well, support for MAC addresses in ipfw(8) only exists in -CURRENT
> > right now. But I think you want,
> >
> > add pass tcp from me to mail.user.com 25,110 keep-state
>
> Well for 4.5 this seems to exist: http://www.bsdshell.net

Yeah, the 3rd party ethfw utility. It is not strictly part of FreeBSD and
is not part of ipfw(8), but I've never heard anyone say anything bad
about it (haven't heard all that much period).

> > Which will pass the return traffic.
> >
> > > Now mail.user.com uses round-robin so the IP changes from request to
> > > request, but doesn't IPFW resolve the IP when it's added to the rules?
> > > How can this be solved for the user?
> >
> > You can load all of the IP addresses at start-up? There really is no
> > way to deal with this within ipfw(8) itself. Rules for hostnames whose
> > IP address changes are not a problem that can really be efficiently
> > solved in a general way.
>
> the problem is that the person configuring the firewall for the user
> can't possibly know about this problem unless the user states it.
>
> well one way would be to hack a bit in ipfw so that the hostname isn't
> looked up when the rule is added but every time the user uses it, but
> this would take too much CPU time for IPFW I think

Exactly, it cannot be solved efficiently for the general case. (But it
would be network limited, not CPU. Imagine the lag waiting for DNS
lookups for each packet.)
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
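As an added example that is not part of the thread, this is the kind of home-grown script Crist says you would have to write: it maps a logged-in client's address to a fixed ipfw rule number, adds one keep-state rule per mail-server address (ipfw resolves a hostname only when the rule is added, so a round-robin name has to be expanded into all of its addresses first), and revokes access with a single `ipfw delete` instead of a flush. The reserved rule range, the sample addresses and the `IPFW` variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD.
# Assumptions: clients live in one /24, rule numbers 10000-10255 are reserved
# for per-client rules (one number per client), and IPFW defaults to
# "echo ipfw" so the script only prints the commands it would run.
# Run as root with IPFW=ipfw to actually apply them.
IPFW="${IPFW:-echo ipfw}"
BASE=10000

# Deterministic rule number for a client: BASE plus the last octet of its
# address, so add and delete agree without keeping any state on disk.
rule_number() {
    last=${1##*.}
    echo $((BASE + last))
}

# Grant access: one rule per mail-server address, all sharing the client's
# rule number. ipfw resolves names only at add time, so every address a
# round-robin name returns must be passed explicitly as $2, $3, ...
grant() {
    client="$1"; shift
    n=$(rule_number "$client")
    for srv in "$@"; do
        $IPFW add "$n" allow tcp from "$client" to "$srv" 25,110 keep-state
    done
}

# Revoke access: deleting by number removes every rule that shares it,
# so nothing else in the rule set is touched and no flush is needed.
revoke() {
    $IPFW delete "$(rule_number "$1")"
}

# Constructed sample: client 192.0.2.17 logs in via the webform and
# mail.user.com currently returns two A records; then the client logs out.
grant 192.0.2.17 198.51.100.10 198.51.100.11
revoke 192.0.2.17
```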