Date:      Thu, 23 May 2002 00:09:24 -0700
From:      "Crist J. Clark" <crist.clark@attbi.com>
To:        John Angelmo <john@veidit.net>
Cc:        net@FreeBSD.ORG
Subject:   Re: "dynamic" ipfw
Message-ID:  <20020523000924.A9562@blossom.cjclark.org>
In-Reply-To: <20020523025116.41a796b6.john@veidit.net>; from john@veidit.net on Thu, May 23, 2002 at 02:51:16AM +0200
References:  <3CE934D8.9010302@veidit.net> <20020522172837.A8894@blossom.cjclark.org> <20020523025116.41a796b6.john@veidit.net>

On Thu, May 23, 2002 at 02:51:16AM +0200, John Angelmo wrote:
> On Wed, 22 May 2002 17:28:37 -0700
> "Crist J. Clark" <crist.clark@attbi.com> wrote:
> 
> > On Mon, May 20, 2002 at 07:39:36PM +0200, John Angelmo wrote:
> > > Hello
> > > 
> > > I have a small problem with IPFW
> > > 
> > > How can I handle adding and removing rules based on IP/MAC per user?
> > 
> > Per user? You mean with 'uid' options?
> 
> Sorry, bad explanation from my side, in this case, for a user to get routing outside the server he/she needs to login via a webform, after that well then he/she can do what he/she wants to.
> I wonder if I can map that userlogin (in an mysql/pgsql db) to IPFW in some way so I can add/remove rules in an easy way based on userlogin? Just a shot in the dark :)

You can do whatever you want. Obviously, something like this sounds
like you will need to roll your own code/scripts. I know FreeBSD
doesn't include anything like this and doubt there are existing
packages. That said, I still don't really understand what that
means. Users "get routing outside the server" by using a webform?

> > > I can add a rule for a specific IP/MAC without the need to flush but can 
> > > I remove it in the same way?
> > 
> > It kind of sounds like you want to use 'keep-state' rules? But I'm
> > confused about the "user" stuff.
> > 
> > > now lets say I have a user that only needs access to its mailserver 
> > > mail.user.com with pop3 and smtp
> > > then the rule for pop3 would be something like
> > > add allow ip from mail.user.com 110 to IP/HOST (MAC doesn't work here right?)
> > 
> > Well, support for MAC addresses in ipfw(8) only exists in -CURRENT
> > right now. But I think you want,
> > 
> >   add pass tcp from me to mail.user.com 25,110 keep-state
> 
> Well for 4.5 this seems to exist: http://www.bsdshell.net

Yeah, the 3rd party ethfw utility. It is not strictly part of FreeBSD
and is not part of ipfw(8), but I've never heard anyone say anything
bad about it (haven't heard all that much period).

> > Which will pass the return traffic.
> > 
> > > Now mail.user.com uses round robin so the IP changes from request to 
> > > request but doesn't the IPFW resolve the IP when its added to the rules, 
> > > how can this be solved for the user?
> > 
> > You can load all of the IP addresses at start-up? There really is no
> > way to deal with this within ipfw(8) itself. Rules for hostnames whose
> > IP address changes is not a problem that can really be efficiently
> > solved in a general way.
> 
> The problem is that the person configuring the firewall for the user can't possibly know about this problem unless the user states it.
> 
> Well, one way would be to hack a bit in ipfw so that the hostname isn't looked up when the rule is added but every time the user uses it, but this would take too much cpu time for IPFW I think

Exactly, it cannot be solved efficiently for the general case. (But it
would be network limited, not CPU. Imagine the lag waiting for DNS
lookups for each packet.)
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
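A sketch of the per-login rule handling and the "load all of the IP addresses at start-up" approach discussed above, as an added example that is not code from the thread or from FreeBSD. The rule-number scheme (one number per user slot above 10000), the IPFW variable for dry runs, and the host(1) output format are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: rule numbers RULE_BASE+slot are
# reserved for per-login rules; IPFW can be set to "echo" for a dry run;
# host(1) prints "... has address A.B.C.D" lines for each A record.
IPFW="${IPFW:-ipfw}"
RULE_BASE=10000

# Stateful rule for one client IP and one resolved mail-server address.
# ipfw matches the opening packet; the dynamic rule passes the return traffic.
login_rule() {
    # $1 = rule number, $2 = client IP, $3 = mail server IP
    echo "add $1 pass tcp from $2 to $3 25,110 keep-state"
}

# ipfw resolves a hostname once, when the rule is added, so a round-robin
# name is expanded to every A record and one rule is emitted per address.
# All of a user's rules share one number, so a single delete removes them.
login_rules_for_host() {
    # $1 = rule number, $2 = client IP, $3.. = all addresses of the host
    num=$1; client=$2; shift 2
    for addr in "$@"; do
        login_rule "$num" "$client" "$addr"
    done
}

# Resolve every address of a round-robin name (assumes BIND host(1) output).
resolve_all() {
    host "$1" | awk '/has address/ { print $NF }'
}

# Called from the web login handler once the user has authenticated.
user_login() {
    # $1 = user slot (integer), $2 = client IP, $3 = mail hostname
    num=$((RULE_BASE + $1))
    login_rules_for_host "$num" "$2" $(resolve_all "$3") | while read -r rule; do
        $IPFW $rule
    done
}

# Called on logout or session expiry: drops every rule carrying that number.
user_logout() {
    $IPFW delete $((RULE_BASE + $1))
}

# At firewall start-up a check-state rule must sit before the per-user block
# so that packets are matched against the dynamic (keep-state) entries.
firewall_init() {
    $IPFW add $((RULE_BASE - 1)) check-state
}
```

Run with `IPFW=echo` first to inspect the generated rules before pointing the script at the real ipfw(8).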

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message