From owner-freebsd-net@FreeBSD.ORG Sat Sep 6 14:34:30 2003
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F2D6816A4BF for ; Sat, 6 Sep 2003 14:34:29 -0700 (PDT)
Received: from hysteria.spc.org (hysteria.spc.org [195.206.69.234]) by mx1.FreeBSD.org (Postfix) with SMTP id C596443FE3 for ; Sat, 6 Sep 2003 14:34:28 -0700 (PDT) (envelope-from bms@hysteria.spc.org)
Received: (qmail 9596 invoked by uid 5013); 6 Sep 2003 21:31:05 -0000
Date: Sat, 6 Sep 2003 22:31:05 +0100
From: Bruce M Simpson
To: jakae
Message-ID: <20030906213105.GQ1417@spc.org>
Mail-Followup-To: Bruce M Simpson, jakae, freebsd-net@freebsd.org
References: <3F5994CF.10802@schalab.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <3F5994CF.10802@schalab.net>
User-Agent: Mutt/1.4.1i
Organization: SPC
cc: freebsd-net@freebsd.org
Subject: Re: network blocking per system (local) user
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Sat, 06 Sep 2003 21:34:30 -0000

On Sat, Sep 06, 2003 at 10:03:27AM +0200, jakae wrote:
> I have a FreeBSD box which is connected to two different networks
> (public and private). I would like to give to somebody a shell account
> on this box, but allow him just to see, trace, ... the public network. The
> best would be if he could not even see that this box is connected to
> some private network.

There's nothing to stop him from seeing that you have an interface on the private network via ifconfig(8) or sysctl (he will clearly be able to see the interfaces in the MIB if he knows where to look).

However, if you want to restrict his access to hosts on that network (or beyond), you could use an ipfw ruleset containing the following:-

     uid user
             Match all TCP or UDP packets sent by or received for a user.
             A user may be matched by name or identification number.

I think this may be limited to ipfw2, YMMV; this will work in 5.x.

BMS
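As an added illustration of the `uid` option BMS points to (this script is not part of the thread and is not FreeBSD's or ipfw's own code), the following POSIX shell script generates an ipfw ruleset that keeps one local user's TCP and UDP traffic away from a private prefix. The user name `guest`, the private network `10.0.0.0/8` and the rule numbers starting at 1000 are constructed placeholders; the `gen_user_block_rules` and `apply_user_block_rules` function names are my own. It assumes ipfw2 (FreeBSD 5.x or later), as the reply notes, and that `ipfw` accepts a file of commands given as a pathname argument.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Builds ipfw(8) "deny ... uid USER" rules that block one local user's
# TCP and UDP traffic to and from a private network.
# Assumptions (constructed placeholders): user "guest", prefix 10.0.0.0/8,
# rule numbers from 1000; ipfw2 is required for the "uid" option.

# gen_user_block_rules USER PRIVATE_NET BASE_RULENO
# Prints ipfw command lines (without the leading "ipfw"); applies nothing.
gen_user_block_rules() {
    user=$1
    net=$2
    n=$3
    # The manpage text quoted in the thread says "uid" matches TCP or UDP
    # packets, so emit one rule per protocol and per direction instead of
    # relying on a single "ip" rule.
    for proto in tcp udp; do
        printf 'add %d deny %s from any to %s uid %s\n' "$n" "$proto" "$net" "$user"
        n=$((n + 10))
        printf 'add %d deny %s from %s to any uid %s\n' "$n" "$proto" "$net" "$user"
        n=$((n + 10))
    done
}

# apply_user_block_rules USER PRIVATE_NET BASE_RULENO
# Writes the generated rules to a temporary file and feeds it to ipfw.
# Only meaningful as root on a FreeBSD host; returns 1 if ipfw is missing.
apply_user_block_rules() {
    command -v ipfw >/dev/null 2>&1 || { echo "ipfw not available" >&2; return 1; }
    tmp=$(mktemp) || return 1
    gen_user_block_rules "$@" > "$tmp"
    # ipfw reads a file of commands when given a pathname argument.
    ipfw -q "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Dry run with the constructed values; prints the rules it would install.
if [ "${1:-}" = "--dry-run" ]; then
    gen_user_block_rules guest 10.0.0.0/8 1000
fi
```

Run it with `--dry-run` to inspect the four rules before applying anything; the deny rules must sit at lower numbers than any general allow rule in the existing ruleset, since ipfw stops at the first match. Because `uid` is only defined for TCP and UDP in the quoted manpage text, ICMP from the same user (for example ping) is not covered by these rules.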