Date:      Tue, 31 Jan 2006 20:54:06 +0100
From:      Eduard Vopicka <eduard.vopicka@i.cz>
To:        freebsd-pf@freebsd.org
Subject:   Using pf to force different outgoing IP address depending on UNIX user/group for locally originating connection?
Message-ID:  <43DFC05E.5030602@i.cz>



Good evening.

My goal is to use pf to force (via NAT) different outgoing IP addresses 
depending on the UID and/or GID of the program establishing the connection, for 
connections originating locally on a machine running FreeBSD 5.4. (I do not 
expect this to work for setuid/setgid programs.)

I realize that I can filter and tag outgoing packets based on UID/GID on the 
outgoing interface, but after filtering and tagging it is too late for NAT.

I believe that it is possible to achieve my goal with pf, but probably some 
sort of loopback routing is required, so that the packet can first be tagged 
in the filtering rule depending on the UID/GID, then somehow routed back and 
then NATed based on the tag?

E.g., the primary address on the outgoing Ethernet interface is for example 
192.168.33.11, and then for programs being run by the user with UID=1004 I need 
to force the outgoing IP address 192.168.33.14, for UID=1005 the outgoing IP 
address 192.68.33.15, and so on. I hope this concept can also be easily 
extended for use with GIDs.

Thanks in advance for pointing me in the right direction, and please excuse my 
poor English,

Eduard Vopicka


-- 

Eduard Vopicka
ICZ a.s. - Internal IT Department
Hvezdova 1689, 140 00 Praha 4, CZ
Tel: +420 244 100 248, +420 244 100 111
Fax: +420 244 100 222
http://www.i.cz

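For readers arriving at this question later: the per-UID/GID source-address selection described above can be written as a single filter rule on pf versions where NAT is an option of the filter rule rather than a separate rule set. The following pf.conf is an added example, not part of the original post or any reply to it. It assumes OpenBSD pf 4.7 or later (the "nat-to" keyword); the pf shipped with FreeBSD 5.4, like FreeBSD's pf in general, keeps separate "nat" rules that are evaluated before the filter rules, so it will not load there. The interface name em0, the group ID 2000 and the address 192.168.33.16 are assumptions; the UIDs and other addresses are the ones from the question.

```pf
# Added example (not from the original post). Assumes OpenBSD pf 4.7+,
# where "nat-to" is a filter-rule option and so can be combined with
# "user"/"group" in one rule. Interface name, GID 2000 and the address
# 192.168.33.16 are assumptions.

ext_if = "em0"          # assumed; primary address is 192.168.33.11

# The alternate source addresses must be configured on the interface
# before pf can rewrite to them, e.g.
#   ifconfig em0 alias 192.168.33.14 netmask 255.255.255.255
#   ifconfig em0 alias 192.168.33.15 netmask 255.255.255.255
#   ifconfig em0 alias 192.168.33.16 netmask 255.255.255.255

# "user"/"group" match the effective IDs of the socket owner and are only
# evaluated for locally originated connections on the outgoing interface,
# hence "pass out". A setuid/setgid program is matched by its effective
# ID, which is the limitation the question already anticipates.

# pf uses last-match semantics without "quick": the generic rule comes
# first so that the more specific rules below override it.
pass out on $ext_if

# Every process in the assumed group 2000 leaves with 192.168.33.16 ...
pass out on $ext_if proto { tcp udp } group 2000 nat-to 192.168.33.16

# ... unless it is owned by one of these users, whose rules match later
# and therefore win.
pass out on $ext_if proto { tcp udp } user 1004 nat-to 192.168.33.14
pass out on $ext_if proto { tcp udp } user 1005 nat-to 192.168.33.15
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`. Only TCP and UDP are rewritten here because `user`/`group` need a socket owner to match against; connections from other users fall through to the generic rule and keep the interface's primary address.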

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?43DFC05E.5030602>