From: Eduard Vopicka <eduard.vopicka@i.cz>
To: freebsd-pf@freebsd.org
Date: Tue, 31 Jan 2006 20:54:06 +0100
Message-ID: <43DFC05E.5030602@i.cz>
Subject: Using pf to force different outgoing IP address depending on UNIX user/group for locally originating connection?

Good evening.

My goal is to use pf to force (via NAT) different outgoing IP addresses depending on the UID and/or GID of the program establishing the connection, for connections originating locally on a machine with FreeBSD 5.4. (I do not expect this to work for setuid/setgid programs.)

I realize that I can filter and tag outgoing packets based on UID/GID on the outgoing interface, but after filtering and tagging, it is too late for NAT.

I believe that it is possible to achieve my goal with pf, but probably some sort of loopback routing is required, so that the packet can first be tagged in the filtering rule depending on the UID/GID, then somehow routed back and then NATed based on the tag?

E.g., the primary address on the outgoing ethernet interface is for example 192.168.33.11, and then for programs run by the user with UID=1004 I need to force outgoing IP address 192.168.33.14, for UID=1005 outgoing IP address 192.168.33.15, and so on. I hope this concept can easily be extended for use with GIDs as well.

Thanks in advance for pointing me in the right direction, and please excuse my poor English,

Eduard Vopicka

--
Eduard Vopicka
ICZ a.s.
Internal IT Department
Hvezdova 1689, 140 00 Praha 4, CZ
Tel: +420 244 100 248, +420 244 100 111
Fax: +420 244 100 222
http://www.i.cz
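The per-user source-address mapping the post asks for, as an added pf.conf example that is not part of the original message or of any reply on the list. It assumes the pf syntax introduced in OpenBSD 4.7, where nat-to is an option on match and pass rules and can therefore sit on the same rule as the user and group criteria; the pf shipped with FreeBSD 5.4 used stand-alone nat rules, which are evaluated before the filter rules and accept neither user nor group, which is why the tag-then-NAT idea cannot work in a single pass there. The interface name em0, the group name staff and the address 192.168.33.16 are assumptions; the other addresses are the post's own.

```pf
# Added example, not from the original post.  Requires a pf with the
# OpenBSD 4.7+ "match ... nat-to" syntax.  The FreeBSD 5.4 pf of the
# post had separate "nat" rules that run before filtering and cannot
# match on user or group.
ext_if = "em0"                   # assumption: outgoing interface

# Addresses from the post.  Every translated address must also be
# configured as an alias on $ext_if (ifconfig em0 alias ...); otherwise
# the replies to the translated source are never delivered to this host.
primary  = "192.168.33.11"
uid1004  = "192.168.33.14"
uid1005  = "192.168.33.15"
grp_addr = "192.168.33.16"       # assumption: address for the group "staff"

set skip on lo0

# user/group match the effective IDs of the socket owner, so a setuid
# program is classified by its effective user, and they apply only to
# TCP and UDP sockets on this host (never to forwarded traffic).
# The translation is recorded in the state, so the whole connection
# keeps the translated source, not just the first packet.
# Later match rules override earlier ones, so the per-user rules take
# precedence over the group rule for members of "staff".
match out on $ext_if inet proto { tcp udp } group staff nat-to $grp_addr
match out on $ext_if inet proto { tcp udp } user 1004  nat-to $uid1004
match out on $ext_if inet proto { tcp udp } user 1005  nat-to $uid1005

# Everything else leaves untranslated, i.e. from $primary.
pass out on $ext_if keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it. With the rules active and a process owned by UID 1004 holding an open connection, `pfctl -ss` lists that state with 192.168.33.11 as the original source and 192.168.33.14 as the translated one in parentheses, while a connection from any other user shows no translation.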