Date: Tue, 31 Jan 2006 23:11:10 +0300
From: "Dmitry Andrianov" <dimas@dataart.com>
To: "Eduard Vopicka" <eduard.vopicka@i.cz>, <freebsd-pf@freebsd.org>
Subject: RE: Using pf to force different outgoing IP address depending on UNIX user/group for locally originating connection?
Message-ID: <D5972F49810A69449A9EA72A4B360DC2799E29@e1.universe.dart.spb>
Hello.

To my understanding, you can apply a nat rule to tagged packets only. This should do the trick:

nat on $ext_if tagged TAG1 -> 192.168.33.14
nat on $ext_if tagged TAG2 -> 192.168.33.15

Moreover, nat rules can also accept uid/gid matching but I'm not sure about that. Doesn't it work?

Regards,
Dmitry Andrianov

-----Original Message-----
From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Eduard Vopicka
Sent: Tuesday, January 31, 2006 10:54 PM
To: freebsd-pf@freebsd.org
Subject: Using pf to force different outgoing IP address depending on UNIX user/group for locally originating connection?

Good evening.

My goal is to use pf to force (via NAT) different outgoing IP addresses depending on the UID and/or GID of the program establishing the connection, for connections originating locally on a machine with FreeBSD 5.4. (I do not expect this to work for setuid/setgid programs.)

I realize that I can filter and tag outgoing packets based on UID/GID on the outgoing interface, but after filtering and tagging, it is too late for NAT.

I believe that it is possible to achieve my goal with pf, but probably some sort of loopback routing is required, so that the packet can first be tagged in the filtering rule depending on the UID/GID, then somehow routed back and then NATed based on the tag?

E.g., the primary address on the outgoing ethernet interface is for example 192.168.33.11, and then for programs being run by the user with UID=1004 I need to force outgoing IP address 192.168.33.14, for UID=1005 outgoing IP address 192.68.33.15 and so on. Hope this concept can be easily extended also for use with GIDs.

Thanks in advance for pointing me in the right direction, and please excuse my poor English,

Eduard Vopicka

-- 
Eduard Vopicka
ICZ a.s. - Internal IT Department
Hvezdova 1689, 140 00 Praha 4, CZ
Tel: +420 244 100 248, +420 244 100 111
Fax: +420 244 100 222
http://www.i.cz
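The ruleset the reply sketches, written out as a complete pf.conf fragment. This is an added example, not configuration from either poster; the interface name `em0`, the tag names and the use of UIDs 1004 and 1005 with the addresses from the original question are assumptions. The filter rules tag locally originated packets by socket owner, and the translation rules key on those tags. The ordering caveat matters: pf evaluates translation rules before filter rules for a packet leaving an interface, so on a single pass out of `$ext_if` the tag set by `pass out ... user 1004 tag UID1004` is not yet attached when `nat on $ext_if tagged UID1004` is evaluated for that same packet, which is exactly the "too late for NAT" problem the original question raises. The fragment is therefore the shape of the rules, not a confirmation that this ordering works on its own.

```pf
# Added example (assumed interface, users and tags); not from the thread.
ext_if = "em0"

# Translation rules: evaluated BEFORE the filter rules below on the same
# outbound pass, so the tag has to be present on the packet already.
nat on $ext_if tagged UID1004 -> 192.168.33.14
nat on $ext_if tagged UID1005 -> 192.168.33.15

# Filter rules: match locally originated traffic by the owning socket's UID
# (setuid/setgid programs are not expected to be matched reliably, as the
# original question notes) and attach the tag used by the nat rules above.
pass out on $ext_if proto { tcp udp } from ($ext_if) user 1004 tag UID1004 keep state
pass out on $ext_if proto { tcp udp } from ($ext_if) user 1005 tag UID1005 keep state

# Everything else leaves with the interface's primary address, untranslated.
pass out on $ext_if keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check without applying, then `pfctl -f /etc/pf.conf`; `pfctl -s state` shows whether a connection from UID 1004 was actually translated to 192.168.33.14 or left the box with the primary address, which is the quickest way to confirm or refute the ordering concern on a given pf version.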