From: "Dmitry Andrianov" <dimas@dataart.com>
To: "Eduard Vopicka", freebsd-pf@freebsd.org
Date: Tue, 31 Jan 2006 23:11:10 +0300
Subject: RE: Using pf to force different outgoing IP address depending on UNIX user/group for locally originating connection?
List: freebsd-pf@freebsd.org ("Technical discussion and general questions about packet filter (pf)")

Hello.

To my understanding, you can apply a nat rule to tagged packets only. This should do the trick:

    nat on $ext_if tagged TAG1 -> 192.168.33.14
    nat on $ext_if tagged TAG2 -> 192.168.33.15

Moreover, nat rules can also accept uid/gid matching, but I'm not sure about that. Doesn't it work?
Regards,
Dmitry Andrianov

-----Original Message-----
From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Eduard Vopicka
Sent: Tuesday, January 31, 2006 10:54 PM
To: freebsd-pf@freebsd.org
Subject: Using pf to force different outgoing IP address depending on UNIX user/group for locally originating connection?

Good evening.

My goal is to use pf to force (via NAT) different outgoing IP addresses depending on the UID and/or GID of the program establishing the connection, for connections originating locally on a machine with FreeBSD 5.4. (I do not expect this to work for setuid/setgid programs.)

I realize that I can filter and tag outgoing packets based on UID/GID on the outgoing interface, but after filtering and tagging, it is too late for NAT.

I believe that it is possible to achieve my goal with pf, but probably some sort of loopback routing is required, so that the packet can first be tagged in the filtering rule depending on the UID/GID, then somehow routed back and then NATed based on the tag?

E.g., the primary address on the outgoing ethernet interface is for example 192.168.33.11, and then for programs being run by the user with UID=1004 I need to force the outgoing IP address 192.168.33.14, for UID=1005 the outgoing IP address 192.68.33.15, and so on. I hope this concept can also be easily extended for use with GIDs.

Thanks in advance for pointing me in the right direction, and please excuse my poor English,

Eduard Vopicka
--
Eduard Vopicka
ICZ a.s. - Internal IT Department
Hvezdova 1689, 140 00 Praha 4, CZ
Tel: +420 244 100 248, +420 244 100 111
Fax: +420 244 100 222
http://www.i.cz
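To make the two halves of this exchange concrete, here is an added pf.conf fragment (not posted by either participant) that writes Eduard's per-UID tagging rules and Dmitry's "nat ... tagged" rules into one ruleset, in the section order pfctl requires. The interface name em0, the proto restriction and the UID-to-tag mapping are assumptions; the UIDs, tag names and addresses are the ones used in the thread.

```pf
# Added example, not from either poster. Assumed interface name.
ext_if = "em0"

# Translation section: pfctl insists this precede the filter rules.
# Each rule matches only packets that already carry the tag and
# rewrites their source address (Dmitry's suggestion, verbatim).
nat on $ext_if tagged TAG1 -> 192.168.33.14
nat on $ext_if tagged TAG2 -> 192.168.33.15

# Filter section: "user" matches the owner of the local socket, which
# is the only place pf can see the UID (not for setuid programs, as
# Eduard notes). Assumed mapping: UID 1004 -> TAG1, UID 1005 -> TAG2.
# "user" applies to TCP and UDP only, hence the proto list.
pass out on $ext_if proto { tcp udp } user 1004 tag TAG1 keep state
pass out on $ext_if proto { tcp udp } user 1005 tag TAG2 keep state
pass out on $ext_if keep state
```

Check with `pfctl -nf` that the file parses, and with `pfctl -s state` which source address a new connection actually gets. On the pf generation in FreeBSD 5.4, translation rules are evaluated before filter rules on the same outbound pass, so a tag attached by the pass out rules above is not yet present when the nat rules run, which is exactly the ordering problem Eduard raises; the nat rules only select the address for packets that were tagged earlier in their path.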