Date:      Thu, 23 May 2002 02:51:16 +0200
From:      John Angelmo <john@veidit.net>
To:        "Crist J. Clark" <cjc@FreeBSD.ORG>
Cc:        crist.clark@attbi.com, net@FreeBSD.ORG
Subject:   Re: "dynamic" ipfw
Message-ID:  <20020523025116.41a796b6.john@veidit.net>
In-Reply-To: <20020522172837.A8894@blossom.cjclark.org>
References:  <3CE934D8.9010302@veidit.net> <20020522172837.A8894@blossom.cjclark.org>


On Wed, 22 May 2002 17:28:37 -0700
"Crist J. Clark" <crist.clark@attbi.com> wrote:

> On Mon, May 20, 2002 at 07:39:36PM +0200, John Angelmo wrote:
> > Hello
> > 
> > I have a small problem with IPFW
> > 
> > How can I handle adding and removing rules based on IP/MAC per user?
> 
> Per user? You mean with 'uid' options?

Sorry, bad explanation from my side. In this case, for a user to get routing outside the server he/she needs to log in via a webform; after that, well, then he/she can do what he/she wants to.
I wonder if I can map that user login (in a mysql/pgsql db) to IPFW in some way so I can add/remove rules in an easy way based on user login? Just a shot in the dark :)

> 
> > I can add a rule for a specific IP/MAC without the need to flush but can 
> > I remove it in the same way?
> 
> It kind of sounds like you want to use 'keep-state' rules? But I'm
> confused about the "user" stuff.
> 
> > now let's say I have a user that only needs access to its mailserver 
> > mail.user.com with pop3 and smtp
> > then the rule for pop3 would be something like
> > add allow ip from mail.user.com 110 to IP/HOST (MAC doesn't work here right?)
> 
> Well, support for MAC addresses in ipfw(8) only exists in -CURRENT
> right now. But I think you want,
> 
>   add pass tcp from me to mail.user.com 25,110 keep-state

Well for 4.5 this seems to exist: http://www.bsdshell.net

> 
> Which will pass the return traffic.
> 
> > Now mail.user.com uses round-robin so the IP changes from request to 
> > request but doesn't the IPFW resolve the IP when it's added to the rules, 
> > how can this be solved for the user?
> 
> You can load all of the IP addresses at start-up? There really is no
> way to deal with this within ipfw(8) itself. Rules for hostnames whose
> IP address changes is not a problem that can really be efficiently
> solved in a general way.

The problem is that the person configuring the firewall for the user can't possibly know about this problem unless the user states it.

Well, one way would be to hack a bit in ipfw so that the hostname isn't looked up when the rule is added but every time the user uses it, but this would take too much CPU time for IPFW I think.

/John
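One way to glue the web-login idea from this thread to ipfw(8) without flushing the whole rule set, as an added example that is not part of the thread or of FreeBSD itself. It is a hypothetical script that assumes FreeBSD 4.x ipfw syntax, a /24 client LAN, that rule numbers 5000-5255 are unused, and that a check-state rule and a final deny already exist above that range.

```sh
#!/bin/sh
# Added example, not from the thread: glue between a web login form and ipfw(8).
# Assumptions: FreeBSD 4.x ipfw syntax; rule numbers 5000-5255 are reserved for
# per-client grants on a /24 LAN; a "check-state" sits below 5000 and a
# "deny ip from any to any" sits above it, so unauthenticated clients get nothing.
# IPFW is a hook so the script can be dry-run as a non-root user (IPFW=echo).
IPFW=${IPFW:-ipfw}

# One rule number per client address: 5000 + last octet. Every rule added for
# that client shares the number, so a single "ipfw delete N" tears them all down
# (ipfw allows several rules under one number and delete removes all of them).
rule_number() {
    last=${1##*.}
    echo $((5000 + last))
}

# Expand a hostname to all of its A records, so a round-robin name such as
# mail.user.com gets one rule per address at grant time instead of whichever
# single address ipfw would resolve. IP literals pass through untouched, which
# also keeps the function usable offline.
resolve_all() {
    case $1 in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*) echo "$1" ;;
        *) host -t A "$1" | awk '/has address/ {print $NF}' ;;
    esac
}

# Called after a successful web login: allow the client to reach each permitted
# service and let keep-state pass the replies. Services are "host:ports" pairs,
# e.g. mail.user.com:25,110 for smtp and pop3.
grant_access() {
    client=$1; shift
    n=$(rule_number "$client")
    for svc in "$@"; do
        h=${svc%%:*}; ports=${svc#*:}
        for ip in $(resolve_all "$h"); do
            $IPFW add "$n" allow tcp from "$client" to "$ip" "$ports" keep-state
        done
    done
}

# Called on logout or session expiry: one delete removes every rule for the client.
revoke_access() {
    $IPFW delete "$(rule_number "$1")"
}
```

Rules added this way are lost on reboot, so the login database, not ipfw, remains the record of who is currently granted access.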