
Re: Firewalling at the domain users level instead of network level



I'm not sure about the Windows world, but you have several options in
Linux for 'dynamic' firewalling.

1. FWMark.
I would hope that a simple regkey would let you set up FWMark.  If I'm not
mistaken you can set regkeys in your workgroup for each user.

2. Tunneling, PPPoE.
This is very popular in the Windows world, is it not?  You can also use any
Virtual Network software and get the same effect.

3. Crontab based scripts.
This is the most likely to work.  On login a script can FTP upload the
username/hostname rules and on logout remove them.  Then a script like the
following...

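remove_firewall_rules  # placeholder for the undo step; my ifup-mkundo.sh will be loads of help here
for ech in "$uploaddir"/*
do
  if [ "$(cat "$ech")" = "ValidUser" ]
  then
    # $start_iptable and $end_iptable stand for the rule text before and after the address;
    # awk keeps only the address from nmblookup's "address name<00>" output line
    iptables $start_iptable "$(nmblookup "$(basename "$ech")" | awk '/<00>/ {print $1; exit}')" $end_iptable
  fi
done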

--- Santos <casd@netvisao.pt> wrote:
> Hi all.
> 
> 
> I'm implementing a "Windows clients, Linux servers" kind of network.
> Some users may login at different machines, therefore, ip level is not
> enough. I wonder if it's possible to control the access at the "domain
> users" level instead of network or ip level.  I could implement some
> proxies, but each client machine had to be configured  and that would
> mean extra work. IPtables can filter at the user level, but only with
> local users. Is there a way to configure iptables and kerberos working
> together or something like that?  Is this doable with PAM? I have read
> that SAMBA authenticated gateway HOWTO, but it doesn't look very
> reliable. Well, so basically what I want is a firewall similar to an ISA
> Server firewall
> 
> Any ideas about this would be appreciated, thanks in advance.
> 
> 
> Santos
> 
> 
> 
> 
> 
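
The cron-driven sync from option 3, as an added example that is not part of the original post: it treats the FTP-uploaded marker files as untrusted input and only prints the commands that rebuild a dedicated chain. The chain name USERFW, the "ValidUser" marker convention, the function names and the nmblookup output parsing are assumptions for illustration.

```shell
#!/bin/sh
# Added example. Assumes a chain USERFW already exists and is jumped to from
# FORWARD; the upload directory holds one file per client, named after its host.
CHAIN=USERFW

# Resolve a NetBIOS name to one IPv4 address (assumed "address name<00>" output).
resolve_host() {
    nmblookup "$1" 2>/dev/null | awk '$2 ~ /<00>$/ { print $1; exit }'
}

# Accept only a single dotted-quad IPv4 address with octets in 0..255.
valid_ip() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Print (do not run) the commands that rebuild the per-user chain from the
# marker files in directory $1. Anyone who can upload controls names and content.
build_rules() {
    echo "iptables -F $CHAIN"
    for f in "$1"/*; do
        # Regular files only: no symlinks, directories or unmatched globs.
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        host=$(basename "$f")
        # NetBIOS-style name: 1 to 15 letters, digits or hyphens, nothing else.
        case "$host" in
            ''|*[!A-Za-z0-9-]*) continue ;;
        esac
        [ "${#host}" -le 15 ] || continue
        # The marker must be exactly "ValidUser"; read a bounded amount only.
        [ "$(head -c 64 "$f")" = "ValidUser" ] || continue
        ip=$(resolve_host "$host") || continue
        # Never splice unchecked resolver output into a rule.
        valid_ip "$ip" || continue
        echo "iptables -A $CHAIN -s $ip -j ACCEPT"
    done
}
```

Run from cron as `build_rules /path/to/uploads | sh` with root privileges once the printed rules look right. The marker file proves only that someone could upload it, so the FTP account and directory permissions carry the actual authentication.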



		