Re: Firewalling at the domain users level instead of network level
On 18 Jul 2004, Santos wrote:

> I'm implementing a "Windows clients, Linux servers" kind of network.
> Some users may login at different machines, therefore, ip level is not
> enough. I wonder if it's possible to control the access at the "domain
> users" level instead of network or ip level.
> I could implement some proxies, but each client machine had to be
> configured and that would mean extra work.

Well, unless you need something other than what you can get through a
web proxy, using WPAD and/or a transparent squid with NTLM
authentication should be sufficient, yes?

> IPtables can filter at the user level, but only with local users. Is
> there a way to configure iptables and kerberos working together or
> something like that?

No, because there is no user information associated with a connection,
even via kerberos.

> Is this doable with PAM? I have read that SAMBA authenticated gateway
> HOWTO, but it doesn't look very reliable. Well, so basically what I
> want is a firewall similar to an ISA Server firewall.

There isn't much you can do other than use an authenticated proxy, or a
"captive portal" system such as NoCatAuth: <http://nocat.net/>

We live in a hallucination of our own devising.
-- Alan Kay
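The reply's point is that a packet filter only ever sees addresses and ports, so the identity decision has to move to a layer that carries credentials, which for HTTP is an authenticating proxy. The following squid.conf fragment is an added example, not part of the original thread, showing what that looks like in practice: domain users authenticate to Squid via Kerberos (Negotiate) or NTLM through Samba's winbind, and access is decided by domain group membership rather than by client IP. The proxy host is assumed to be joined to the domain so that ntlm_auth and the winbind group helper work; hostnames, the realm, group names and the blocked-domain pattern are constructed placeholders. The helper names are those shipped with Squid 3.2 and later (the Samba-based group helper was called wbinfo_group.pl in older releases). One caveat on the "transparent squid" suggestion: Squid cannot issue a proxy-authentication challenge on intercepted connections, so the authentication shown here only works with an explicitly configured proxy, which is exactly what WPAD/PAC auto-discovery removes the per-machine work for.

```conf
# Added example (not from the original thread): squid.conf fragment that
# enforces web access by Windows domain identity instead of client IP.
# Hostnames, realm, group names and dstdomain pattern are constructed.

# --- Authentication helpers --------------------------------------------------
# Kerberos/Negotiate first: domain-joined clients authenticate silently.
# Assumes a keytab for HTTP/proxy.example.internal on the proxy host.
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.example.internal@EXAMPLE.INTERNAL
auth_param negotiate children 20
auth_param negotiate keep_alive on

# NTLM fallback through Samba's winbind for clients without a Kerberos ticket.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 20
auth_param ntlm keep_alive on

# --- Group membership lookup via winbind ---------------------------------------
# %LOGIN hands the authenticated user name to the helper, which checks
# membership in the domain group named on the acl line. Results cached 5 min.
external_acl_type domain_group ttl=300 %LOGIN /usr/lib/squid/ext_wbinfo_group_acl

# --- ACLs ------------------------------------------------------------------------
acl localnet          src 10.0.0.0/8
acl authenticated     proxy_auth REQUIRED
acl web_allowed       external domain_group WebAllowed
acl web_unrestricted  external domain_group WebUnrestricted
acl social            dstdomain .social-example.test

# --- Policy: deny by default, identity decides -----------------------------------
http_access deny  !localnet
http_access deny  !authenticated        # unauthenticated client gets a 407 challenge
http_access deny  social !web_unrestricted
http_access allow web_allowed
http_access deny  all

# Record the domain user with every request so decisions are auditable per person,
# not per machine, which is the whole point of moving control off the IP layer.
logformat peruser %ts.%03tu %>a %un %Ss/%03>Hs %rm %ru
access_log /var/log/squid/access.log peruser
```

The ordering of http_access lines matters: the first matching line wins, so the network restriction comes first, then the authentication requirement, then group-specific denials, and finally the allow for the general group with a catch-all deny. Because %un lands in the access log, the same configuration also gives the per-user visibility that an IP-only firewall log can never provide when people roam between machines.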