[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Firewalling at the domain users level instead of network level

On 18 Jul 2004, Santos wrote:
> I'm implementing a "Windows clients, Linux servers" kind of network.
> Some users may login at different machines, therefore, ip level is not
> enough. I wonder if it's possible to control the access at the "domain
> users" level instead of network or ip level.  

Not trivially.

> I could implement some proxies, but each client machine had to be
> configured and that would mean extra work. 

Well, unless you need something other that what you can get through a
web proxy, using WPAD and/or a transparent squid with NTLM
authentication should be sufficient, yes?

> IPtables can filter at the user level, but only with local users. Is
> there a way to configure iptables and kerberos working together or
> something like that? 

No, because there is no user information associated with a connection,
even via kerberos.

> Is this doable with PAM? I have read that SAMBA authenticated gateway
> HOWTO, but it doesn't look very reliable. Well, so basically what i
> want, is a firewall similar to a ISA Server firewall

There isn't much you can do other than use an authenticated proxy, or a
"captive portal" system such as NoCatAuth: <http://nocat.net/>

We live in a hallucination of our own devising.
        -- Alan Kay

Reply to: