
Re: filtering by user



On Mon, 1 May 2006, Pascal Hambourg wrote:
> > I wish that a number of users (that can be made member or not member of a
> > certain group) would always use an i.j.n.m address to connect to the outside
> I don't think this is a good idea because IP addresses are intended to 
> be network-related, not user-related. Instead you may use the 'owner' 
> match to match locally generated packets against a user id or group id.

I agree with your opinion, however sticking a group of users to a specific
address would allow administrators to filter on the _other_ end of the
link, accepting or refusing the connection based on the source address (I
have a number of resources, including printers, whose only way to restrict
access is by IP ...) or using an external firewall.
Also I have not been able to find a working example.
For example, how could I say that:
  users that are member of only group 101 and/or 103
    cannot open connections to remote ports above 1040 
      unless 
         {is the return connection of a ftp-connections}
             or
         {it is a Address:port pair given in a file}

(the file is about 6000 records long ....)
This is the reason why I would give the two unprivileged groups a known
address, and then just open or close 3 to 12 ports on each of the other
hosts or on the router .....
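One way to write down the policy sketched in this message with the 'owner' match Pascal mentions, as an added example that is not code posted anywhere in the thread: a POSIX shell script that generates (but does not apply) the iptables and ipset commands, so the ruleset can be reviewed before running it as root. The allow-list file name, the ipset and chain names, the "above 1040" range and the constructed sample pairs are all assumptions; the group ids 101 and 103 come from the message.

```shell
#!/bin/sh
# Added example: build an OUTPUT ruleset for users in groups 101 and 103.
# The owner match only sees locally generated packets, so this enforces the
# policy on the sending host only, not at the remote end of the link.
# Assumed allow-list format: one "address:port" line per record.

# Constructed sample allow-list standing in for the ~6000 record file.
make_sample_allowlist() {
    printf '%s\n' '192.0.2.10:8080' '198.51.100.5:2049' > "$1"
}

# Print the commands; pipe the output to sh as root to apply them.
gen_rules() {
    file="$1"
    # hash:ip,port keeps a 6000-entry list out of the rule chain itself.
    echo 'ipset create allowed_pairs hash:ip,port -exist'
    while IFS=: read -r addr port; do
        [ -n "$addr" ] && [ -n "$port" ] || continue   # skip blank/odd lines
        echo "ipset add allowed_pairs $addr,tcp:$port -exist"
    done < "$file"

    echo 'iptables -N RESTRICTED_GROUPS'
    # Send locally generated traffic of the two groups to the custom chain.
    for gid in 101 103; do
        echo "iptables -A OUTPUT -m owner --gid-owner $gid -j RESTRICTED_GROUPS"
    done
    # FTP data connections are RELATED once nf_conntrack_ftp is loaded;
    # replies on existing connections are ESTABLISHED.
    echo 'iptables -A RESTRICTED_GROUPS -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN'
    # Destination address:port pairs from the file are allowed through.
    echo 'iptables -A RESTRICTED_GROUPS -p tcp -m set --match-set allowed_pairs dst,dst -j RETURN'
    # Everything else towards ports above 1040 is refused.
    echo 'iptables -A RESTRICTED_GROUPS -p tcp --syn --dport 1041:65535 -j REJECT'
    echo 'iptables -A RESTRICTED_GROUPS -p udp --dport 1041:65535 -j REJECT'
}

# Usage: sh thisscript.sh /path/to/allowed_pairs.txt
if [ -n "${1:-}" ]; then
    gen_rules "$1"
fi
```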


