Re: filtering by user
On Mon, 1 May 2006, Pascal Hambourg wrote:
> > I wish that a number of users (that can be made member or not member of a
> > certain group) would use always i.j.n.m address to connect to outside
> I don't think this is a good idea because IP addresses are intended to
> be network-related, not user-related. Instead you may use the 'owner'
> match to match locally generated packets against a user id or group id.
I agree wit your opinion, hovewer stiking a gropup of user to a specific
address would allow administrators to filter on the _other_ end of the
link, accepting or refusing he connenction based on the source address (I
have a number of resorces, including printers, whose only way to restrict
access is by ip ...) or using an external firewall .
Also I have not been ablo to find a working example.
for example how could i say that:
users that are member of only group 101 and/or 103
cannot open connections to remote ports above 1040
unless
{is the return connection of a ftp-connections}
or
{it is a Address:port pair given in a file}
(the file os about 6000 record long ....)
This is the reason why I would give to the two unprivileged groups a known
address, and then just open or close 3 to 12 ports on each of the other
hosts or on the router .....
Reply to: