Using pf to force different outgoing IP address depending on
UNIX user/group for locally originating connection?
Dmitry Andrianov
dimas at dataart.com
Tue Jan 31 12:11:32 PST 2006
Hello.
To my understanding, you can apply a nat rule to tagged packets only. This should do the trick.

nat on $ext_if tagged TAG1 -> 192.168.33.14
nat on $ext_if tagged TAG2 -> 192.168.33.15

Moreover, nat rules can also accept uid/gid matching, but I'm not sure about that.

Doesn't it work?
Regards,
Dmitry Andrianov
-----Original Message-----
From: owner-freebsd-pf at freebsd.org [mailto:owner-freebsd-pf at freebsd.org]
On Behalf Of Eduard Vopicka
Sent: Tuesday, January 31, 2006 10:54 PM
To: freebsd-pf at freebsd.org
Subject: Using pf to force different outgoing IP address depending on
UNIX user/group for locally originating connection?
Good evening.

My goal is to use pf to force (via NAT) different outgoing IP addresses depending on the UID and/or GID of the program establishing the connection, for connections originating locally on a machine with FreeBSD 5.4. (I do not expect this to work for setuid/setgid programs.)

I realize that I can filter and tag outgoing packets based on UID/GID on the outgoing interface, but after filtering and tagging, it is too late for NAT.

I believe that it is possible to achieve my goal with pf, but probably some sort of loopback routing is required, so that the packet can first be tagged in the filtering rule depending on the UID/GID, then somehow routed back and then NATed based on the tag?

E.g., the primary address on the outgoing ethernet interface is for example 192.168.33.11, and then for programs being run by the user with UID=1004 I need to force the outgoing IP address 192.168.33.14, for UID=1005 the outgoing IP address 192.68.33.15, and so on. I hope this concept can be easily extended also for use with GIDs.

Thanks in advance for pointing me in the right direction, and please excuse my poor English,

Eduard Vopicka
--
Eduard Vopicka
ICZ a.s. - Oddeleni vnitrniho IT
Hvezdova 1689, 140 00 Praha 4, CZ
Tel: +420 244 100 248, +420 244 100 111
Fax: +420 244 100 222
http://www.i.cz
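As an added illustration of the two rule shapes discussed in this thread (this fragment is not from either poster), here is a pf.conf excerpt in the syntax of the pf shipped with FreeBSD 5.x that tags locally originated TCP/UDP connections by the owning UID and picks the NAT source address by tag. The interface name em0 is an assumption; the UIDs and addresses are the ones Eduard quotes. The caveat to keep in mind is the one Eduard already raises: pf evaluates translation (nat/rdr) rules before filter rules, so a tag attached by a "pass out" rule is not visible to a "nat ... tagged" rule on the same pass through the same interface. The fragment therefore shows the syntax and the evaluation order, not a finished solution to the loopback-routing question.

```pf
# Added example, not from the thread. Interface name is an assumption;
# UIDs and addresses are those quoted in the original question.
ext_if = "em0"

# Translation rules are evaluated before filter rules. These nat rules
# only match a tag that is already on the packet when it reaches $ext_if
# (e.g. set on an earlier interface pass), not one set by the pass
# rules below during the same evaluation.
nat on $ext_if tagged TAG1 -> 192.168.33.14
nat on $ext_if tagged TAG2 -> 192.168.33.15

# Tag outgoing TCP/UDP connections by the UID owning the local socket.
# "user" only applies to sockets on this host, so this works for locally
# originated connections only; the tag is stored with the state entry.
pass out on $ext_if proto { tcp udp } from any to any user 1004 keep state tag TAG1
pass out on $ext_if proto { tcp udp } from any to any user 1005 keep state tag TAG2

# Everything else leaves with the interface's primary address.
pass out on $ext_if from any to any keep state
```

To check what a ruleset actually does rather than what it is meant to do, load it with pfctl -nf to parse it, then watch the translated source addresses with tcpdump on the external interface while a process run as UID 1004 opens a connection; if the address is still 192.168.33.11, the nat rule never saw the tag, which is the ordering problem described above.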