Wednesday, October 21, 2009

Re: Match owner

The uid information is not contained in the headers so no you can't. I've used this match on ltsp servers to send students through an anonymous proxy/content filter while allowing teachers unfiltered access.

Thanks,

--
Cory Oldford
PeaceWorks Computer Consulting
#2 - 396 Assiniboine Ave, Winnipeg
204 480 0314 --or-- 519 725 7875, ext 610.

----- Original Message -----
From: "Cory Oldford" <cory@peaceworks.ca>
To: "Bjoern Meier" <bjoern.meier@googlemail.com>
Sent: Wednesday, October 21, 2009 11:20:14 AM GMT -06:00 US/Canada Central
Subject: Re: Match owner

Exactly the point I was making. No there is no way to verify this. The TCP/UDP/Ethernet headers do no contain that information.

--
Cory Oldford
PeaceWorks Computer Consulting
#2 - 396 Assiniboine Ave, Winnipeg
204 480 0314 --or-- 519 725 7875, ext 610.

----- Original Message -----
From: "Bjoern Meier" <bjoern.meier@googlemail.com>
To: debian-firewall@lists.debian.org
Sent: Wednesday, October 21, 2009 11:01:06 AM GMT -06:00 US/Canada Central
Subject: Re: Match owner

hi,


2009/10/21 Pascal Hambourg < pascal.mail@plouf.fr.eu.org >


[Sent back on the list. Please pay attention to the recipient address.]

Cory Oldford a écrit :
> Is the traffic originating from a process on the machine with the firewall?

Of course. The OUTPUT chain sees only packets generated by local
processes. This is why the "owner" match is valid only in this chain.

mh ok. Well, the packet IN-if is ppp0 and the OUT-if is eth2. The user is a winbind mapped user-id.
Last and ac can both map the user-id with the username, so my hope was iptables could this do, too.

So routing-packets have no localuser-owner?

Greetings,
Björn

--
To boldly go where no man has gone before ... I'll wait there with touristinformation


--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

No comments:

Post a Comment