
Using pf to force different outgoing IP address depending on UNIX user/group for locally originating connection?

Good evening.

My goal is to use pf to force (via NAT) different outgoing IP addresses depending on the UID and/or GID of the program establishing the connection, for connections originating locally on a machine with FreeBSD 5.4. (I do not expect this to work for setuid/setgid programs.)

I realize that I can filter and tag outgoing packets based on UID/GID on the outgoing interface, but after filtering and tagging, it is too late for NAT.

I believe that it is possible to achieve my goal with pf, but probably some sort of loopback routing is required, so that the packet can first be tagged in the filtering rule depending on the UID/GID, then somehow routed back and then NATed based on the tag?

E.g., the primary address on the outgoing ethernet interface is for example and then for programs being run by a user with UID=1004 I need to force outgoing IP address, for UID=1005 outgoing IP address and so on. I hope this concept can also be easily extended for use with GIDs.

Thanks in advance for pointing me in the right direction and please excuse my poor English,

Eduard Vopicka


Eduard Vopicka
ICZ a.s. - Oddeleni vnitrniho IT
Hvezdova 1689, 140 00 Praha 4, CZ
Tel: +420 244 100 248, +420 244 100 111
Fax: +420 244 100 222

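The approach the question describes, written out in pf.conf syntax as an added illustration (not part of the original post or from its author). The interface name, the tag names and the address values are assumptions, since the post's own addresses were elided; whether `tagged` is accepted in nat rules on the pf version shipped with FreeBSD 5.4 is also an assumption.

```pf
# Added example, not from the original post. Interface, tags and addresses
# are assumed placeholders.
ext_if       = "fxp0"        # assumed outgoing interface
uid1004_addr = "192.0.2.4"   # placeholder: address wanted for UID 1004
uid1005_addr = "192.0.2.5"   # placeholder: address wanted for UID 1005

# Translation rules keyed on a tag. pf evaluates translation rules before
# the filter rules for a packet leaving $ext_if, which is the ordering
# problem the post describes: a tag set by the filter rules below is not
# yet present when these nat rules are evaluated.
nat on $ext_if tagged UID1004 -> $uid1004_addr
nat on $ext_if tagged UID1005 -> $uid1005_addr

# Filter rules match locally originated connections by the owning UID
# and attach the tag. This part works on its own, but it runs after nat.
pass out on $ext_if proto { tcp udp } from any to any user 1004 keep state tag UID1004
pass out on $ext_if proto { tcp udp } from any to any user 1005 keep state tag UID1005
pass out on $ext_if keep state
```

As written, the rule set only shows why the tag arrives too late for NAT; it does not by itself achieve the per-user source address the question asks for.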