Good evenig.My goal is to use pf to force (via NAT) different IP outgoing addresses depending on UID and/or GID of the program establishing the connection, for connections originating locally on machine with FreeBSD 5.4. (I do not expect this to work for setuid/setgid programs.)
I realize that I can filter and tag outgoing packet based on UID/GID on the outgoing interface, but after filtering and tagging, it is too late for NAT.
I believe in that it is possible to achieve my goal with pf, but probably some sort of loopback routing is required, so that the packet can first be tagged in the filtering rule dependind on the UID/GID, then somewhat routed back and then NATed based on the tag?
E.g., the primary address on the outgoing ethernet interface is for example 192.168.33.11 and then for programs being run by user with UID=1004 I need to force outgoing IP address 192.168.33.14, for UID=1005 outgoing IP address 192.68.33.15 and so on. Hope this concpt can be easily extended also for use with GIDs.
Thanks in advance for pointing me in the right direction and please excuse my poor English,
Eduard Vopicka -- Eduard Vopicka ICZ a.s. - Oddeleni vnitrniho IT Hvezdova 1689, 140 00 Praha 4, CZ Tel: +420 244 100 248, +420 244 100 111 Fax: +420 244 100 222 http://www.i.cz
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature