netfilter access control

netfilter access control

[Thierry ITTY]

Hello

I'm currently using squid with an ncsa_auth module so that any employee who
wants to surf the 'net has to identify himself as a person, no matter which
machine he's on. Doing so only http,https,http/ftp protocols are supported.

Now I need to open wider access with irc, realvideo, and other that very
important things ;-) and of course I think of netfilter/iptables, which I'm
used to by the way.

So I'd appreciate any advice which would help me setting up some kind of
signature system (preferably with a browser) allowing a given user (not a
machine) to go out (I don't need protocol specific permissions) for the
time of a session...

tia
			- * - * - * - * - * - * -
Bien sûr que je suis perfectionniste !
Mais ne pourrais-je pas l'être mieux ?
	Thierry ITTY
eMail : Thierry.Itty@Besancon.org		FRANCE

Re: netfilter access control

[Frank Schaefer]

On Thu, 2002-06-06 at 10:06, Thierry ITTY wrote:
> Hello
> 
> I'm currently using squid with an ncsa_auth module so that any employee who
> wants to surf the 'net has to identify himself as a person, no matter which
> machine he's on. Doing so only http,https,http/ftp protocols are supported.
> 
> Now I need to open wider access with irc, realvideo, and other that very
> important things ;-) and of course I think of netfilter/iptables, which I'm
> used to by the way.
> 
> So I'd appreciate any advice which would help me setting up some kind of
> signature system (preferably with a browser) allowing a given user (not a
> machine) to go out (I don't need protocol specific permissions) for the
> time of a session...

Hi Thierry,

we solved this task using mod_auth. There wasn't any problem for UNIX
clients/ users. Doing some Gooooooooooogle we found a Windooooooze
identd too.

Adding ``acl allowed_users ident allowed_users_file'' to our squid.conf
did it.

Hope this helps
Frank

Re: netfilter access control

[Tony Earnshaw]

[-- Attachment #1: Type: text/plain, Size: 1006 bytes --]

tor, 2002-06-06 kl. 08:57 skrev Frank Schaefer:

> we solved this task using mod_auth. There wasn't any problem for UNIX
> clients/ users. Doing some Gooooooooooogle we found a Windooooooze
> identd too.

I can't see how continuing to use what's basically a Socks 4 proxy can
help with those other protocols.

I used to use NEC's reference Socks 5 proxy for a subset of what Thierry
wants. There are 2 or 3 kinds of authorization possible.

Using HummingBird's (does HummingBird still exist?) Socks client,
Windows machines get completely transparent access. Otherwise, there's
NEC's SocksCap.

See: http://www.socks.nec.com/socksfaq.html

I haven't used it for years, though.

Best,

Tony

-- 

Tony Earnshaw

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
gpg public key:	http://www.billy.demon.nl/tonni.armor

Telefoon:	(+31) (0)172 530428
Mobiel:		(+31) (0)6 51153356

GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981
3BE7B981



[-- Attachment #2: Dette er en digitalt signert meldingsdel --]
[-- Type: application/pgp-signature, Size: 189 bytes --]