On Tue, 2003-09-23 at 12:13, Daniel Chemko wrote:

> I have been researching some possible extensions to the Netfilter
> environment, and something has become very necessary for my current
> environment. The following proposal outlines what I wish to implement. I
> am wondering if anyone would find value in this. Plus, I look forward to
> feedback so that I may improve my ideas.
>
> Suggestion:
>
> I would like to take pam_iptables and expand it beyond its simple
> structure. Features will include:

My humble suggestion would be that this should be handled in the stateful
connection tracking - if a session is authenticated and certain connections
are to be allowed, then the new allowed connections would be of state
"related". Really handy would be the ability to distinguish these particular
'related' connections and feed them through specific chains.

I for one would NOT want to simply open the box (or network) wide for every
authenticated connection, but would like to be able to specify a different
set of (more permissive) rules for them once authenticated.

Perhaps patch an additional state - "PAM" or "AUTH". Or the ability to
specify a fwmark that is automatically implemented for RELATED traffic to
the authenticated session, allowing different chains to be traversed based
on the mark found.

j
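The mark-dispatched chain described in the reply above can be approximated with the netfilter pieces that already exist, without a new conntrack state. The script below is an added example and is not part of the thread or of pam_iptables: it assumes iptables with the CONNMARK target and the connmark and state matches (a patch-o-matic extension at the time of the thread, mainline later), and it stands in for "related to the authenticated session" by marking new connections from the client address of the authenticated session, since that address is what a PAM session hook can know. The chain name AUTHED, the mark value 0x1, the service rules inside the chain and the function names are all this example's own choices. By default IPT only echoes the rules (a dry run); set IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example, not from the thread or from pam_iptables.
# Assumes: iptables with CONNMARK target, connmark and state matches.
# IPT defaults to a dry run that prints the rules instead of applying them.
IPT="${IPT:-echo iptables}"

AUTH_MARK=0x1        # connection mark that means "belongs to an authenticated session"
AUTH_CHAIN=AUTHED    # chain holding the more permissive rules for marked connections

# One-time setup: a dedicated chain, entered only by connections carrying
# AUTH_MARK. Unmarked traffic never reaches it, so the box is not opened wide
# for everyone; only marked connections get the extra permissions.
setup_auth_chain() {
    $IPT -N "$AUTH_CHAIN"
    # Dispatch on the conntrack mark at the top of FORWARD. -m connmark reads the
    # mark stored on the connection, so every packet of a marked connection
    # matches, not just the one that set it.
    $IPT -I FORWARD 1 -m connmark --mark "$AUTH_MARK" -j "$AUTH_CHAIN"
    # The permissive rule set for authenticated sessions (example services).
    $IPT -A "$AUTH_CHAIN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A "$AUTH_CHAIN" -p tcp --dport 22 -j ACCEPT
    $IPT -A "$AUTH_CHAIN" -p tcp --dport 443 -j ACCEPT
    # Anything not explicitly allowed here falls back to the normal FORWARD rules.
    $IPT -A "$AUTH_CHAIN" -j RETURN
}

# Called from the PAM session-open hook with the client address.
# Every NEW connection from that address gets AUTH_MARK stored in conntrack,
# which is what sends it through AUTH_CHAIN in setup_auth_chain().
auth_session_open() {
    client="$1"
    $IPT -t mangle -A PREROUTING -s "$client" -m state --state NEW -j CONNMARK --set-mark "$AUTH_MARK"
}

# Called from the PAM session-close hook: remove the marking rule again.
# Connections marked earlier keep their mark until they expire from conntrack.
auth_session_close() {
    client="$1"
    $IPT -t mangle -D PREROUTING -s "$client" -m state --state NEW -j CONNMARK --set-mark "$AUTH_MARK"
}
```

The mark is stored on the connection, not on the packet, so the FORWARD dispatch needs only `-m connmark` and no `--restore-mark`. Two caveats the reply's own proposal would not have: marking by source address trusts that address (a second host behind the same NAT shares the session's privileges), and a connection marked during the session keeps its mark after `auth_session_close` until it leaves the conntrack table.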