On Tue, Sep 23, 2003 at 09:13:21AM -0700, Daniel Chemko wrote:
> I would like to take pam_iptables and expand it beyond its simple
> structure. Features will include:
> [...]

Feel free to implement those features.

> Since PAM returns the originating IP address of the request, most of the
> rule functionality can be used to discriminate on a host level. I don't
> think many people would have a problem with this. The only side effect
> here is that a user behind a NAT'd network accessing the system opens
> the services to everyone behind that host. This is unavoidable.

I personally don't believe in this kind of 'security'. The only way to do this in a really secure way is to open a VPN tunnel to your firewall and do the authentication related to the VPN protocol used. Your firewall ruleset can then have separate rules for packets coming from the VPN or packets outside of the VPN sessions.

> I have seen some of this functionality in Checkpoint, and I think that
> it would be immensely useful in the iptables community if it is adopted.

Just because a particular proprietary vendor offers a 'feature', it doesn't necessarily mean that we need to do a blind copy of that feature.

-- 
- Harald Welte <laforge@xxxxxxxxxxxxx> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going on
while IP was being designed." -- Paul Vixie
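The ruleset shape Harald describes, with separate rules for packets arriving through the VPN tunnel and packets from the outside, as an added example that is not part of the thread or of pam_iptables. Interface names (eth0, tun0), the VPN port (UDP 1194) and the service ports (22, 5432) are assumptions chosen for illustration; the script only prints the iptables commands unless IPT is set to the real binary.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: a firewall ruleset where
# services are reachable only over an authenticated VPN session, so access
# is never granted to a bare source IP (which a NAT gateway shares among
# every host behind it).
# Dry run by default: commands are echoed. Run with IPT=iptables to apply.
IPT="${IPT:-echo iptables}"
WAN_IF="${WAN_IF:-eth0}"                  # assumed outside interface
VPN_IF="${VPN_IF:-tun0}"                  # assumed VPN tunnel interface
VPN_PORT="${VPN_PORT:-1194}"              # assumed VPN listening port (UDP)
SERVICE_PORTS="${SERVICE_PORTS:-22 5432}" # assumed services, VPN-only

vpn_only_ruleset() {
    # Default deny for inbound traffic.
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # The only thing the outside may initiate is the VPN handshake itself;
    # user authentication happens inside the VPN protocol, not per IP.
    $IPT -A INPUT -i "$WAN_IF" -p udp --dport "$VPN_PORT" -j ACCEPT

    # Authenticated peers arrive on the tunnel interface. Rules keyed on
    # that interface apply only to traffic carried by a VPN session.
    for port in $SERVICE_PORTS; do
        $IPT -A INPUT -i "$VPN_IF" -p tcp --dport "$port" -j ACCEPT
    done

    # Service traffic arriving outside a VPN session is logged, then
    # falls through to the DROP policy.
    $IPT -A INPUT -i "$WAN_IF" -j LOG --log-prefix "non-vpn-drop: "
}

# Number of rules scoped to the tunnel interface (one per VPN-only service).
vpn_rule_count() {
    vpn_only_ruleset | grep -c -- "-i $VPN_IF"
}

vpn_only_ruleset
```

Because the accept rules are keyed on the tunnel interface rather than on a source address, two clients behind the same NAT gateway are distinguished by their own VPN sessions, and an unauthenticated host sharing that gateway's address gets nothing but the logged drop.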