On 6/20/2014 2:25 PM, Stuart Henderson wrote: > PF can do this, though I'm not quite sure if doing this from a firewall > counts as a "good way" and, given the controls already available on > local forwarding, it does seem like something that it would be > reasonable to implement internally in ssh. As of the 2.6.x kernels, iptables has support for it as well. See the "owner" module, and if you're going to do this, you might as well enable uid-logging in any LOG rules. If you use grsecurity, you can also create gids that restrict client or server (or both) network socket usage completely, i.e., big hammer. =M= _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
