Re: Ideas for v2.1

Jared Mauch (jared@wolverine.hq.cic.net)
Thu, 20 Jun 1996 16:52:57 -0400 (EDT)


Yeah, I wanna see you run sparclinux on that box. ;-)

- jared

Marc Unangst graced my mailbox with this long sought knowledge:
> Jos Vos <jos@xos.nl> writes:
> >> There are already some patches for per user accounting. I'd like to
> >> have per user firewall as well.
> >
> >I'm not sure what you mean with the last sentence, but, in general,
> >supporting a per-user firewall is not possible in the kernel.
>
> I think what he's talking about is supporting access control lists for
> networking operations. i.e., I might want to be able to control which
> users can send datagrams to which TCP/UDP addresses and ports. This
> is very useful for people who run public-access systems and wish to
> only allow some users access to the "external" network.
>
> Ideally, you should be able to specify "allow" and "deny" rules
> similar in spirit to TCP wrapper control files or HTTP access files.
> You should be able to specify users at least at the user-id and group
> level, and preferably also define groups-of-groups. You should be
> able to allow and deny access to any combination of protocol, address,
> and port. And all this should be configurable from userland, without
> rebuilding the kernel. (A public-access system I do volunteer work
> for has most of this -- they're mainly missing the "without rebuilding
> the kernel" part -- on a SunOS system. However, we've hacked the
> kernel...)
>
> -Marc
>
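
The allow/deny scheme Marc describes (rules keyed on user, group or group-of-groups, matched against protocol, address and port) can be sketched as a first-match evaluator. This is an added example, not code from the thread or from any kernel patch; the rule format, group table, names and addresses are all constructed, and first-match-wins with default deny is an assumption. It shows only the matching logic in userland, not kernel enforcement.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data: group -> members; "@name" nests another group.
GROUPS = {
    "staff": {"alice", "bob"},
    "volunteers": {"carol"},
    "trusted": {"@staff", "@volunteers"},
}

@dataclass(frozen=True)
class Rule:
    action: str    # "allow" or "deny"
    subject: str   # "user:NAME", "group:NAME" or "*"
    proto: str     # "tcp", "udp" or "*"
    net: str       # destination network in CIDR form
    ports: range   # destination port range

def in_group(user, group, seen=None):
    """Resolve membership through nested groups, guarding against cycles."""
    seen = set() if seen is None else seen
    if group in seen:
        return False
    seen.add(group)
    return any(
        in_group(user, m[1:], seen) if m.startswith("@") else m == user
        for m in GROUPS.get(group, ())
    )

def subject_matches(subject, user):
    if subject == "*":
        return True
    kind, _, name = subject.partition(":")
    if kind == "user":
        return name == user
    return kind == "group" and in_group(user, name)

ANY_PORT = range(0, 65536)
# Constructed rule set: first match wins, anything unmatched is denied.
RULES = [
    Rule("deny", "user:bob", "*", "0.0.0.0/0", range(25, 26)),
    Rule("allow", "group:trusted", "*", "0.0.0.0/0", ANY_PORT),
    Rule("allow", "*", "*", "192.168.0.0/16", ANY_PORT),
]

def decide(user, proto, dst, port, rules=RULES):
    addr = ipaddress.ip_address(dst)
    for r in rules:
        if (subject_matches(r.subject, user) and r.proto in ("*", proto)
                and addr in ipaddress.ip_network(r.net) and port in r.ports):
            return r.action
    return "deny"
```

Because the rules are plain data, they can be reloaded without touching the code that enforces them, which is the "configurable from userland" property the message asks for.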