Re: Ideas for v2.1

Marc Unangst (mju@cs.cmu.edu)
Thu, 20 Jun 1996 13:13:22 -0400


Jos Vos <jos@xos.nl> writes:
>> There are already some patches for per user accounting. I'd like to
>> have per user firewall as well.
>
>I'm not sure what you mean with the last sentence, but, in general,
>supporting a per-user firewall is not possible in the kernel.

I think what he's talking about is supporting access control lists for
networking operations, i.e., I might want to be able to control which
users can send datagrams to which TCP/UDP addresses and ports. This
is very useful for people who run public-access systems and wish to
only allow some users access to the "external" network.

Ideally, you should be able to specify "allow" and "deny" rules
similar in spirit to TCP wrapper control files or HTTP access files.
You should be able to specify users at least at the user-id and group
level, and preferably also define groups-of-groups. You should be
able to allow and deny access to any combination of protocol, address,
and port. And all this should be configurable from userland, without
rebuilding the kernel. (A public-access system I do volunteer work
for has most of this -- they're mainly missing the "without rebuilding
the kernel" part -- on a SunOS system. However, we've hacked the
kernel...)

-Marc
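The allow/deny scheme described above, written out as a small userland rule evaluator. This is an added example, not code from the list or from any kernel patch; the rule syntax, the group table and the policy are constructed assumptions, and the kernel hook that would consult such a table is left out.

```python
import ipaddress

# Constructed group table (an assumption for this example): a group may list
# uids and other groups, giving the groups-of-groups the post asks for.
GROUPS = {"staff": ["uid:1001", "uid:1002"], "trusted": ["grp:staff", "uid:2000"]}

def expand_group(name, seen=None):
    """Set of uids in a group, following nested groups; cycles are tolerated."""
    seen = set() if seen is None else seen
    if name in seen or name not in GROUPS:
        return set()
    seen.add(name)
    uids = set()
    for member in GROUPS[name]:
        kind, _, value = member.partition(":")
        uids |= {int(value)} if kind == "uid" else expand_group(value, seen)
    return uids

def parse_rule(line):
    """'allow grp:staff tcp 0.0.0.0/0 80-443' -> rule dict (ports inclusive)."""
    action, subject, proto, net, ports = line.split()
    lo, _, hi = ports.partition("-")
    return {"action": action, "subject": subject, "proto": proto,
            "net": ipaddress.ip_network(net), "ports": (int(lo), int(hi or lo))}

def subject_matches(subject, uid):
    kind, _, value = subject.partition(":")
    return (subject == "all" or (kind == "uid" and int(value) == uid)
            or (kind == "grp" and uid in expand_group(value)))

def decide(rules, uid, proto, dst, port):
    """'allow' or 'deny' for one datagram: first matching rule wins, and
    traffic no rule mentions is denied (the hosts.deny ALL:ALL habit)."""
    for r in rules:
        if (subject_matches(r["subject"], uid) and r["proto"] in ("any", proto)
                and ipaddress.ip_address(dst) in r["net"]
                and r["ports"][0] <= port <= r["ports"][1]):
            return r["action"]
    return "deny"

# Constructed policy: anyone may reach the local net, one user is kept off
# external SMTP, and only trusted users get external low ports and DNS.
POLICY = [parse_rule(l) for l in """
allow all any 10.0.0.0/8 1-65535
deny uid:1002 tcp 0.0.0.0/0 25
allow grp:trusted tcp 0.0.0.0/0 1-1023
allow grp:trusted udp 0.0.0.0/0 53
""".splitlines() if l.strip()]
```

Rule order matters: the specific deny for uid 1002 sits before the group allow that would otherwise admit it, which is the same first-match discipline TCP wrappers use.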