> Hmm, I see what the problem is. You are talking about implementing
> packet accounting. I don't care about counting the packets; I'm
> concerned about doing access control. I want to prevent unauthorized
> users from making network connections to certain addresses or ports,
An idea this discussion has indicated to me is this: per-ip-port access
lists (or some control mechanism) would be a nice way to finalize making
users "news", "mail", etc., real sub-super-users. Allowing user "dns" to
attach to tcp/udp:53 any time, with no setuid-root shenanigans, would be
a very good thing to be able to do, from my point of view.
One of the (few 8^) good things that people remember from VMS (I would
not be one of these people) is the wide range of sub-systems, run by a
number of pseudo-super-users. (Please, someone correct me if I'm wrong.)
Being able to implement this sort of setup for network services would be
a good thing.
$0.02
_____________________________________________________________________
Todd Graham Lewis Core Engineering Mindspring Enterprises
tlewis@mindspring.com (Standard Disclaimers) (800) 719 4664, x2804
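The post above asks for a way to let a service account such as "dns" attach to udp:53 without setuid-root. Modern Linux provides exactly that through the CAP_NET_BIND_SERVICE capability (granted per binary with file capabilities, or made moot by lowering net.ipv4.ip_unprivileged_port_start). The program below is an added example, not code from the post or the thread: it checks whether the running process holds that capability by parsing the CapEff line of /proc/self/status (capability number 10 is CAP_NET_BIND_SERVICE in <linux/capability.h>) and then attempts to bind a UDP port, so an administrator can verify that a least-privilege setup actually works. The binary name `bindtest` in the comments is an assumption.

```c
/* Added example (not from the mailing-list post): checks whether the
   current process holds CAP_NET_BIND_SERVICE and tries to bind a UDP
   port, which is the modern Linux answer to "let user dns attach to
   udp:53 without setuid root". Run as an unprivileged user, binding 53
   fails with EACCES; after `setcap cap_net_bind_service=+ep ./bindtest`
   (binary name assumed) or with net.ipv4.ip_unprivileged_port_start
   lowered below 53, the same unprivileged user succeeds. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Capability number of CAP_NET_BIND_SERVICE from <linux/capability.h>. */
#define CAP_NET_BIND_SERVICE_BIT 10

/* Parse one "CapEff:\t<hex mask>" line (the format used in
   /proc/self/status) and return 1 if capability bit `bit` is set,
   0 if it is clear, or -1 if the line cannot be parsed. */
int capeff_has_bit(const char *line, int bit)
{
    const char *p = strchr(line, ':');
    if (!p) return -1;
    p++;
    while (*p == ' ' || *p == '\t') p++;
    char *end;
    unsigned long long mask = strtoull(p, &end, 16);
    if (end == p) return -1;
    return ((mask >> bit) & 1ULL) ? 1 : 0;
}

/* Read /proc/self/status and report whether the effective capability
   set holds CAP_NET_BIND_SERVICE. Returns 1/0, or -1 if unreadable. */
int process_can_bind_low_ports(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char line[256];
    int result = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            result = capeff_has_bit(line, CAP_NET_BIND_SERVICE_BIT);
            break;
        }
    }
    fclose(f);
    return result;
}

/* Try to bind a UDP socket to 127.0.0.1:port. Returns 0 on success or
   the errno from bind(); EACCES means the privileged-port check refused
   the caller, which is what you expect without the capability. */
int try_bind_udp(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return errno;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    int rc = bind(fd, (struct sockaddr *)&sa, sizeof sa);
    int err = (rc == 0) ? 0 : errno;
    close(fd);
    return err;
}

int main(int argc, char **argv)
{
    unsigned short port = (argc > 1) ? (unsigned short)atoi(argv[1]) : 53;
    int cap = process_can_bind_low_ports();
    printf("CAP_NET_BIND_SERVICE in effective set: %s\n",
           cap == 1 ? "yes" : cap == 0 ? "no" : "unknown");
    int err = try_bind_udp(port);
    if (err == 0)
        printf("bind udp/%u: ok\n", port);
    else
        printf("bind udp/%u: %s\n", port, strerror(err));
    return err == 0 ? 0 : 1;
}
```

Running it first as the service user without the capability and then after granting it shows the two outcomes side by side; if the capability report says "yes" but the bind still fails, look for a conflicting sysctl or a mandatory access control policy rather than for a missing privilege.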