Quarantining an account from the Internet, or from all networking?

Michael ODonnell michael.odonnell at comcast.net
Mon Aug 16 18:30:17 EDT 2010



Interesting question.  There's no notion of UID associated with
an IP packet so once it's in transit it's not straightforward
to know who "owns" it, unless maybe the network code happens
to be executing (synchronously) on behalf of the restricted
user (outbound only?)  or maybe if the packet can somehow
be ID'd as being part of a channel he's currently using,
maybe using the port number?  I'm guessing it'd be easiest
to make the deny/allow decision during the setup phase of the
network connection(s) in question.  At any rate that iptables
trick sounds fun; even if it only trashes a few packets it'd
probably gum things up enough to have the intended effect.

Or maybe you could just run that user in his own VM with
networking suitably crippled...?
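As an added example (not from the original thread or its author), here is the shape the iptables owner-match approach alluded to above takes: the kernel only knows the originating UID for locally generated packets, so the match is applied in OUTPUT, and rejecting rather than silently dropping gives the user fast failures instead of hung connections. The user name "restricted", the LAN 192.168.1.0/24 and the chain name USER_QUARANTINE are assumptions; set IPT="echo iptables" to review the rules without applying them.

```shell
#!/bin/sh
# Added example, not from the original thread: use the iptables owner
# match to keep one local user's outbound traffic on the LAN.  The UID
# is only known for locally generated packets, so this lives in OUTPUT.
# Assumptions: user "restricted", LAN 192.168.1.0/24, chain USER_QUARANTINE.
# Set IPT="echo iptables" to print the commands instead of applying them.
IPT="${IPT:-iptables}"
CHAIN="USER_QUARANTINE"

# Print one iptables argument list per line for the given user and LAN.
# Loopback and the LAN stay reachable; everything else is logged (rate
# limited) and rejected so the user's programs fail quickly, not slowly.
quarantine_rules() {
    user="$1"
    lan="$2"
    cat <<EOF
-N $CHAIN
-A $CHAIN -o lo -j ACCEPT
-A $CHAIN -d $lan -j ACCEPT
-A $CHAIN -m limit --limit 5/min -j LOG --log-prefix quarantine:
-A $CHAIN -p tcp -j REJECT --reject-with tcp-reset
-A $CHAIN -j REJECT --reject-with icmp-admin-prohibited
-I OUTPUT 1 -m owner --uid-owner $user -j $CHAIN
EOF
}

# Number of rules quarantine_rules emits (handy for a self-check).
quarantine_rule_count() {
    quarantine_rules "$1" "$2" | wc -l | tr -d ' '
}

# Feed each rule line to iptables (or to echo during a dry run).
apply_quarantine() {
    quarantine_rules "$1" "$2" | while IFS= read -r rule; do
        # Word-splitting $rule into separate arguments is intended here.
        $IPT $rule
    done
}

# Direct usage: "sh quarantine.sh --dry-run restricted 192.168.1.0/24"
if [ "${1:-}" = "--dry-run" ]; then
    IPT="echo iptables"
    apply_quarantine "${2:-restricted}" "${3:-192.168.1.0/24}"
fi
```

Inbound connections to services the user runs are untouched by this, since only packets the user's own processes generate carry a UID; a separate INPUT policy or the VM idea above covers that side.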



More information about the gnhlug-discuss mailing list