On 2014/09/09 15:36, Nagle, Edwin (James) wrote:
> I thought about running different sshd daemons but that doesn't really
> help in my situation. User IPs can vary wildly but I can restrict
> access *to* the box using RADIUS based on username. Problem is once
> that user connects, I need to restrict his outbound access based on
> an IP policy, which is currently being filtered outside of the server
> on a Cisco ASA firewall (currently expecting to see the IP address of
> whichever server the user is connected to).
PF can match local connections based on uid or gid, so you can use this feature to NAT to a different local address for different users. Does this give you enough flexibility to do what you need?

pass out quick proto tcp from self to $server group 1001 nat-to $some_ip
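A fuller pf.conf excerpt showing the per-group nat-to approach from the reply above, written as an added example for this page rather than code posted by either participant. The interface name, addresses, group IDs and the second group are all assumed values chosen for illustration; the only thing taken from the thread is the rule shape (pass out ... from self ... group N nat-to ADDR).

```pf
# Added example, not from the original thread. Per-group source NAT on
# the SSH gateway itself, so the upstream ASA sees a different source
# address depending on which group the logged-in user belongs to.
# All names, addresses and group IDs below are assumptions.

ext_if = "em0"                  # assumed egress interface of the gateway
server = "192.0.2.10"           # assumed internal host behind the ASA

# Alias addresses that must be configured on $ext_if so that return
# traffic actually arrives at this host, e.g. in /etc/hostname.em0:
#   inet alias 198.51.100.11 255.255.255.255
#   inet alias 198.51.100.12 255.255.255.255
src_ops = "198.51.100.11"
src_dev = "198.51.100.12"

# Group IDs as they appear in /etc/group on the gateway (assumed values).
gid_ops = 1001
gid_dev = 1002

# Match outbound TCP sockets owned by members of each group and rewrite
# the source address. 'quick' stops evaluation at the first match, so
# order the group rules before the catch-all below.
pass out quick on $ext_if proto tcp from self to $server group $gid_ops nat-to $src_ops
pass out quick on $ext_if proto tcp from self to $server group $gid_dev nat-to $src_dev

# Everyone else leaves with the interface's primary address; the ASA then
# sees that address and applies whatever its default policy is.
pass out quick on $ext_if proto tcp from self to $server
```

Two caveats worth checking before relying on this. First, pf's user and group options only match sockets created on the host running pf (TCP and UDP), not forwarded traffic, and they compare against the socket's effective gid rather than supplementary groups, so a user's login group has to be the one named in the rule. Second, the nat-to target has to be an address the gateway answers for, which is why the aliases above are configured on $ext_if. Validate the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, then confirm the translation is happening with `pfctl -s state` while a member of the group is connected, and `pfctl -vvs rules` to see which rule's evaluation counters are incrementing.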