That definitely sounds like a solution that will work. I can assign all users to a common LDAP group and define a PF rule for each of the three groups.
Thank you! I'll let you know how it works out.

James

-----Original Message-----
From: owner-t...@openbsd.org [mailto:owner-t...@openbsd.org] On Behalf Of Stuart Henderson
Sent: Tuesday, September 09, 2014 10:53 AM
To: Nagle, Edwin (James)
Cc: Chris Cappuccio; tech@openbsd.org
Subject: Re: SSH Sourcing

On 2014/09/09 15:36, Nagle, Edwin (James) wrote:
> I thought about running different sshd daemons but that doesn't really
> help in my situation. User IPs can vary wildly but I can restrict
> access *to* the box using radius based on username. Problem is once
> that user connects, I need to restrict his outbound access based on an
> IP policy, which is currently being filtered outside of the server on
> a Cisco ASA firewall (currently expecting to see the IP address of
> whichever server the user is connected to).

PF can match local connections based on uid or gid, so you can use this
feature to nat to a different local address for different users. Does
this give you enough flexibility to do what you need?

pass out quick proto tcp from self to $server group 1001 nat-to $some_ip
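The per-group source NAT Stuart sketches above, worked out as a complete pf.conf fragment. This is an added example and not part of the thread; the interface name, the group names, the server address and the three alias addresses are assumptions chosen for illustration, as are the three groups standing in for James's "three groups".

```pf
# Hypothetical /etc/pf.conf fragment (added example, not from the thread).
# Outbound TCP from this host towards $server is source-NATed to a
# different alias depending on the group owning the socket.

ext_if = "em0"                       # assumed egress interface
server = "192.0.2.10"                # assumed host behind the Cisco ASA

# One alias per group.  Each address must already be configured on
# $ext_if, e.g. in /etc/hostname.em0:
#   inet alias 198.51.100.11 255.255.255.255
ops_ip   = "198.51.100.11"
dev_ip   = "198.51.100.12"
audit_ip = "198.51.100.13"

# "group" matches the effective gid recorded on the socket; a name is
# resolved with getgrnam(3) when pfctl loads the file, a number such as
# "group 1001" is used directly.  "quick" stops evaluation at the first
# match, so a later, broader pass rule cannot undo the nat-to.
pass out quick on $ext_if proto tcp from self to $server \
    group ops nat-to $ops_ip
pass out quick on $ext_if proto tcp from self to $server \
    group dev nat-to $dev_ip
pass out quick on $ext_if proto tcp from self to $server \
    group audit nat-to $audit_ip

# Locally originated connections to $server from any other group never
# reach the ASA with the host's primary address; they are dropped and
# logged to pflog0 instead.  Note this also covers root and daemons.
block out log quick on $ext_if proto tcp from self to $server
```

Two checks worth doing before relying on it. First, `pfctl -nf /etc/pf.conf` parses the file without loading it, which catches an unknown group name at load time rather than at 3 a.m.; `pfctl -f /etc/pf.conf` then installs it and `pfctl -s rules` shows what was resolved. Second, the gid PF compares is the one attached to the socket when it was created, i.e. the process's effective (primary) group, not supplementary membership: log in as the user, run `id -g`, and confirm that is the group named in the rule, otherwise the connection will fall through to the block rule. With a state established, `pfctl -ss` lists the entry with the rewritten source address, which is what the ASA should see.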