From: Grant <ema...@gm...> - 2009-01-17 18:30:08
>>>>> I'd like to block port 80 and 443 traffic to a certain system on my
>>>>> network if the domain isn't one of the two approved domains and the
>>>>> user isn't root. Does anyone know how to do this in shorewall? I'm
>>>>> told it is done along these lines, but I've never used iptables
>>>>> directly:
>>>>>
>>>>> iptables -A OUTPUT -p tcp -m owner --uid-owner someuser --dport http -j REJECT
>>>>
>>>> You are mis-informed.
>>>
>>> What you are asking isn't possible to accomplish with a packet filter.
>>
>> Is there any way to limit a system's website access to two domains
>> with shorewall? I wanted to allow http access to root for downloading
>> new packages via Portage, but it sounds like I won't be able to do
>> that.
>
> Grant -- We really have no idea of what you are trying to do. Your
> questions don't indicate where the clients are, relative to the firewall,
> and where the servers are. So I have been answering your questions based
> on the following principles:
>
> a) NO PACKET FILTERING FIREWALL (which includes Shorewall) has any
> notion of domains. So filtering by domain is a non-starter.

IP would be fine.

> b) When referring to packet filters, filtering by user id (e.g., root)
> can only be done for connections originating from the firewall. See "man
> shorewall-rules" and read about the USER/GROUP column.

Could I install shorewall on the system I want to restrict and leave it wide
open except for blocking port 80 & 443 for non-approved IPs for non-root?

- Grant
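For reference, this is what the arrangement Grant asks about in his last question looks like as a Shorewall rules fragment. It is an added example written for this page, not something posted in the thread, and it follows the principle stated above: the USER/GROUP column only works for connections that originate on the box running Shorewall, so Shorewall has to be installed on the restricted system itself and the rules use $FW as SOURCE. It assumes a two-zone setup (zone "fw" for the host, zone "net" on its uplink interface) with a wide-open policy line "$FW net ACCEPT" in /etc/shorewall/policy, and that the two approved web servers have the fixed addresses 192.0.2.10 and 192.0.2.20 (placeholder addresses; the real ones are whatever the approved domains resolve to, since the filter only ever sees IPs). Rules are matched top to bottom, so the two ACCEPT lines must precede the REJECT.

```text
# /etc/shorewall/rules on the restricted host (added example, assumed layout)
#ACTION  SOURCE  DEST                        PROTO  DEST     SOURCE  ORIGINAL  RATE   USER/
#                                                   PORT(S)  PORT(S) DEST      LIMIT  GROUP
#
# root may reach any web server, so Portage downloads keep working
ACCEPT   $FW     net                         tcp    80,443   -       -         -      root
#
# every local user may reach the two approved servers (placeholder IPs)
ACCEPT   $FW     net:192.0.2.10,192.0.2.20   tcp    80,443
#
# anything else on 80/443 leaving this host is refused; all other ports
# fall through to the wide-open $FW->net ACCEPT policy
REJECT   $FW     net                         tcp    80,443
```

Two caveats a practitioner would check before relying on this. First, the uid match applies to the socket owner, so a non-root user who can run a program as root (sudo, setuid helpers) is not constrained by it; the rule limits accidental browsing, not a determined local user. Second, if either approved site changes address or sits behind a rotating set of front ends, the IP-based ACCEPT silently stops matching and those users get rejected; the addresses have to be maintained by hand because, as Tom says, the packet filter has no notion of domains.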