Re: [Shorewall-users] Block port 80 & 443 non-approved domains for non-root

[Grant <ema...@gm...>]

>>>>>>> I'd like to block port 80 and 443 traffic to a certain system on my
>>>>>>> network if the domain isn't one of the two approved domains and the
>>>>>>> user isn't root.  Does anyone know how to do this in shorewall?  I'm
>>>>>>> told it is done along these lines, but I've never used iptables
>>>>>>> directly:
>>>>>>>
>>>>>>> iptables -A OUTPUT -m owner --uid-owner someuser -m tcp --dport http -j REJECT
>>>>>> You are mis-informed.
>>>>> What you are asking isn't possible to accomplish with a packet filter.
>>>> Is there any way to limit a system's website access to two domains
>>>> with shorewall?  I wanted to allow http access to root for downloading
>>>> new packages via Portage, but it sounds like I won't be able to do
>>>> that.
>>> Grant -- We really have no idea of what you are trying to do. Your
>>> questions don't indicate where the clients are, relative to the fireall,
>>> and where the servers are. So I have been answering your questions based
>>> on the following principles:
>>>
>>> a) NO PACKET FILTERING FIREWALL (which includes Shorewall) has any
>>> notion of domains. So filterinG by domain is a non-starter.
>>>
>>> b) When referring to packet filters, filtering by user id (e.g., root)
>>> can only be done for connections originating from the firewall. See "man
>>> shoreall-rules" and read about the USER/GROUP column.
>>
>> OK, how about rejecting all http/https traffic from a certain system
>> behind my firewall except that which is headed to a certain website?
>> I tried this in the rules file:
>>
>> ACCEPT  loc:192.168.0.3 loc:web.site.i.p       tcp     80
>> ACCEPT  loc:192.168.0.3 loc:web.site.i.p       tcp     443
>
> The DEST column should be "net:web.site.i.p"

I'm sorry, I was thinking loc=location instead of local.  Thanks a lot.

- Grant