Grant wrote:
>>>> I'd like to block port 80 and 443 traffic to a certain system on my
>>>> network if the domain isn't one of the two approved domains and the
>>>> user isn't root. Does anyone know how to do this in shorewall? I'm
>>>> told it is done along these lines, but I've never used iptables
>>>> directly:
>>>>
>>>> iptables -A OUTPUT -m owner --uid-owner someuser -m tcp --dport http -j
>>>> REJECT
>>> You are mis-informed.
>> What you are asking isn't possible to accomplish with a packet filter.
>
> Is there any way to limit a system's website access to two domains
> with shorewall? I wanted to allow http access to root for downloading
> new packages via Portage, but it sounds like I won't be able to do
> that.
Grant --

We really have no idea of what you are trying to do. Your questions don't indicate where the clients are, relative to the firewall, and where the servers are. So I have been answering your questions based on the following principles:

a) NO PACKET FILTERING FIREWALL (which includes Shorewall) has any notion of domains. So filtering by domain is a non-starter.

b) When referring to packet filters, filtering by user id (e.g., root) can only be done for connections originating from the firewall. See "man shorewall-rules" and read about the USER/GROUP column.
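A rules-file fragment illustrating the USER/GROUP column mentioned in b), added here as an example rather than taken from the thread or from the Shorewall project. It assumes the usual `net` zone name, the built-in `$FW` firewall zone, and that the web traffic (Portage included) originates on the firewall host itself, since that is the only case in which a packet filter can see the uid:

```text
# /etc/shorewall/rules fragment (constructed example, classic column layout).
# Only connections that originate ON the firewall host can be matched by user,
# which is why SOURCE is $FW; traffic relayed from a LAN client carries no uid.
#
#ACTION   SOURCE   DEST   PROTO   DEST      SOURCE   ORIGINAL   RATE    USER/
#                                 PORT(S)   PORT(S)  DEST       LIMIT   GROUP
# Let root (e.g. emerge/Portage) reach web servers on 80 and 443.
ACCEPT    $FW      net    tcp     80,443    -        -          -       root
# Every other local user is refused. Rules are matched in order, so the
# ACCEPT for root has to come before this catch-all.
REJECT    $FW      net    tcp     80,443
```

Nothing here restricts which web sites root can reach: the destination is the whole `net` zone, and per a) a domain restriction cannot be expressed in a packet filter rule at all.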
