>>>>> I'd like to block port 80 and 443 traffic to a certain system on my
>>>>> network if the domain isn't one of the two approved domains and the
>>>>> user isn't root. Does anyone know how to do this in shorewall? I'm
>>>>> told it is done along these lines, but I've never used iptables
>>>>> directly:
>>>>>
>>>>> iptables -A OUTPUT -m owner --uid-owner someuser -m tcp --dport http -j REJECT
>>>>
>>>> You are misinformed.
>>>
>>> What you are asking isn't possible to accomplish with a packet filter.
>>
>> Is there any way to limit a system's website access to two domains
>> with shorewall? I wanted to allow http access to root for downloading
>> new packages via Portage, but it sounds like I won't be able to do
>> that.
>
> Grant -- We really have no idea of what you are trying to do. Your
> questions don't indicate where the clients are, relative to the firewall,
> and where the servers are. So I have been answering your questions based
> on the following principles:
>
> a) NO PACKET FILTERING FIREWALL (which includes Shorewall) has any
> notion of domains. So filtering by domain is a non-starter.
>
> b) When referring to packet filters, filtering by user id (e.g., root)
> can only be done for connections originating from the firewall. See "man
> shorewall-rules" and read about the USER/GROUP column.
OK, how about rejecting all http/https traffic from a certain system behind
my firewall except that which is headed to a certain website? I tried this
in the rules file:

    ACCEPT  loc:192.168.0.3  loc:web.site.i.p  tcp  80
    ACCEPT  loc:192.168.0.3  loc:web.site.i.p  tcp  443
    REJECT  loc:192.168.0.3  net               tcp  80
    REJECT  loc:192.168.0.3  net               tcp  443

but it also blocks requests to web.site.i.p. What is the correct way to do
this?

- Grant

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
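The rule set above is evaluated first match wins, and a SOURCE or DEST entry of the form `zone:address` only matches when the packet is in that zone AND has that address. The following is an added example (not code from the thread or from Shorewall) that models just that much of the rules-file semantics in Python, so the behaviour Grant reports can be reproduced and compared with a variant that names the web site under the zone it is actually reached through. Assumptions, all constructed: two zones, `loc` = 192.168.0.0/24 and `net` = everything else; 203.0.113.10 stands in for `web.site.i.p`; a connection that matches no rule is handed to the policy file, which the model reports as `POLICY` rather than guessing its value. The evaluator ignores everything else Shorewall does (interfaces, the hosts file, rate limits, the USER/GROUP column), and it also illustrates the thread's other point: what it filters is an IP address, not a domain, so a site served from several addresses is only covered for the ones you list.

```python
"""Toy first-match evaluator for Shorewall-style ACCEPT/REJECT rules.

Added example, not part of the mailing-list thread or of Shorewall itself.
Zone layout, addresses and the fall-through label are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone layout: the LAN behind the firewall is "loc",
# everything else is "net".  Real Shorewall derives zones from the
# interfaces and hosts files; this lookup stands in for that.
LOC_NET = ip_network("192.168.0.0/24")


def zone_of(addr: str) -> str:
    """Return the zone an address belongs to (assumption: only loc and net)."""
    return "loc" if ip_address(addr) in LOC_NET else "net"


@dataclass
class Rule:
    action: str   # ACCEPT or REJECT
    source: str   # "zone" or "zone:address"
    dest: str     # "zone" or "zone:address"
    proto: str    # "tcp" in this thread
    dport: int


def _matches_endpoint(spec: str, addr: str) -> bool:
    """'loc:192.168.0.3' matches only an address that is in zone loc AND
    equals 192.168.0.3; a bare 'net' matches any address in zone net."""
    zone, _, host = spec.partition(":")
    if zone_of(addr) != zone:
        return False
    return host == "" or ip_address(host) == ip_address(addr)


def evaluate(rules, src: str, dst: str, proto: str, dport: int) -> str:
    """First matching rule wins; no match means the policy file decides."""
    for r in rules:
        if (r.proto == proto and r.dport == dport
                and _matches_endpoint(r.source, src)
                and _matches_endpoint(r.dest, dst)):
            return r.action
    return "POLICY"


def parse_rules(text: str):
    """Parse the five whitespace-separated columns used in the thread."""
    rules = []
    for line in text.strip().splitlines():
        action, source, dest, proto, dport = line.split()
        rules.append(Rule(action, source, dest, proto, int(dport)))
    return rules


CLIENT = "192.168.0.3"     # the system being restricted (from the thread)
SITE = "203.0.113.10"      # constructed stand-in for web.site.i.p
OTHER = "198.51.100.7"     # constructed: some other Internet host
LAN_PEER = "192.168.0.5"   # constructed: another host on the LAN

# Rules as posted: the ACCEPT lines place the site in zone loc, but the
# site's address is outside LOC_NET, so those lines can never match.
AS_POSTED = parse_rules(f"""
ACCEPT loc:{CLIENT} loc:{SITE} tcp 80
ACCEPT loc:{CLIENT} loc:{SITE} tcp 443
REJECT loc:{CLIENT} net tcp 80
REJECT loc:{CLIENT} net tcp 443
""")

# Same rules with the site named under the zone it is reached through.
CORRECTED = parse_rules(f"""
ACCEPT loc:{CLIENT} net:{SITE} tcp 80
ACCEPT loc:{CLIENT} net:{SITE} tcp 443
REJECT loc:{CLIENT} net tcp 80
REJECT loc:{CLIENT} net tcp 443
""")


def verdicts(rules):
    """Run a few representative connections from CLIENT through the rules."""
    return {
        "site_http": evaluate(rules, CLIENT, SITE, "tcp", 80),
        "site_https": evaluate(rules, CLIENT, SITE, "tcp", 443),
        "other_http": evaluate(rules, CLIENT, OTHER, "tcp", 80),
        "lan_http": evaluate(rules, CLIENT, LAN_PEER, "tcp", 80),
    }


if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(f"{name}: {verdicts(rules)}")
```

Running it shows the posted set rejecting the site on both ports (the `loc:` ACCEPT never fires, so the `net` REJECT catches the connection), while the variant with `net:` accepts the site and still rejects other Internet hosts; LAN-to-LAN traffic matches neither set and is left to the policy.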
