Grant wrote: >>>>>> I'd like to block port 80 and 443 traffic to a certain system on my >>>>>> network if the domain isn't one of the two approved domains and the >>>>>> user isn't root. Does anyone know how to do this in shorewall? I'm >>>>>> told it is done along these lines, but I've never used iptables >>>>>> directly: >>>>>> >>>>>> iptables -A OUTPUT -m owner --uid-owner someuser -m tcp --dport http -j >>>>>> REJECT >>>>> You are mis-informed. >>>> What you are asking isn't possible to accomplish with a packet filter. >>> Is there any way to limit a system's website access to two domains >>> with shorewall? I wanted to allow http access to root for downloading >>> new packages via Portage, but it sounds like I won't be able to do >>> that. >> Grant -- We really have no idea of what you are trying to do. Your >> questions don't indicate where the clients are, relative to the fireall, >> and where the servers are. So I have been answering your questions based >> on the following principles: >> >> a) NO PACKET FILTERING FIREWALL (which includes Shorewall) has any >> notion of domains. So filterinG by domain is a non-starter. >> >> b) When referring to packet filters, filtering by user id (e.g., root) >> can only be done for connections originating from the firewall. See "man >> shoreall-rules" and read about the USER/GROUP column. > > OK, how about rejecting all http/https traffic from a certain system > behind my firewall except that which is headed to a certain website? > I tried this in the rules file: > > ACCEPT loc:192.168.0.3 loc:web.site.i.p tcp 80 > ACCEPT loc:192.168.0.3 loc:web.site.i.p tcp 443
The DEST column should be "net:web.site.i.p" ------------------------------------------------------------------------------ This SF.net email is sponsored by: SourcForge Community SourceForge wants to tell your story. http://p.sf.net/sfu/sf-spreadtheword _______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
