I'd like to block port 80 and 443 traffic to a certain system on my network if the domain isn't one of the two approved domains and the user isn't root. Does anyone know how to do this in shorewall? I'm told it is done along these lines, but I've never used iptables directly:

iptables -A OUTPUT -m owner --uid-owner someuser -m tcp --dport http -j REJECT

- Grant

------------------------------------------------------------------------------
This SF.net email is sponsored by: SourcForge Community
SourceForge wants to tell your story.
http://p.sf.net/sfu/sf-spreadtheword
Shorewall Guy
2009-Jan-17 02:38 UTC
Re: Block port 80 & 443 non-approved domains for non-root
Grant wrote:
> I'd like to block port 80 and 443 traffic to a certain system on my
> network if the domain isn't one of the two approved domains and the
> user isn't root. Does anyone know how to do this in shorewall? I'm
> told it is done along these lines, but I've never used iptables
> directly:
>
> iptables -A OUTPUT -m owner --uid-owner someuser -m tcp --dport http -j REJECT

You are misinformed.
Shorewall Guy
2009-Jan-17 03:43 UTC
Re: Block port 80 & 443 non-approved domains for non-root
Shorewall Guy wrote:
> Grant wrote:
>> I'd like to block port 80 and 443 traffic to a certain system on my
>> network if the domain isn't one of the two approved domains and the
>> user isn't root. Does anyone know how to do this in shorewall? I'm
>> told it is done along these lines, but I've never used iptables
>> directly:
>>
>> iptables -A OUTPUT -m owner --uid-owner someuser -m tcp --dport http -j REJECT
>
> You are misinformed.

What you are asking isn't possible to accomplish with a packet filter.
>>> I'd like to block port 80 and 443 traffic to a certain system on my
>>> network if the domain isn't one of the two approved domains and the
>>> user isn't root. Does anyone know how to do this in shorewall? I'm
>>> told it is done along these lines, but I've never used iptables
>>> directly:
>>>
>>> iptables -A OUTPUT -m owner --uid-owner someuser -m tcp --dport http -j REJECT
>>
>> You are misinformed.
>
> What you are asking isn't possible to accomplish with a packet filter.

Is there any way to limit a system's website access to two domains with shorewall? I wanted to allow http access to root for downloading new packages via Portage, but it sounds like I won't be able to do that.

- Grant
Shorewall Guy
2009-Jan-17 05:14 UTC
Re: Block port 80 & 443 non-approved domains for non-root
Grant wrote:
>>>> I'd like to block port 80 and 443 traffic to a certain system on my
>>>> network if the domain isn't one of the two approved domains and the
>>>> user isn't root. Does anyone know how to do this in shorewall? I'm
>>>> told it is done along these lines, but I've never used iptables
>>>> directly:
>>>>
>>>> iptables -A OUTPUT -m owner --uid-owner someuser -m tcp --dport http -j REJECT
>>> You are misinformed.
>> What you are asking isn't possible to accomplish with a packet filter.
>
> Is there any way to limit a system's website access to two domains
> with shorewall? I wanted to allow http access to root for downloading
> new packages via Portage, but it sounds like I won't be able to do
> that.

Grant -- We really have no idea of what you are trying to do. Your questions don't indicate where the clients are, relative to the firewall, and where the servers are. So I have been answering your questions based on the following principles:

a) NO PACKET FILTERING FIREWALL (which includes Shorewall) has any notion of domains. So filtering by domain is a non-starter.

b) When referring to packet filters, filtering by user id (e.g., root) can only be done for connections originating from the firewall. See "man shorewall-rules" and read about the USER/GROUP column.
>>>>> I'd like to block port 80 and 443 traffic to a certain system on my
>>>>> network if the domain isn't one of the two approved domains and the
>>>>> user isn't root. Does anyone know how to do this in shorewall? I'm
>>>>> told it is done along these lines, but I've never used iptables
>>>>> directly:
>>>>>
>>>>> iptables -A OUTPUT -m owner --uid-owner someuser -m tcp --dport http -j REJECT
>>>> You are misinformed.
>>> What you are asking isn't possible to accomplish with a packet filter.
>>
>> Is there any way to limit a system's website access to two domains
>> with shorewall? I wanted to allow http access to root for downloading
>> new packages via Portage, but it sounds like I won't be able to do
>> that.
>
> Grant -- We really have no idea of what you are trying to do. Your
> questions don't indicate where the clients are, relative to the firewall,
> and where the servers are. So I have been answering your questions based
> on the following principles:
>
> a) NO PACKET FILTERING FIREWALL (which includes Shorewall) has any
> notion of domains. So filtering by domain is a non-starter.
>
> b) When referring to packet filters, filtering by user id (e.g., root)
> can only be done for connections originating from the firewall. See "man
> shorewall-rules" and read about the USER/GROUP column.

OK, how about rejecting all http/https traffic from a certain system behind my firewall except that which is headed to a certain website? I tried this in the rules file:

ACCEPT loc:192.168.0.3 loc:web.site.i.p tcp 80
ACCEPT loc:192.168.0.3 loc:web.site.i.p tcp 443
REJECT loc:192.168.0.3 net tcp 80
REJECT loc:192.168.0.3 net tcp 443

but it also blocks requests to web.site.i.p. What is the correct way to do this?

- Grant
>>>>> I'd like to block port 80 and 443 traffic to a certain system on my
>>>>> network if the domain isn't one of the two approved domains and the
>>>>> user isn't root. Does anyone know how to do this in shorewall? I'm
>>>>> told it is done along these lines, but I've never used iptables
>>>>> directly:
>>>>>
>>>>> iptables -A OUTPUT -m owner --uid-owner someuser -m tcp --dport http -j REJECT
>>>> You are misinformed.
>>> What you are asking isn't possible to accomplish with a packet filter.
>>
>> Is there any way to limit a system's website access to two domains
>> with shorewall? I wanted to allow http access to root for downloading
>> new packages via Portage, but it sounds like I won't be able to do
>> that.
>
> Grant -- We really have no idea of what you are trying to do. Your
> questions don't indicate where the clients are, relative to the firewall,
> and where the servers are. So I have been answering your questions based
> on the following principles:
>
> a) NO PACKET FILTERING FIREWALL (which includes Shorewall) has any
> notion of domains. So filtering by domain is a non-starter.

IP would be fine.

> b) When referring to packet filters, filtering by user id (e.g., root)
> can only be done for connections originating from the firewall. See "man
> shorewall-rules" and read about the USER/GROUP column.

Could I install shorewall on the system I want to restrict and leave it wide open except for blocking port 80 & 443 for non-approved IPs for non-root?

- Grant
Shorewall Guy
2009-Jan-17 19:16 UTC
Re: Block port 80 & 443 non-approved domains for non-root
Grant wrote:
>>>>>> I'd like to block port 80 and 443 traffic to a certain system on my
>>>>>> network if the domain isn't one of the two approved domains and the
>>>>>> user isn't root. Does anyone know how to do this in shorewall? I'm
>>>>>> told it is done along these lines, but I've never used iptables
>>>>>> directly:
>>>>>>
>>>>>> iptables -A OUTPUT -m owner --uid-owner someuser -m tcp --dport http -j REJECT
>>>>> You are misinformed.
>>>> What you are asking isn't possible to accomplish with a packet filter.
>>> Is there any way to limit a system's website access to two domains
>>> with shorewall? I wanted to allow http access to root for downloading
>>> new packages via Portage, but it sounds like I won't be able to do
>>> that.
>> Grant -- We really have no idea of what you are trying to do. Your
>> questions don't indicate where the clients are, relative to the firewall,
>> and where the servers are. So I have been answering your questions based
>> on the following principles:
>>
>> a) NO PACKET FILTERING FIREWALL (which includes Shorewall) has any
>> notion of domains. So filtering by domain is a non-starter.
>>
>> b) When referring to packet filters, filtering by user id (e.g., root)
>> can only be done for connections originating from the firewall. See "man
>> shorewall-rules" and read about the USER/GROUP column.
>
> OK, how about rejecting all http/https traffic from a certain system
> behind my firewall except that which is headed to a certain website?
> I tried this in the rules file:
>
> ACCEPT loc:192.168.0.3 loc:web.site.i.p tcp 80
> ACCEPT loc:192.168.0.3 loc:web.site.i.p tcp 443

The DEST column should be "net:web.site.i.p"
>>>>>>> I'd like to block port 80 and 443 traffic to a certain system on my
>>>>>>> network if the domain isn't one of the two approved domains and the
>>>>>>> user isn't root. Does anyone know how to do this in shorewall? I'm
>>>>>>> told it is done along these lines, but I've never used iptables
>>>>>>> directly:
>>>>>>>
>>>>>>> iptables -A OUTPUT -m owner --uid-owner someuser -m tcp --dport http -j REJECT
>>>>>> You are misinformed.
>>>>> What you are asking isn't possible to accomplish with a packet filter.
>>>> Is there any way to limit a system's website access to two domains
>>>> with shorewall? I wanted to allow http access to root for downloading
>>>> new packages via Portage, but it sounds like I won't be able to do
>>>> that.
>>> Grant -- We really have no idea of what you are trying to do. Your
>>> questions don't indicate where the clients are, relative to the firewall,
>>> and where the servers are. So I have been answering your questions based
>>> on the following principles:
>>>
>>> a) NO PACKET FILTERING FIREWALL (which includes Shorewall) has any
>>> notion of domains. So filtering by domain is a non-starter.
>>>
>>> b) When referring to packet filters, filtering by user id (e.g., root)
>>> can only be done for connections originating from the firewall. See "man
>>> shorewall-rules" and read about the USER/GROUP column.
>>
>> OK, how about rejecting all http/https traffic from a certain system
>> behind my firewall except that which is headed to a certain website?
>> I tried this in the rules file:
>>
>> ACCEPT loc:192.168.0.3 loc:web.site.i.p tcp 80
>> ACCEPT loc:192.168.0.3 loc:web.site.i.p tcp 443
>
> The DEST column should be "net:web.site.i.p"

I'm sorry, I was thinking loc=location instead of local. Thanks a lot.

- Grant
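Putting the two points from this thread together (the DEST zone must be net:, not loc:, and the USER/GROUP column only applies to connections that originate on the host running Shorewall), the following rules-file fragment is an added illustration and is not from the thread or from the Shorewall project. It assumes zones named loc and net as in Grant's rules, a fw->net policy of ACCEPT for the host case, and uses 203.0.113.10 as a constructed placeholder for the approved site's address.

```text
# Added example fragment for /etc/shorewall/rules (not from the thread).
# Shorewall evaluates rules top to bottom, so the ACCEPT lines must come
# before the REJECT lines or the REJECT also catches the approved site.

# Case 1: Shorewall runs on the gateway and 192.168.0.3 is a client in
# zone loc.  The connection does not originate on the firewall, so the
# USER/GROUP column cannot be used here; only the destination is matched.
#ACTION  SOURCE            DEST               PROTO  DEST
#                                                    PORT(S)
ACCEPT   loc:192.168.0.3   net:203.0.113.10   tcp    80,443
REJECT   loc:192.168.0.3   net                tcp    80,443

# Case 2: Shorewall runs on the restricted host itself ($FW), with the
# fw->net policy set to ACCEPT so everything else stays open.  Here the
# USER/GROUP column (see "man shorewall-rules") exempts root, so package
# downloads as root still work while other users reach only the approved
# address.
#ACTION  SOURCE  DEST               PROTO  DEST     SOURCE   ORIGINAL  RATE   USER/
#                                          PORT(S)  PORT(S)  DEST      LIMIT  GROUP
ACCEPT   $FW     net:203.0.113.10   tcp    80,443
ACCEPT   $FW     net                tcp    80,443   -        -         -      root
REJECT   $FW     net                tcp    80,443

# Caveat: a packet filter matches addresses, not domains.  A site served
# from several addresses needs each one listed (a comma-separated list
# in DEST works), and name resolution (port 53) is unaffected by these
# rules since they only cover tcp 80 and 443.
```

The REJECT lines only matter when the relevant policy is ACCEPT; with a DROP or REJECT policy for that zone pair, the ACCEPT lines alone are enough.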