Hi All,

I'm using shorewall 4.0.15-1 on debian 5.0.5 and it works fine.

I want to start using rules based on users. This is supported in the shorewall-rules file, however it seems that each rule can only be associated with one user or group.

Does this mean that I cannot have a rule apply to several users which belong to several groups?

Will creating duplicate rules for each user work?

Thanks
Shai

------------------------------------------------------------------------------
Increase Visibility of Your 3D Game App & Earn a Chance To Win $500! Tap into the largest installed PC base & get more eyes on your game by optimizing for Intel(R) Graphics Technology. Get started today with the Intel(R) Software Partner Program. Five $500 cash prizes are up for grabs. http://p.sf.net/sfu/intelisp-dev2dev
I am very interested in this thread - I was not aware that this was supported (laziness on my behalf, I guess).

Can you give an example of a user rule? How does the user authenticate? LDAP support for users/groups would be ideal.

Thanks

On Thu, Dec 2, 2010 at 9:24 AM, Shai Ayal <shaia@biocontrol.co.il> wrote:
> Hi All,
>
> I'm using shorewall 4.0.15-1 on debian 5.0.5 and it works fine.
>
> I want to start using rules based on users. This is supported in the
> shorewall-rules file, however it seems that each rule can only be
> associated with one user or group.
>
> Does this mean that I cannot have a rule apply to several users which
> belong to several groups?
>
> Will creating duplicate rules for each user work?
>
> Thanks
> Shai
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

--
Scott Ryan
http://bonoboslr.wordpress.com/
On 12/02/2010 10:56 AM, Scott Ryan wrote:
> I am very interested in this thread - I was not aware that this was
> supported (laziness on my behalf, I guess).
> Can you give an example of a user rule? How does the user authenticate?
> LDAP support for users/groups would be ideal.

I think you did not hear of this because this feature is quite limited: it only works for connections originating from the firewall. Users authenticate to the firewall using whatever is configured in the firewall, so LDAP is a possibility.

Shai
Scott Ryan wrote:
> I am very interested in this thread - I was not aware that this was
> supported (laziness on my behalf, I guess).
> Can you give an example of a user rule? How does the user authenticate?
> LDAP support for users/groups would be ideal.

Extract from 'man shorewall-rules':

> USER/GROUP (Optional) - [!][user-name-or-number]
>     [:group-name-or-number][+program-name]
>
>     This column may only be non-empty if the SOURCE
>     is the firewall itself.
>
>     When this column is non-empty, the rule applies only
>     if the program generating the output is running under
>     the effective user and/or group specified (or is NOT
>     running under that id if "!" is given).
>
>     Examples:
>
>     joe
>         program must be run by joe
>
>     :kids
>         program must be run by a member of the "kids" group
>
>     !:kids
>         program must not be run by a member of the "kids" group
>
>     +upnpd
>         #program named upnpd
>
>     Important
>         The ability to specify a program name was removed from
>         Netfilter in kernel version 2.6.14.

As Shai says, this only applies to connections originating from programs running on the firewall itself - this is the ONLY time the Netfilter programs have any concept of "user" in relation to packets being passed.

For any other traffic, you would have to use a proxy on the firewall AND arrange that all packets it forwarded were done in a suitable user context. I'm not aware of any proxy that would support that, and to do it in one thread would (I imagine) create an awful lot of context switches as the proxy switched users to send packets - or it would have to spawn a thread for each user and route all packets through the appropriate thread.

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
On Thu, Dec 2, 2010 at 4:33 AM, Simon Hobson <linux@thehobsons.co.uk> wrote:
> Scott Ryan wrote:
>> I am very interested in this thread - I was not aware that this was
>> supported (laziness on my behalf, I guess).
>> Can you give an example of a user rule?

I use it to allow a few very trusted users to create ssh tunnels using the firewall (a backup in case our VPN server fails):

# Allows SSH tunneling
ACCEPT  $FW  loc  -  -  -  -  -  admina
ACCEPT  $FW  loc  -  -  -  -  -  adminb
ACCEPT  $FW  loc  -  -  -  -  -  root

Brad C