From: Alan McKinnon
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Restricting Firefox website access
Date: Sat, 17 Jan 2009 10:47:04 +0200
User-Agent: KMail/1.9.10
References: <49bf44f10901071344l3f081b8dmaa6353b41fb59f4@mail.gmail.com> <20090111070536.52dece68@coercion> <49bf44f10901162134o79953e71y393c6a340c398dbe@mail.gmail.com>
In-Reply-To: <49bf44f10901162134o79953e71y393c6a340c398dbe@mail.gmail.com>
List-Id: Gentoo Linux mail
Reply-to: gentoo-user@lists.gentoo.org
Message-Id: <200901171047.05040.alan.mckinnon@gmail.com>

On Saturday 17 January 2009 07:34:59 Grant wrote:
> >> That sounds good, how can I do that?
> >
> > iptables module "owner" handles that stuff, just "man iptables" if
> > you'll have any trouble.
> >
> > iptables -A OUTPUT -m owner --uid-owner someuser -m tcp --dport http -j
> > REJECT
>
> I brought this to the shorewall list for config advice, but I was told:
>
> a) NO PACKET FILTERING FIREWALL (which includes Shorewall) has any
> notion of domains. So filtering by domain is a non-starter.
>
> b) When referring to packet filters, filtering by user id (e.g., root)
> can only be done for connections originating from the firewall. See "man
> shorewall-rules" and read about the USER/GROUP column.
>
> Here was my original request:
>
> I'd like to restrict the websites one of the computers on my network
> can access in Firefox. It only needs to access 2 different domain
> names and I don't want it to be able to access any others. I can
> restrict it at the router if necessary because the router is a Gentoo
> system.
>
> I think this leaves a squid proxy setup as my only option?

Restrict by source AND destination IP.

This requires only that the computer in question has a static IP or a
permanent lease (so you always know what it is), and you know the IP of
the web sites to be accessed (dig is a very good friend). Allow these,
deny everything else to destination port 80.

--
alan dot mckinnon at gmail dot com
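As an added example, not part of the original thread: a shell script that emits the iptables rules Alan's source-and-destination approach needs on the Gentoo router, with `dig` wrapped for the lookup he mentions. The host address, the two site addresses and the use of a dedicated chain hooked into FORWARD are my assumptions, not the poster's.

```shell
#!/bin/sh
# Added example (not from the original post): emit the iptables rules for
# "allow host -> site IPs on port 80, refuse everything else to port 80".
# Assumed setup: the router forwards traffic for one LAN host; its static
# IP and the site IPs below are constructed sample values.  Rules are
# printed (dry run) for review; pipe the output to sh as root to apply.

# Resolve a hostname to its IPv4 addresses with dig (needs network; the
# offline sample below uses fixed addresses instead).
resolve_site() {
    dig +short A "$1" | grep -E '^[0-9.]+$'
}

# $1 = host IP, $2.. = allowed site IPs.  One ACCEPT per site IP, then a
# REJECT for any other port-80 destination from that host.
generate_rules() {
    src_host="$1"; shift
    # A dedicated chain keeps these rules apart from the rest of FORWARD
    # and lets the set be flushed and regenerated when a site's IP changes.
    printf 'iptables -N WEB_ALLOWLIST 2>/dev/null\n'
    printf 'iptables -F WEB_ALLOWLIST\n'
    for ip in "$@"; do
        printf 'iptables -A WEB_ALLOWLIST -s %s -d %s -p tcp --dport 80 -j ACCEPT\n' \
            "$src_host" "$ip"
    done
    # Everything else from the host to port 80 is refused.  Other ports
    # are not touched by these rules, as in the post.
    printf 'iptables -A WEB_ALLOWLIST -s %s -p tcp --dport 80 -j REJECT\n' "$src_host"
    # Only the host's port-80 traffic is sent through the chain.
    printf 'iptables -I FORWARD -s %s -p tcp --dport 80 -j WEB_ALLOWLIST\n' "$src_host"
}

# Count ACCEPT rules in a generated rule set (sanity check before applying).
count_accepts() {
    printf '%s\n' "$1" | grep -c -- '-j ACCEPT'
}

# Constructed sample: host 192.168.1.50, two site IPs from documentation ranges.
RULES=$(generate_rules 192.168.1.50 192.0.2.10 198.51.100.20)
printf '%s\n' "$RULES"
```

The allowlist is only as good as the addresses in it: a site that moves hosts or sits behind a shared or CDN address will silently break or over-permit, so re-run the lookup and regenerate the chain whenever that is suspected.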