From: Grant
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Restricting Firefox website access
Date: Sat, 17 Jan 2009 10:12:06 -0800
Message-ID: <49bf44f10901171012u3a9f05c2i591de0e29cb251cc@mail.gmail.com>
In-Reply-To: <200901171047.05040.alan.mckinnon@gmail.com>

>> >> That sounds good, how can I do that?
>> >
>> > iptables module "owner" handles that stuff, just "man iptables" if
>> > you'll have any trouble.
>> >
>> > iptables -A OUTPUT -m owner --uid-owner someuser -m tcp --dport http -j
>> > REJECT
>>
>> I brought this to the shorewall list for config advice, but I was told:
>>
>> a) NO PACKET FILTERING FIREWALL (which includes Shorewall) has any
>> notion of domains. So filtering by domain is a non-starter.
>>
>> b) When referring to packet filters, filtering by user id (e.g., root)
>> can only be done for connections originating from the firewall. See "man
>> shorewall-rules" and read about the USER/GROUP column.
>>
>> Here was my original request:
>>
>> I'd like to restrict the websites one of the computers on my network
>> can access in Firefox. It only needs to access 2 different domain
>> names and I don't want it to be able to access any others. I can
>> restrict it at the router if necessary because the router is a Gentoo
>> system.
>>
>> I think this leaves a squid proxy setup as my only option?
>
> Restrict by source AND destination IP
>
> This requires only that the computer in question has a static IP or a
> permanent lease (so you always know what it is), and you know the IP of the
> web sites to be accessed (dig is a very good friend). Allow these, deny
> everything else to destination port 80.
That sounds good, but I won't be able to fetch all updates that portage might want, right?

- Grant
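The source-plus-destination approach from the reply, written out as an added example (not code from anyone in the thread): a small generator for the FORWARD-chain rules a Gentoo router would need, with the restricted host's address (192.168.1.50) and the two resolved site addresses (203.0.113.10, 198.51.100.20) being constructed placeholder values.

```shell
#!/bin/sh
# Added example, not from the thread. Emits iptables commands that let one LAN
# host reach only a fixed set of web server IPs on TCP port 80 and reject every
# other port-80 destination from that host. The commands are printed rather
# than executed so the ruleset can be reviewed first; pipe through sh on the
# router to apply. All IP addresses below are constructed placeholders.

gen_web_rules() {
    host="$1"              # source IP of the restricted LAN host (static/permanent lease)
    allowed="$2"           # space-separated destination IPs found with dig
    chain="${3:-FORWARD}"  # FORWARD on the router; OUTPUT if applied on the host itself

    # Permit each allowed destination first; iptables evaluates rules in order.
    for ip in $allowed; do
        printf 'iptables -A %s -s %s -d %s -p tcp --dport 80 -j ACCEPT\n' \
            "$chain" "$host" "$ip"
    done
    # Anything else from that host to port 80 is rejected. Only this host is
    # matched, so the router and other LAN machines are unaffected.
    printf 'iptables -A %s -s %s -p tcp --dport 80 -j REJECT\n' "$chain" "$host"
}

# Resolve a domain to its current IPv4 A records (the "dig" step from the reply).
# Site addresses change over time, so regenerate the rules when they do.
resolve_ips() {
    dig +short A "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$' | tr '\n' ' '
}

# Constructed list; on a real router use e.g. "$(resolve_ips example.com)".
ALLOWED="203.0.113.10 198.51.100.20"
gen_web_rules 192.168.1.50 "$ALLOWED"
```

Because the final REJECT covers every other port-80 destination for that host, anything else it must reach, such as a portage mirror, needs its own ACCEPT line ahead of it.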