Message-ID: <49bf44f10901171024q2af5ca4dvf472fd97dd292a09@mail.gmail.com>
Date: Sat, 17 Jan 2009 10:24:42 -0800
From: Grant
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Restricting Firefox website access
>>> >> That sounds good, how can I do that?
>>> >
>>> > iptables module "owner" handles that stuff, just "man iptables" if
>>> > you'll have any trouble.
>>> >
>>> > iptables -A OUTPUT -m owner --uid-owner someuser -p tcp -m tcp --dport http -j
>>> > REJECT
>>>
>>> I brought this to the shorewall list for config advice, but I was told:
>>>
>>> a) NO PACKET FILTERING FIREWALL (which includes Shorewall) has any
>>> notion of domains. So filtering by domain is a non-starter.
>>>
>>> b) When referring to packet filters, filtering by user id (e.g., root)
>>> can only be done for connections originating from the firewall. See "man
>>> shorewall-rules" and read about the USER/GROUP column.
>>>
>>> Here was my original request:
>>>
>>> I'd like to restrict the websites one of the computers on my network
>>> can access in Firefox. It only needs to access 2 different domain
>>> names and I don't want it to be able to access any others. I can
>>> restrict it at the router if necessary because the router is a Gentoo
>>> system.
>>>
>>> I think this leaves a squid proxy setup as my only option?
>>
>> Restrict by source AND destination IP
>>
>> This requires only that the computer in question has a static IP or a
>> permanent lease (so you always know what it is), and you know the IP of the
>> web sites to be accessed (dig is a very good friend). Allow these, deny
>> everything else to destination port 80.
>
> That sounds good, but I won't be able to fetch all updates that
> portage might want, right?
>
> - Grant

But I could install a wide-open firewall on the system-to-restrict and use
that firewall to restrict website access instead of the router's firewall.
That way I could consider the user (root, non-root) when deciding whether or
not to allow the 80/443 outbound connection since:

"When referring to packet filters, filtering by user id (e.g., root) can only
be done for connections originating from the firewall."

That should restrict website access and allow portage to do its thing.

- Grant
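The rule set below is an added example written for this page, not code from the thread, from Gentoo or from Shorewall. It combines the two ideas above: Alan's "allow a fixed set of destination IPs, deny everything else to the web ports" and Grant's plan to run the filter on the restricted host itself so that the iptables owner match can tell root (portage) apart from the Firefox login. The user name "kiosk", the chain name WEB_FILTER and the two documentation-range addresses 192.0.2.10 and 198.51.100.20 (standing in for the IPs you get from dig for the two sites) are placeholders chosen for the example.

```bash
#!/bin/sh
# Host-local outbound web filter for the thread's scenario (example code):
#   - root (uid 0, i.e. portage fetching distfiles or syncing) may reach any
#     web server
#   - one unprivileged login (the Firefox user) may reach only the allow-listed
#     destination IPs on 80/443
#   - every other new outbound 80/443 connection from that user is rejected
# The owner match only sees packets generated by a local socket, which is why
# this belongs in the OUTPUT chain of the restricted machine: on the router the
# traffic passes through FORWARD and carries no uid at all.

# Assumed names for the example; override from the environment if you like.
RESTRICTED_USER="${RESTRICTED_USER:-kiosk}"
ALLOWED_IPS="${ALLOWED_IPS:-192.0.2.10 198.51.100.20}"
WEB_PORTS="80,443"

# Print the rule set as plain iptables commands, one per line, so it can be
# reviewed (or asserted on) without touching the live tables.
emit_rules() {
    user="$1"; shift
    ips="$*"
    echo "iptables -N WEB_FILTER"
    # Only new connections to the web ports are sent through the filter chain;
    # replies and established flows are left alone.
    echo "iptables -A OUTPUT -p tcp -m multiport --dports $WEB_PORTS -m conntrack --ctstate NEW -j WEB_FILTER"
    # root is exempt so portage can fetch from any mirror.
    echo "iptables -A WEB_FILTER -m owner --uid-owner 0 -j RETURN"
    # The restricted user may reach the allow-listed addresses only.
    for ip in $ips; do
        echo "iptables -A WEB_FILTER -d $ip -m owner --uid-owner $user -j RETURN"
    done
    # Anything else from that user to 80/443 is refused with a TCP RST, so the
    # browser reports "connection refused" instead of hanging on a DROP.
    echo "iptables -A WEB_FILTER -m owner --uid-owner $user -j REJECT --reject-with tcp-reset"
}

# How many destinations the generated rule set allows for the restricted user.
count_allowed() {
    emit_rules "$@" | grep -c '^iptables -A WEB_FILTER -d '
}

# Load the rules for real: needs root and the owner, multiport and conntrack
# match modules in the kernel.
apply_rules() {
    emit_rules "$RESTRICTED_USER" $ALLOWED_IPS | sh -e
}

case "${1:-}" in
    apply) apply_rules ;;
    show|"") emit_rules "$RESTRICTED_USER" $ALLOWED_IPS ;;
esac
```

Run it as `./webfilter.sh show` to review the rules and `./webfilter.sh apply` (as root) to load them. Two caveats a practitioner would want to remember: the allow-list is by IP, so if the two sites change addresses the rules have to be regenerated from a fresh dig; and only 80/443 are filtered, so a user who can pick another port (or another user account) is outside this rule set, which matches the thread's scope of "websites in Firefox" rather than full egress control. On older kernels without the conntrack match, `-m state --state NEW` is the equivalent.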