diff --git a/Shorewall-docs/UserSets.xml b/Shorewall-docs/UserSets.xml new file mode 100644 index 000000000..b4ba9266d --- /dev/null +++ b/Shorewall-docs/UserSets.xml @@ -0,0 +1,207 @@ + + +
+ + Controlling Output Traffic by UID/GID + + + + Tom + + Eastep + + + + 2003-09-19 + + + 2003 + + Thomas M. Eastep + + + + Permission is granted to copy, distribute and/or modify this + document under the terms of the GNU Free Documentation License, Version + 1.2 or any later version published by the Free Software Foundation; with + no Invariant Sections, with no Front-Cover, and with no Back-Cover + Texts. A copy of the license is included in the section entitled "GNU Free Documentation License". + + + +
+ Overview + + This capability was added in Shorewall release 1.4.7. + + Netfilter provides the capability to filter packets generated on the + firewall system by User Id and/or Group Id. Shorewall provides two + separate but related ways to use this Netfilter capability: + + + + Shorewall allows you to define collections of users called "User Sets" and then to restrict certain + rules in /etc/shorewall/rules to a given User Set. + + + + Shorewall also allows you to restrict a given rule to a particular user and/or group. + + + + Since only packets created by programs running on the Shorewall box + itself, only rules whose SOURCE is the firewall ($FW) may be restricted + using either of the facilities. +
+ +
+ User Sets + + Given the way that this facility is implemented in Shorewall, it is + not possible to control logging of individual rules using a User Set and + logging is rather specified on the User Set itself. + + User Sets are defined in the /etc/shorewall/usersets file. Columns + in that file include: + + + + USERSET + + + The name of a User Set. Must be a legal shell identifier of no + more than six (6) characters in length. + + + + + REJECT + + + Log level for connections rejected for this User Set. + + + + + ACCEPT + + + Log level for connections accepted for this User Set. + + + + + DROP + + + Log level for connections dropped for this User Set. + + + + + In the REJECT and ACCEPT columns, if you don't want to specify a + value in the column but you want to specify a value in a following column, + you may enter "-". + + Users and/or groups are added to User Sets using the + /etc/shorewall/users file. Columns in that file are: + + + + USERSET + + + The name of a User Set defined in /etc/shorewall/usersets. + + + + + USER + + + The name of a user defined on the system or a user number. + + + + + GROUP + + + The name of a group defined on the system or a number. + + + + + Only one of the USER and GROUP column needs to be non-empty. If you + wish to specify a GROUP but not a USER, enter "-" in the user + column. + + If both USER and GROUP are specified then only programs running + under that USER:GROUP pair will match rules specifying the User Set named + in the USERSET column. + + Once a user set has been defined, its name may be placed in the USER + SET column of the /etc/shorewall/rules file. + + + When the name of a user set is given in the USER SET column, you + may not include a log level in the ACTION column; logging of such rules + is governed solely by the user set's definition in the + /etc/shorewall/userset file. + + + + You want members of the 'admin' group and 'root' + to be able to use ssh on the firewall to connect to local systems. 
You + want to log all connections accepted for these users using syslog at the + 'info' level. + + /etc/shorewall/usersets + + #USERSET REJECT ACCEPT DROP +admins - info + + /etc/shorewall/users + + #USERSET USER GROUP +admins - admin +admins root + + /etc/shorewall/rules + + #ACTION SOURCE DESTINATION PROTO PORT SOURCE ORIGINAL RATE USER +# PORT(S) DESTINATION SET + +ACCEPT $FW loc tcp 22 - - - admins + +
+ +
+ Restricting a rule to a particular user and/or group + + In cases where you may want to restrict a rule to a particular user + and/or group, the USER SET column in the rules file may be specified as: + + [ <user name or number> ] : [ <group name or number> ] + + When a user and/or group name is given in the USER SET column, it is + OK to specify a log level in the ACTION column. + + + You want user <emphasis role="bold">mail</emphasis> to be able to + send email from the firewall to the local net zone + + /etc/shorewall/rules (be sure to note the ":" in the USER + SET column entry). + + #ACTION SOURCE DESTINATION PROTO PORT SOURCE ORIGINAL RATE USER +# PORT(S) DESTINATION SET + +ACCEPT $FW loc tcp 25 - - - mail: + +
+
\ No newline at end of file
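Review bot: the Overview sentence "Since only packets created by programs running on the Shorewall box itself, only rules whose SOURCE is the firewall ($FW) may be restricted using either of the facilities" has lost its main clause; suggest "Since only packets created by programs running on the Shorewall box itself have an associated User Id/Group Id, only rules whose SOURCE is the firewall ($FW) may be restricted using either of the facilities." Two smaller points in the same file: the warning paragraph in the User Sets section says logging "is governed solely by the user set's definition in the /etc/shorewall/userset file", while the file is named /etc/shorewall/usersets everywhere else in the document, so one of the two should be corrected; and the second example's parenthetical "(be sure to note the ':' in the USER SET column entry)" hints at why the colon matters but never says so. Since a bare name in the USER SET column is documented above as a User Set name, it would help the reader to state that an entry such as "mail" (no colon) is looked up as a User Set rather than a system user, so that a dropped colon selects a different match than intended. Also, "Only one of the USER and GROUP column needs to be non-empty" should read "columns".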