Controlling Output Traffic by UID/GID Tom Eastep 2003-09-19 2003 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".
Overview This capability was added in Shorewall release 1.4.7. Netfilter provides the capability to filter packets generated on the firewall system by User Id and/or Group Id. Shorewall provides two separate but related ways to use this Netfilter capability: Shorewall allows you to define collections of users called "User Sets" and then to restrict certain rules in /etc/shorewall/rules to a given User Set. Shorewall also allows you to restrict a given rule to a particular user and/or group. Since only packets created by programs running on the Shorewall box itself, only rules whose SOURCE is the firewall ($FW) may be restricted using either of the facilities.
User Sets Given the way that this facility is implemented in Shorewall, it is not possible to control logging of individual rules using a User Set and logging is rather specified on the User Set itself. User Sets are defined in the /etc/shorewall/usersets file. Columns in that file include: USERSET The name of a User Set. Must be a legal shell identifier of no more than six (6) characters in length. REJECT Log level for connections rejected for this User Set. ACCEPT Log level for connections accepted for this User Set. DROP Log level for connections dropped for this User Set. In the REJECT and ACCEPT columns, if you don't want to specify a value in the column but you want to specify a value in a following column, you may enter "-". Users and/or groups are added to User Sets using the /etc/shorewall/users file. Columns in that file are: USERSET The name of a User Set defined in /etc/shorewall/usersets. USER The name of a user defined on the system or a user number. GROUP The name of a group defined on the system or a number. Only one of the USER and GROUP column needs to be non-empty. If you wish to specify a GROUP but not a USER, enter "-" in the user column. If both USER and GROUP are specified then only programs running under that USER:GROUP pair will match rules specifying the User Set named in the USERSET column. Once a user set has been defined, its name may be placed in the USER SET column of the /etc/shorewall/rules file. When the name of a user set is given in the USER SET column, you may not include a log level in the ACTION column; logging of such rules is governed solely by the user set's definition in the /etc/shorewall/userset file. You want members of the 'admin' group and 'root' to be able to use ssh on the firewall to connect to local systems. You want to log all connections accepted for these users using syslog at the 'info' level. /etc/shorewall/usersets #USERSET REJECT ACCEPT DROP admins - info /etc/shorewall/users #USERSET USER GROUP admins - admin admins root /etc/shorewall/rules #ACTION SOURCE DESTINATION PROTO PORT SOURCE ORIGINAL RATE USER # PORT(S) DESTINATION SET ACCEPT $FW loc tcp 22 - - - admins
Restricting a rule to a particular user and/or group In cases where you may want to restrict a rule to a particular user and/or group, the USER SET column in the rules file may be specified as: [ <user name or number> ] : [ <group name or number> ] When a user and/or group name is given in the USER SET column, it is OK to specify a log level in the ACTION column. You want user <emphasis role="bold">mail</emphasis> to be able to send email from the firewall to the local net zone /etc/shorewall/rules (be sure to note the ":" in the USER SET column entry). #ACTION SOURCE DESTINATION PROTO PORT SOURCE ORIGINAL RATE USER # PORT(S) DESTINATION SET ACCEPT $FW loc tcp 25 - - - mail: