Controlling Output Traffic by UID/GIDTomEastep2003-09-192003Thomas M. EastepPermission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".OverviewThis capability was added in Shorewall release 1.4.7.Netfilter provides the capability to filter packets generated on the
firewall system by User Id and/or Group Id. Shorewall provides two
separate but related ways to use this Netfilter capability:Shorewall allows you to define collections of users called "User Sets" and then to restrict certain
rules in /etc/shorewall/rules to a given User Set.Shorewall also allows you to restrict a given rule to a particular user and/or group.Since only packets created by programs running on the Shorewall box
itself, only rules whose SOURCE is the firewall ($FW) may be restricted
using either of the facilities.User SetsGiven the way that this facility is implemented in Shorewall, it is
not possible to control logging of individual rules using a User Set and
logging is rather specified on the User Set itself.User Sets are defined in the /etc/shorewall/usersets file. Columns
in that file include:USERSETThe name of a User Set. Must be a legal shell identifier of no
more than six (6) characters in length.REJECTLog level for connections rejected for this User Set.ACCEPTLog level for connections accepted for this User Set.DROPLog level for connections dropped for this User Set.In the REJECT and ACCEPT columns, if you don't want to specify a
value in the column but you want to specify a value in a following column,
you may enter "-".Users and/or groups are added to User Sets using the
/etc/shorewall/users file. Columns in that file are:USERSETThe name of a User Set defined in /etc/shorewall/usersets.USERThe name of a user defined on the system or a user number.GROUPThe name of a group defined on the system or a number.Only one of the USER and GROUP column needs to be non-empty. If you
wish to specify a GROUP but not a USER, enter "-" in the user
column.If both USER and GROUP are specified then only programs running
under that USER:GROUP pair will match rules specifying the User Set named
in the USERSET column.Once a user set has been defined, its name may be placed in the USER
SET column of the /etc/shorewall/rules file.When the name of a user set is given in the USER SET column, you
may not include a log level in the ACTION column; logging of such rules
is governed solely by the user set's definition in the
/etc/shorewall/userset file. You want members of the 'admin' group and 'root'
to be able to use ssh on the firewall to connect to local systems. You
want to log all connections accepted for these users using syslog at the
'info' level./etc/shorewall/usersets#USERSET REJECT ACCEPT DROP
admins - info/etc/shorewall/users#USERSET USER GROUP
admins - admin
admins root/etc/shorewall/rules#ACTION SOURCE DESTINATION PROTO PORT SOURCE ORIGINAL RATE USER
# PORT(S) DESTINATION SET
ACCEPT $FW loc tcp 22 - - - adminsRestricting a rule to a particular user and/or groupIn cases where you may want to restrict a rule to a particular user
and/or group, the USER SET column in the rules file may be specified as:[ <user name or number> ] : [ <group name or number> ]When a user and/or group name is given in the USER SET column, it is
OK to specify a log level in the ACTION column. You want user mail to be able to
send email from the firewall to the local net zone/etc/shorewall/rules (be sure to note the ":" in the USER
SET column entry).#ACTION SOURCE DESTINATION PROTO PORT SOURCE ORIGINAL RATE USER
# PORT(S) DESTINATION SET
ACCEPT $FW loc tcp 25 - - - mail: