Controlling Output Traffic by UID/GID
This capability was added in Shorewall release 1.4.7.

Netfilter provides the capability to filter packets generated on the firewall system by User Id and/or Group Id. Shorewall provides two separate but related ways to use this Netfilter capability:
  1. Shorewall allows you to define collections of users called "User Sets" and then to restrict certain rules in /etc/shorewall/rules to a given User Set.
  2. Shorewall also allows you to restrict a given rule to a particular user and/or group.
Since only packets created by programs running on the Shorewall box itself, only rules whose SOURCE is the firewall ($FW) may be restricted using either of the facilities.

User Sets

Given the way that this facility is implemented in Shorewall, it is not possible to control logging of individual rules using a User Set and logging is rather specified on the User Set itself.

User Sets are defined in the /etc/shorewall/usersets file. Columns in that file include:

USERSET            The name of a User Set. Must be a legal shell identifier of no more than six (6) characters in length.
REJECT               Log level for connections rejected for this User Set.
ACCEPT              Log level for connections accepted for this User Set.
DROP                  Log level for connections dropped for this User Set.

In the REJECT and ACCEPT columns, if you don't want to specify a value in the column but you want to specify a value in a following column, you may enter "-".

Users and/or groups are added to User Sets using the /etc/shorewall/users file. Columns in that file are:

USERSET            The name of a User Set defined in /etc/shorewall/usersets.
USER                  The name of a user defined on the system or a user number.
GROUP               The name of a group defined on the system or a number.

Only one of the USER and GROUP column needs to be non-empty. If you wish to specify a GROUP but not a USER, enter "-" in the user column.

If both USER and GROUP are specified then only programs running under that USER:GROUP pair will match rules specifying the User Set named in the USERSET column.

Once a user set has been defined, its name may be placed in the USER SET column of the /etc/shorewall/rules file. IMPORTANT: When the name of a user set is given in the USER SET column, you may not include a log level in the ACTION column; logging of such rules is governed solely by the user set's definition in the /etc/shorewall/userset file.

Example: You want members of the 'admin' group and 'root' to be able to use ssh on the firewall to connect to local systems. You want to log all connections accepted for these users using syslog at the 'info' level.

/etc/shorewall/usersets

#USERSET	REJECT	ACCEPT	DROP
admins		-	info

/etc/shorewall/users

#USERSET	USER		GROUP
admins		-		admin
admins		root
/etc/shorewall/rules
#ACTION	SOURCE	DESTINATION	PROTO	PORT	SOURCE	ORIGINAL	RATE	USER
#						PORT(S)	DESTINATION		SET

ACCEPT	$FW	loc		tcp	22	-	-		-	admins

Restricting a rule to a particular user and/or group

In cases where you may want to restrict a rule to a particular user and/or group, the USER SET column in the rules file may be specified as:

[ <user name or number> ] : [ <group name or number> ]

When a user and/or group name is given in the USER SET column, it is OK to specify a log level in the ACTION column.

Example: You want user mail to be able to send email from the firewall to the local net zone

/etc/shorewall/rules (be sure to note the ":" in the USER SET column entry).
#ACTION	SOURCE	DESTINATION	PROTO	PORT	SOURCE	ORIGINAL	RATE	USER
#						PORT(S)	DESTINATION		SET

ACCEPT	$FW	loc		tcp	25	-	-		-	mail:

Last updated 9/19/2003 - Tom Eastep

Copyright © 2003 Thomas M. Eastep.