From 06516f33b5408573d7750e9410d639b29c89cd6c Mon Sep 17 00:00:00 2001 From: mhnoyes Date: Wed, 24 Dec 2003 19:52:47 +0000 Subject: [PATCH] Content moved to UserSets.xml git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@939 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-docs/UserSets.html | 141 ----------------------------------- 1 file changed, 141 deletions(-) delete mode 100755 Shorewall-docs/UserSets.html diff --git a/Shorewall-docs/UserSets.html b/Shorewall-docs/UserSets.html deleted file mode 100755 index 33b457072..000000000 --- a/Shorewall-docs/UserSets.html +++ /dev/null @@ -1,141 +0,0 @@ - - - - - - - - Controlling Traffic by UID/GID - - - - - - - - - -
-

Controlling Output -Traffic by UID/GID
-

-
-This capability was added in Shorewall release -1.4.7.
-
-Netfilter provides the capability to filter packets generated on the -firewall system by User Id and/or Group Id. Shorewall provides two -separate but related ways to use this Netfilter capability:
-
    -
  1. Shorewall allows you to -define collections of users called "User Sets" -and then to restrict -certain rules in /etc/shorewall/rules to a given User Set.
  2. -
  3. Shorewall also allows you to restrict a given rule - to a particular user and/or group.
    -
  4. -
-Since only packets created by programs running on the Shorewall box -itself, only rules whose SOURCE is the firewall ($FW) may be restricted -using either of the facilities.
-

User Sets
-

-Given the way that this facility is implemented in Shorewall, it is not -possible to control logging of individual rules using a User Set and -logging is rather specified on the User Set itself.
-
-User Sets are defined in the /etc/shorewall/usersets file. Columns in -that file include:
-
-
USERSET      -      The name of a User Set. Must be a legal -shell -identifier of no more than six (6) characters in length.
-REJECT               -Log level for connections rejected for this User Set.
-ACCEPT              Log -level for connections accepted for this User Set.
-DROP               -   Log level for connections dropped for this User Set.
-
-
-In the REJECT and ACCEPT columns, if you don't want to specify a value -in the column but you want to specify a value in a following column, -you may enter "-".
-
-Users and/or groups are added to User Sets using the -/etc/shorewall/users file. Columns in that file are:
-
-
USERSET      -      The name of a User Set defined in -/etc/shorewall/usersets.
-USER               -   The name of a user defined on the system or a user number.
-GROUP               -The name of a group defined on the system or a number.
-
-

Only one of the USER and GROUP -column needs to be non-empty. If you wish to specify a GROUP but not a -USER, enter "-" in the user column.
-

-

If both USER and GROUP are -specified then only programs running under that USER:GROUP pair will -match rules specifying the User Set named in the USERSET column.
-

-

Once a user set has been defined, its name may be -placed in the USER SET column of the /etc/shorewall/rules file. IMPORTANT: -When -the name of a user set is given in the USER SET column, you may not -include a log level in the ACTION column; logging of such rules is -governed solely by the user set's definition in the -/etc/shorewall/userset file. -

-

Example: You want members of the -'admin' group and 'root' to be able to use ssh on the firewall to -connect to local systems. You want to log all connections accepted for -these users using syslog at the 'info' level.
-

-
-

/etc/shorewall/usersets

-
-
#USERSET	REJECT	ACCEPT	DROP
admins - info
-
-

/etc/shorewall/users
-

-
-
#USERSET	USER		GROUP
admins - admin
admins root
-
/etc/shorewall/rules
-
-
#ACTION	SOURCE	DESTINATION	PROTO	PORT	SOURCE	ORIGINAL	RATE	USER
# PORT(S) DESTINATION SET

ACCEPT $FW loc tcp 22 - - - admins
-

Restricting a rule to a particular user and/or -group
-

-In cases where you may want to restrict a rule to a particular user -and/or group, the USER SET column in the rules file may be specified as:
-
-
[ <user -name or number> ] : [ <group -name or number> ]
-

-
-
-When a user and/or group name is given in the USER SET column, it is OK -to specify a log level in the ACTION column.
-
-Example: You want user mail to -be able to send email from the firewall to the local net zone
-
-
/etc/shorewall/rules (be sure to note -the ":" in the USER SET column entry).
-
#ACTION	SOURCE	DESTINATION	PROTO	PORT	SOURCE	ORIGINAL	RATE	USER
# PORT(S) DESTINATION SET

ACCEPT $FW loc tcp 25 - - - mail:
-
-

Last updated 9/19/2003 - Tom Eastep

-

Copyright2003 Thomas M. Eastep.

- -
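Review bot: the commit message says the content was moved to UserSets.xml, but the diffstat shows only one file changed with 141 deletions, so the destination file is not part of this change and the move cannot be verified from the patch alone. Either commit the UserSets.xml addition together with this deletion or cite the revision that added it in the message, and check that any other docs pages that link to UserSets.html are updated, otherwise the UID/GID filtering documentation (including the note that a rule using a user set may not carry a log level in the ACTION column) becomes unreachable from the rendered docs.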