[Firehol-support] Blocking outgoing on user

Marcus Williams marcus at quintic.co.uk
Tue May 3 11:18:17 BST 2005


Hi -

Currently at the end of my server firehol script I have:

client all accept

Not good. So what I'm doing is gradually moving away from this and
blocking outgoing services based on the user. The first thing I tried was:

client all accept user not www-data

... which I hoped would block outgoing connections by the apache user,
which in turn should stop/hinder the kiddies downloading their toys.

Unfortunately this produces errors, as does:

client all accept uid not 33

The errors are (1-5 are pretty much the same):

> ERROR   : # 1.
> WHAT    : A runtime command failed to execute (returned error 1).
> SOURCE  : line 31 of /etc/firehol/firehol.conf
> COMMAND : /sbin/iptables -t filter -A out_internet_all_c13.1 -m owner --uid-owner 33 -j RETURN
> OUTPUT  :
> 
> iptables: No chain/target/match by that name

Do I need something enabled in the kernel for this? This is firehol
v1.231-1 (debian package versioning).

Thanks

Marcus

-- 
Marcus Williams -- http://www.cad-schroer.co.uk
CAD Schroer UK, 39 Newnham Road, Cambridge, UK
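The "No chain/target/match by that name" message is iptables reporting that the kernel has no `owner` match extension to back the `-m owner --uid-owner` rule firehol generated for `user`/`uid`. The script below is an added example (not from the post or from firehol) that checks for that extension from the loaded-module list and kernel config; it assumes the module is named `ipt_owner` (older 2.6 kernels) or `xt_owner` (later kernels) and the config symbols `CONFIG_IP_NF_MATCH_OWNER` / `CONFIG_NETFILTER_XT_MATCH_OWNER`.

```shell
#!/bin/sh
# Report whether the iptables "owner" match (needed by firehol's
# "user"/"uid" client parameters) is usable on this kernel.
#
# owner_match_status MODULES CONFIG
#   MODULES: text of /proc/modules (or lsmod output)
#   CONFIG : text of the kernel config (e.g. /boot/config-$(uname -r))
# Prints one of: loaded | builtin | module-not-loaded | missing
# Exit code: 0 = match available, 2 = compiled as a module but not
# loaded (try: modprobe xt_owner || modprobe ipt_owner), 1 = not built.
owner_match_status() {
  modules="$1"
  config="$2"
  # Module name is the first field of each /proc/modules or lsmod line.
  if printf '%s\n' "$modules" | grep -Eq '^(ipt_owner|xt_owner)[[:space:]]'; then
    echo loaded
    return 0
  fi
  if printf '%s\n' "$config" \
      | grep -Eq '^CONFIG_(IP_NF_MATCH_OWNER|NETFILTER_XT_MATCH_OWNER)=y'; then
    echo builtin
    return 0
  fi
  if printf '%s\n' "$config" \
      | grep -Eq '^CONFIG_(IP_NF_MATCH_OWNER|NETFILTER_XT_MATCH_OWNER)=m'; then
    echo module-not-loaded
    return 2
  fi
  echo missing
  return 1
}

# Convenience wrapper that reads the live system files when they exist.
# Run as root before enabling "client ... user not www-data" in firehol.conf.
live_owner_match_status() {
  mods=""
  cfg=""
  [ -r /proc/modules ] && mods=$(cat /proc/modules)
  [ -r "/boot/config-$(uname -r)" ] && cfg=$(cat "/boot/config-$(uname -r)")
  owner_match_status "$mods" "$cfg"
}
```

A result of `module-not-loaded` matches the symptom in the post: firehol's rule is syntactically fine, the kernel side is simply absent until the module is loaded.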
