[Firehol-support] Problems with "uid" rule parameter

Philipp Richter philipp at ist.org
Wed Mar 25 16:57:07 CET 2009


Hi,

I'm trying to use the "uid" rule parameter, but without success so far.
I am doing something like this (example 2 in the documentation for
"uid"):

version 5
interface eth0 inet src not "$UNROUTABLE_IPS"
        protection strong
        server http accept user www-data
        ...

This does not work. The outgoing SYN/ACK packet is blocked by the
firewall. Turning debugging output on reveals the reason for this:

FIREHOL_LOG_OPTIONS="--log-uid"
interface ...
        server http accept log "DBG_HTTP"

Mar 25 15:46:20 dropzone kernel: [2787202.549682] 'FIREHOL:
DBG_HTTP:'IN= OUT=eth0 SRC=212.69.161.119 DST=212.69.161.120 LEN=60
TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=51064 WINDOW=5792
RES=0x00 ACK SYN URGP=0 UID=0 GID=0

It seems the SYN/ACK packet is sent as user root (UID=0), so this
packet is blocked. On later packets from that connection the UID is set
correctly (UID=33 in my case):

Mar 25 15:46:20 dropzone kernel: [2787202.549682] 'FIREHOL:
DBG_HTTP:'IN= OUT=eth0 SRC=212.69.161.119 DST=212.69.161.120 LEN=647
TOS=0x00 PREC=0x00 TTL=64 ID=47530 DF PROTO=TCP SPT=80 DPT=51064
WINDOW=91 RES=0x00 ACK PSH URGP=0 UID=33 GID=33

This machine runs Debian Etch with the Debian stock kernel (2.6.26-1-686).

Cheers,
Philipp
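An added example, not part of the original post or of FireHOL itself: a small POSIX shell/awk filter that reads netfilter LOG lines written with `--log-uid` (the format shown above) and separates SYN+ACK packets carrying UID=0 from root-owned data packets and from packets attributed to an unprivileged server uid. The sample log is constructed (the first two lines mirror the post, the third is invented for contrast), and the class names are this example's own.

```shell
# Constructed sample of kernel LOG lines (format of the post, with --log-uid).
sample_log() {
    cat <<'EOF'
Mar 25 15:46:20 dropzone kernel: [2787202.549682] 'FIREHOL: DBG_HTTP:'IN= OUT=eth0 SRC=212.69.161.119 DST=212.69.161.120 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=51064 WINDOW=5792 RES=0x00 ACK SYN URGP=0 UID=0 GID=0
Mar 25 15:46:20 dropzone kernel: [2787202.549682] 'FIREHOL: DBG_HTTP:'IN= OUT=eth0 SRC=212.69.161.119 DST=212.69.161.120 LEN=647 TOS=0x00 PREC=0x00 TTL=64 ID=47530 DF PROTO=TCP SPT=80 DPT=51064 WINDOW=91 RES=0x00 ACK PSH URGP=0 UID=33 GID=33
Mar 25 15:47:02 dropzone kernel: [2787244.123456] 'FIREHOL: DBG_HTTP:'IN= OUT=eth0 SRC=212.69.161.119 DST=212.69.161.121 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=77 DF PROTO=TCP SPT=80 DPT=40000 WINDOW=91 RES=0x00 ACK PSH URGP=0 UID=0 GID=0
EOF
}

# Read LOG lines on stdin, print one summary per TCP packet:
#   SRC:SPT -> DST:DPT flags=... uid=... class=...
# class "synack-root": SYN+ACK attributed to UID 0, i.e. the handshake reply
#   of a passive open, which the owner match does not credit to the server uid
#   (the situation reported in the post);
# class "data-root": any other packet attributed to UID 0;
# class "data-user": packet attributed to an unprivileged uid.
classify_log() {
    awk '
    /PROTO=TCP/ {
        src = ""; dst = ""; spt = ""; dpt = ""; uid = ""; syn = 0; ack = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DST=/) dst = substr($i, 5)
            else if ($i ~ /^SPT=/) spt = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            else if ($i ~ /^UID=/) uid = substr($i, 5)
            else if ($i == "SYN") syn = 1
            else if ($i == "ACK") ack = 1
        }
        if (uid == "") next   # logged without --log-uid: nothing to attribute
        flags = (syn ? "SYN" : "") (syn && ack ? "+" : "") (ack ? "ACK" : "")
        if (syn && ack && uid == "0") class = "synack-root"
        else if (uid == "0") class = "data-root"
        else class = "data-user"
        printf "%s:%s -> %s:%s flags=%s uid=%s class=%s\n", src, spt, dst, dpt, flags, uid, class
    }'
}

# Count packets of one class on stdin, e.g.: sample_log | count_class synack-root
count_class() {
    classify_log | grep -c "class=$1\$"
}
```

Run `sample_log | classify_log` to see each packet labelled; on a live box, feed `grep FIREHOL /var/log/kern.log` instead of `sample_log`.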