[Firehol-support] Blocking outgoing request based on user + IP/host restriction
marcus at quintic.co.uk
Mon Jul 26 15:35:00 BST 2010
Hi -
I've had a lot of success blocking all outgoing client requests from the
apache user (www-data) using firehol. I have the following line in my
firehol conf:
client all accept user not www-data
This blocks all outgoing requests from things like PHP code etc.
Whilst I like this setup, it's a little too restrictive and I'd like to
open it up to allow access to a few API hosts (PayPal for instance). I
thought just adding the following line above the www-data restriction
would do this:
client all accept dst "www.paypal.com DNSIP1 DNSIP2"
client all accept user not www-data
So I was expecting this to allow all requests to my DNS hosts and PayPal
(even if they are from the www-data user), but block all other requests
from the www-data user. It doesn't appear to do this though.
Is there an easy way to do what I want?
Thanks
Marcus
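The setup described above, written out as an added FireHOL 1.x config fragment that is not from the original thread: the www-data exceptions are listed first and narrowed to the services actually needed, and the catch-all for other users comes last. DNSIP1/DNSIP2 and the server list are placeholders, not values from the post.

```firehol
version 5

interface any world
    policy drop
    protection strong

    # Inbound services this box answers (placeholder list, adjust to taste)
    server "http https ssh" accept

    # Narrow egress exceptions for the web server user, placed BEFORE the
    # catch-all so they match first: name resolution only to the configured
    # resolvers (DNSIP1/DNSIP2 are placeholders) and HTTPS only to the API host.
    client dns   accept dst "DNSIP1 DNSIP2" user www-data
    client https accept dst "www.paypal.com" user www-data

    # Everything else outbound is allowed for every user except www-data;
    # anything from www-data that did not match above falls to the drop policy.
    client all accept user not www-data
```

Hostnames in `dst` are resolved once when firehol starts, so a host that answers with several changing addresses may not match at request time; checking the generated rules with `iptables -L -v -n` after `firehol start` shows which addresses were actually used.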