[Firehol-support] Blocking outgoing request based on user + IP/host restriction

marcus at quintic.co.uk marcus at quintic.co.uk
Mon Jul 26 15:35:00 BST 2010

Hi -

I've had a lot of success blocking all outgoing client requests from the 
apache user (www-data) using firehol. I have the following line in my 
firehol conf:

client all accept user not www-data

This blocks all outgoing requests from things like PHP code etc.

Whilst I like this setup, its a little too restrictive and I'd like to 
open it up to allow access to a few api hosts (paypal for instance). I 
thought just adding the following line above the www-data restriction 
would do this:

client all accept dst "www.paypal.com DNSIP1 DNSIP2"
client all accept user not www-data

So I was expecting this to allow all requests to my DNS hosts and paypal 
(even if they are from the www-data user), but block all other requests 
from the www-data user. It doesnt appear to do this though.

Is there an easy way to do what I want?



More information about the Firehol-support mailing list