On Fri, Dec 16, 2022 at 01:27:15PM +0000, Mark Dixon wrote:
> Hi all,
> 
> I'm having a play with shorewall rules, specifically using the USER column
> to restrict access to a local port. If I have a rule like this...
> 
>   DROP:info fw fw tcp 1332 - - - !foo - - - - - -
> 
> ...then only local user foo can connect to 1332/tcp on the server's normal
> IP address. However, the rule isn't matched if they try the loopback address
> instead. This isn't quite what I wanted!
> 
> I tried creating a zone of type loopback with appropriate policies and
> rules, but shorewall aborted with:
> 
>   ERROR: USER/GROUP may only be specified when the SOURCE zone is $FW /etc/shorewall/rules

That limitation isn't due to shorewall but rather networking in general.
You can't know and certainly couldn't trust the username from a remote
system (like "identd"), and loopback has the same limitation.

> Any ideas on how to handle this in shorewall, short of fiddling with the
> application to make sure it doesn't bind to the loopback interface, please?

You could drop packets directed to fw:1332

-- 
Justin
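
The constraint behind the error message above, as an added example that is not part of the thread: a small Python linter for `/etc/shorewall/rules` lines that flags a USER/GROUP entry whose SOURCE zone is not the firewall zone. It assumes the 15-column layout of the rule quoted in the thread, that the firewall zone is written as `fw` or `$FW`, and uses a hypothetical loopback zone named `loop` in its constructed sample.

```python
COLUMNS = ["ACTION", "SOURCE", "DEST", "PROTO", "DPORT", "SPORT", "ORIGDEST",
           "RATE", "USER", "MARK", "CONNLIMIT", "TIME", "HEADERS", "SWITCH", "HELPER"]
FW_ZONE_NAMES = {"fw", "$FW"}  # assumption: default firewall zone name or its variable


def parse_rule(line):
    """Split one rules line into a column dict; missing trailing columns become '-'."""
    fields = line.split()
    if len(fields) > len(COLUMNS):
        raise ValueError("too many columns: %r" % line)
    fields += ["-"] * (len(COLUMNS) - len(fields))
    return dict(zip(COLUMNS, fields))


def source_zone(source):
    """Zone part of a SOURCE entry such as 'fw', 'loc:192.0.2.0/24' or 'net:!10.0.0.0/8'."""
    return source.split(":", 1)[0]


def user_column_error(rule):
    """Return an error string if USER/GROUP is set for a non-$FW SOURCE zone, else None."""
    if rule["USER"] == "-":
        return None
    if source_zone(rule["SOURCE"]) in FW_ZONE_NAMES:
        return None
    return "USER/GROUP may only be specified when the SOURCE zone is $FW"


def lint_rules(text):
    """Lint a rules file body; returns (line_number, message) for each offending rule."""
    problems = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or line.startswith("?"):  # skip compiler directives such as ?FORMAT
            continue
        error = user_column_error(parse_rule(line))
        if error:
            problems.append((number, error))
    return problems


# Constructed sample: the rule from the thread, then the same rule written from a
# hypothetical loopback zone "loop", which the compiler rejects.
SAMPLE_RULES = """\
#ACTION    SOURCE  DEST  PROTO  DPORT  SPORT  ORIGDEST  RATE  USER
DROP:info  fw      fw    tcp    1332   -      -         -     !foo
DROP:info  loop    fw    tcp    1332   -      -         -     !foo
ACCEPT     loc     fw    tcp    22
"""

if __name__ == "__main__":
    for number, message in lint_rules(SAMPLE_RULES):
        print("line %d: ERROR: %s" % (number, message))
```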


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users