On Fri, Dec 16, 2022 at 01:27:15PM +0000, Mark Dixon wrote:
> Hi all,
>
> I'm having a play with shorewall rules, specifically using the USER column
> to restrict access to a local port. If I have a rule like this...
>
> DROP:info fw fw tcp 1332 - - - !foo - - - - - -
>
> ...then only local user foo can connect to 1332/tcp on the server's normal
> IP address. However, the rule isn't matched if they try the loopback address
> instead. This isn't quite what I wanted!
>
> I tried creating a zone of type loopback with appropriate policies and
> rules, but shorewall aborted with:
>
> ERROR: USER/GROUP may only be specified when the SOURCE zone is $FW
> /etc/shorewall/rules
That limitation isn't due to shorewall but rather networking in general. You
can't know and certainly couldn't trust the username from a remote system
(like "identd"), and loopback has the same limitation.

> Any ideas on how to handle this in shorewall, short of fiddling with the
> application to make sure it doesn't bind to the loopback interface, please?

You could drop packets directed to fw:1332

--
Justin