>>> >> That sounds good, how can I do that?
>>> >
>>> > iptables module "owner" handles that stuff, just "man iptables" if
>>> > you'll have any trouble.
>>> >
>>> >  iptables -A OUTPUT -p tcp -m owner --uid-owner someuser -m tcp --dport http -j REJECT
>>>
>>> I brought this to the shorewall list for config advice, but I was told:
>>>
>>> a) NO PACKET FILTERING FIREWALL (which includes Shorewall) has any
>>> notion of domains. So filtering by domain is a non-starter.
>>>
>>> b) When referring to packet filters, filtering by user id (e.g., root)
>>> can only be done for connections originating from the firewall. See "man
>>> shorewall-rules" and read about the USER/GROUP column.
>>>
>>> Here was my original request:
>>>
>>> I'd like to restrict the websites one of the computers on my network
>>> can access in Firefox.  It only needs to access 2 different domain
>>> names and I don't want it to be able to access any others.  I can
>>> restrict it at the router if necessary because the router is a Gentoo
>>> system.
>>>
>>> I think this leaves a squid proxy setup as my only option?
>>
>> Restrict by source AND destination IP
>>
>> This requires only that the computer in question has a static IP or a
>> permanent lease (so you always know what it is), and you know the IP of the
>> web sites to be accessed (dig is a very good friend). Allow these, deny
>> everything else to destination port 80.
>
> That sounds good, but I won't be able to fetch all updates that
> portage might want, right?
>
> - Grant

But I could install a wide-open firewall on the system-to-restrict and
use that firewall to restrict website access instead of the router's
firewall.  That way I could consider the user (root, non-root) when
deciding whether or not to allow the 80/443 outbound connection since:

"When referring to packet filters, filtering by user id (e.g., root)
can only be done for connections originating from the firewall."

That should restrict website access and allow portage to do its thing.

- Grant
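
The approach in the last message, written out as an added example (not code from anyone in this thread): OUTPUT-chain rules generated for the restricted host itself, where the owner match can separate the desktop user from root (and from the portage user when FEATURES=userfetch is set). The function names gen_rules and rule_count, uid 1000 and the RFC 5737 addresses are my placeholders; the two permitted sites' addresses are assumed to have been looked up beforehand with dig.

```shell
#!/bin/sh
# Added example, not from the thread. Emits iptables commands for the
# restricted host's own OUTPUT chain; pipe the output into `sudo sh` to
# apply. Only the given uid is limited, so root (and the portage user
# under FEATURES=userfetch) can still fetch from any mirror.
# Usage: gen_rules <restricted-uid> <allowed-ip>...
# Caveat: site addresses change (CDNs, round-robin DNS), so re-resolve
# with `dig +short` and regenerate when a permitted site stops loading.

gen_rules() {
    uid="$1"; shift
    # Permit HTTP and HTTPS from the restricted uid to each allowed address.
    for ip in "$@"; do
        for port in 80 443; do
            echo "iptables -A OUTPUT -p tcp --dport $port -d $ip -m owner --uid-owner $uid -j ACCEPT"
        done
    done
    # Any other 80/443 connection from that uid is refused; other uids,
    # root included, never hit this rule and fall through to the chain policy.
    echo "iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner $uid -j REJECT --reject-with tcp-reset"
}

# Number of rules produced: 2 per allowed address plus the final REJECT.
rule_count() {
    gen_rules "$@" | wc -l | tr -d ' '
}

# Constructed placeholders (RFC 5737 documentation ranges) for the two sites.
gen_rules 1000 192.0.2.10 198.51.100.20
```

DNS (port 53) is untouched by these rules, so Firefox can still resolve the two permitted names; only the TCP connections to other web servers are refused.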
