On Sun, 18 Oct 2009 18:41:09 +0200 David Baron <d_ba...@012.net.il> wrote:
> As undemocratic as it seems, sometimes it is necessary for some
> logins not to be able to access internet browsing and such.
>
> How might one set this up?

One method might be to force all traffic through a proxy, and require
authentication. A more robust solution would be to take advantage of
the iptables ability to match a packet's 'user'. E.g., take a look at
the sample 'rules' file included with shorewall:

#   USER/GROUP  This column may only be non-empty if the SOURCE is
#               the firewall itself.
#
#               The column may contain:
#
#   [!][<user name or number>][:<group name or number>][+<program name>]
#
#               When this column is non-empty, the rule applies only
#               if the program generating the output is running under
#               the effective <user> and/or <group> specified (or is
#               NOT running under that id if "!" is given).
#
#               Examples:
#
#                   joe     #program must be run by joe
#                   :kids   #program must be run by a member of
#                           #the 'kids' group
#                   !:kids  #program must not be run by a member
#                           #of the 'kids' group
#                   +upnpd  #program named upnpd (This feature was
#                           #removed from Netfilter in kernel
#                           #version 2.6.14).

Celejar
-- 
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
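Added example (not part of the original message, and not Shorewall's own code): how the USER/GROUP column syntax quoted above maps onto the iptables owner match (-m owner --uid-owner / --gid-owner), which only applies to locally generated packets in the OUTPUT chain. The helper names owner_match and reject_rule are hypothetical, the sample specs are the ones from the quoted comment, and applying "!" to each of user and group separately is an assumption.

```shell
#!/bin/sh
# Added illustration: translate a Shorewall-style USER/GROUP spec
# ([!][user][:group]) into iptables "owner" match arguments.
# owner_match and reject_rule are hypothetical helper names.

owner_match() {
    spec=$1
    neg=""
    case $spec in
        "")  echo "empty spec" >&2; return 1 ;;
        *+*) echo "+program is no longer supported (removed in 2.6.14)" >&2
             return 1 ;;
    esac
    # A leading "!" inverts the match.
    case $spec in
        \!*) neg="! "; spec=${spec#?} ;;
    esac
    # Split "user:group"; either side may be empty.
    case $spec in
        *:*) user=${spec%%:*}; group=${spec#*:} ;;
        *)   user=$spec; group="" ;;
    esac
    [ -n "$user$group" ] || { echo "no user or group given" >&2; return 1; }
    # Refuse anything that is not a plain name or number, so a spec can
    # never smuggle extra options or shell syntax into the rule.
    case $user$group in
        *[!A-Za-z0-9_.-]*) echo "invalid character in spec" >&2; return 1 ;;
    esac
    out="-m owner"
    # Assumption: "!" negates the user test and the group test separately.
    [ -z "$user" ]  || out="$out ${neg}--uid-owner $user"
    [ -z "$group" ] || out="$out ${neg}--gid-owner $group"
    printf '%s\n' "$out"
}

# Print (do not run) an OUTPUT-chain rule that rejects outbound TCP to
# port $2 for the accounts selected by spec $1.
reject_rule() {
    m=$(owner_match "$1") || return 1
    printf 'iptables -A OUTPUT -p tcp --dport %s %s -j REJECT\n' "$2" "$m"
}

# Constructed sample specs, taken from the rules-file comment above.
for s in joe :kids '!:kids'; do
    reject_rule "$s" 80
done
```

The rules are only printed, so they can be reviewed before being loaded as root. Without the newer --suppl-groups option, --gid-owner compares the group id the process is running under rather than its supplementary groups, so the restricted accounts should have 'kids' as their primary group.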