Quarantining an account from the Internet, or from all networking?
Michael ODonnell
michael.odonnell at comcast.net
Mon Aug 16 19:31:34 EDT 2010
> smart enough to look at who owns the associated socket, it should
> work. Packets don't have owners, true, but a packet without a
> socket is rather like the sound of one hand clapping...
Yah, I had just been imagining the packet in the abstract, in flight,
where such info isn't available. But you're right, of course -
that info is available as the packet nears its destination and
becomes associated with an endpoint. And if I'd RTFM I'd have seen
this bit where that's indicated:
> owner
>
> This module attempts to match various characteristics of the packet
> creator, for locally generated packets. This match is only valid in
> the OUTPUT and POSTROUTING chains. Forwarded packets do not have any
> socket associated with them. Packets from kernel threads do have a
> socket, but usually no owner.
>
> [!] --uid-owner username
>
> [!] --uid-owner userid[-userid]
> Matches if the packet socket's file structure (if it has one) is owned by
> the given user. You may also specify a numerical UID, or an UID range.
>
> [!] --gid-owner groupname
>
> [!] --gid-owner groupid[-groupid]
> Matches if the packet socket's file structure is owned by the given
> group. You may also specify a numerical GID, or a GID range.
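Putting the quoted man page text to work, here is an added example (not code from the original post or from the iptables project) that quarantines one local account with the owner match: the account's processes keep loopback and, optionally, one LAN prefix, and everything else they emit is rejected in OUTPUT. The UID 1000 and the LAN 192.0.2.0/24 in the usage lines are made-up placeholders. Because the owner match only sees locally generated packets in OUTPUT and POSTROUTING, the rules say nothing about traffic another UID sends on the quarantined user's behalf (a local proxy or daemon reachable over loopback, a setuid helper); closing those paths is a separate job.

```shell
#!/bin/sh
# Added example, not from the original post or the iptables project.
# Generates iptables/ip6tables rules that quarantine one UID (or UID range)
# from the network, keeping loopback and an optional LAN prefix reachable.
# Rules are emitted as text so they can be reviewed before being applied.
# Assumed placeholders: UID 1000 and LAN 192.0.2.0/24 in the usage lines.

IPTABLES=${IPTABLES:-iptables}
IP6TABLES=${IP6TABLES:-ip6tables}

# uid_of NAME_OR_UID: print a numeric UID. A numeric UID or a range such as
# "1000-1999" (allowed by --uid-owner) is passed through; a login name is
# resolved with id -u.
uid_of() {
    case "$1" in
        *[!0-9-]*) id -u "$1" ;;
        *)         printf '%s\n' "$1" ;;
    esac
}

# quarantine_rules UID [LAN_CIDR]
# Prints the OUTPUT-chain rules, one command per line, for IPv4 and IPv6.
# Order matters: the ACCEPT rules must come before the catch-all REJECT,
# and all of them must sit before any blanket ACCEPT already in OUTPUT.
quarantine_rules() {
    uid=$(uid_of "$1") || return 1
    lan=${2:-}
    # Loopback stays open so local X/IPC/DNS-cache style traffic still works.
    printf '%s -A OUTPUT -o lo -m owner --uid-owner %s -j ACCEPT\n' "$IPTABLES" "$uid"
    printf '%s -A OUTPUT -o lo -m owner --uid-owner %s -j ACCEPT\n' "$IP6TABLES" "$uid"
    # Optional LAN exception; an address containing ':' is treated as IPv6.
    if [ -n "$lan" ]; then
        case "$lan" in
            *:*) printf '%s -A OUTPUT -d %s -m owner --uid-owner %s -j ACCEPT\n' "$IP6TABLES" "$lan" "$uid" ;;
            *)   printf '%s -A OUTPUT -d %s -m owner --uid-owner %s -j ACCEPT\n' "$IPTABLES" "$lan" "$uid" ;;
        esac
    fi
    # REJECT rather than DROP so the user's programs fail fast instead of
    # hanging on timeouts; the admin-prohibited ICMP codes say why.
    printf '%s -A OUTPUT -m owner --uid-owner %s -j REJECT --reject-with icmp-admin-prohibited\n' "$IPTABLES" "$uid"
    printf '%s -A OUTPUT -m owner --uid-owner %s -j REJECT --reject-with icmp6-adm-prohibited\n' "$IP6TABLES" "$uid"
}

# apply_quarantine UID [LAN_CIDR]: run the generated rules (needs root).
# The rules are plain shell commands, so a child shell with -e executes
# them in order and stops at the first one iptables refuses.
apply_quarantine() {
    quarantine_rules "$@" | sh -e
}

# Usage (placeholders): review first, then apply as root.
#   quarantine_rules 1000 192.0.2.0/24
#   apply_quarantine 1000 192.0.2.0/24
```

The rules are appended (-A), so on a host whose OUTPUT chain already ends in an ACCEPT-everything rule they must be inserted ahead of it (swap -A for -I with a position) or they will never be reached. Check the result from the quarantined account itself, for example with a connection attempt to an Internet host and one to the LAN, before trusting it.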