
Re: Match owner



Bjoern Meier wrote:
> 2009/10/21 Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
> 
>>> If I set:
>>> -A OUTPUT -d <IP> -m owner --uid-owner <username> -j ACCEPT
>>>
>>> It fails and my logging shows that the rule will be ignored and goes to the
>>> deny rule (last rule).
>> How does it fail? What is the error message?
>>
> Oh sorry, there is no error.
> Iptables seems to accept this rule. I can see it with iptables -S, but it
> seems to be ignored.

Are you sure that the UID is correct? What kind of traffic are you
trying to match?
Keep in mind that --uid-owner matches the effective UID, so packets sent
by special programs with the SUID bit set such as ping, traceroute...
have the UID of the owner of the program (usually root).

> I don't know how I can see the owner. Is there a switch
> on - maybe - tcpdump?

I don't know.
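
Added example, not part of the original message: a shell sketch of the effective-UID point above, predicting which UID `--uid-owner` would compare against for a given program. The function names `predict_euid` and `owner_rule` and the address 192.0.2.10 are placeholders, and it assumes the program keeps the effective UID it starts with.

```shell
#!/bin/sh
# Added example: predict which UID "-m owner --uid-owner" compares against
# for packets sent by a given program. Assumption: the program keeps the
# effective UID it starts with (it does not drop privileges itself).

# predict_euid PROGRAM CALLER_UID
# Prints the effective UID the process starts with: the file owner when the
# set-user-ID bit is set, otherwise the UID of the invoking user.
predict_euid() {
    prog=$1
    caller=$2
    if [ -u "$prog" ]; then
        # Third field of "ls -ln" is the numeric owner; -L follows symlinks.
        ls -lndL "$prog" | awk '{ print $3; exit }'
    else
        printf '%s\n' "$caller"
    fi
}

# owner_rule PROGRAM CALLER_UID DEST
# Prints an OUTPUT rule of the same form as the one in the thread, using the
# UID that the owner match would actually see for that program.
owner_rule() {
    uid=$(predict_euid "$1" "$2")
    printf '%s\n' "-A OUTPUT -d $3 -m owner --uid-owner $uid -j ACCEPT"
}

# Demo: 192.0.2.10 is a documentation address used as a placeholder.
for name in ping traceroute; do
    path=$(command -v "$name" 2>/dev/null) || continue
    [ -n "$path" ] || continue
    printf '%s: ' "$path"
    owner_rule "$path" "$(id -u)" 192.0.2.10
done
```

If the printed UID differs from the one in the rule being tested, the rule cannot match that program's packets and they fall through to the final deny rule.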

