On July 5, 2004 12:29 am, Michael Frank wrote:
> On Sun, 04 Jul 2004 16:59:04 +0200, Cedric Blancher <blancher@xxxxxxxxxxxxxxxxxx> wrote:
> > On Sun 04/07/2004 at 15:16, Michael Frank wrote:
> > > Would like to block ports depending on the group in use
> >
> > See owner match:
> >
> > cbr@anduril:~$ iptables -m owner --help
> > iptables v1.2.11
> > [...]
> > OWNER match v1.2.11 options:
> > [!] --uid-owner userid       Match local uid
> > [!] --gid-owner groupid      Match local gid
> > [!] --pid-owner processid    Match local pid
> > [!] --sid-owner sessionid    Match local sid
> > [!] --cmd-owner name         Match local command name
> >
> > --gid-owner seems to satisfy your needs.
>
> Thank you for the pointer. This works very well.
>
> I think there is a problem though wrt ICMP requests. The following
> rule allows _everyone_ to ping, but I would expect only root to be able to.
>
> ACCEPT all -- anywhere anywhere OWNER UID match root
>
> This rule has no effect on ICMP; I am mhf and can't ping.
>
> ACCEPT all -- anywhere anywhere OWNER UID match mhf
>
> This is with Vanilla kernel 2.4.24. Any known issue here?

I would suggest that in all likelihood your ping/traceroute are setuid root. *grin*

Alistair.
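An added example, not part of the thread: the OUTPUT rules that restrict ICMP echo requests to one uid with the owner match, plus a check for the condition Alistair points at. The owner match sees the effective uid of the process that owns the socket, so a setuid-root ping is matched as root whoever runs it; `restrict_ping_to_user`, `has_setuid`, `socket_owner_seen_by_netfilter` and `replace_setuid_with_cap` are names chosen here, and `setcap` assumes a kernel with file capabilities (2.6.24 or later), which the 2.4.24 kernel in the thread does not have.

```shell
#!/bin/sh
# Added example (not from the thread): restrict outgoing ICMP echo requests
# to one local user with the iptables owner match, then check the condition
# that defeats the restriction: a setuid-root ping.
#
# The owner match inspects the effective uid/gid of the process that owns
# the socket. A setuid-root ping runs with euid 0, so its ICMP matches
# "--uid-owner root" no matter who typed the command.

IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo to dry-run the rules

# Only $1 (default root) may send ICMP echo requests. The owner match only
# works in OUTPUT, since it applies to locally generated packets.
restrict_ping_to_user() {
    user="${1:-root}"
    "$IPTABLES" -A OUTPUT -p icmp --icmp-type echo-request \
        -m owner --uid-owner "$user" -j ACCEPT
    "$IPTABLES" -A OUTPUT -p icmp --icmp-type echo-request -j DROP
}

# Return 0 if $1 has the setuid bit set (POSIX "test -u").
has_setuid() {
    [ -u "$1" ]
}

# Report the uid the owner match will see when user $2 runs binary $1:
# with the setuid bit set, euid becomes the file's owner before socket()
# is called; otherwise it stays the invoker's uid.
socket_owner_seen_by_netfilter() {
    bin="$1"; invoker="$2"
    if has_setuid "$bin"; then
        ls -ld "$bin" | awk '{ print $3 }'   # file owner (root for a stock ping)
    else
        echo "$invoker"
    fi
}

# Mitigation on kernels with file capabilities (2.6.24+): drop the setuid bit
# and grant only CAP_NET_RAW, so ping still works but runs with the caller's
# euid and the owner match distinguishes users again.
replace_setuid_with_cap() {
    chmod u-s "$1" && setcap cap_net_raw+ep "$1"
}
```

With `IPTABLES=echo` the rule set can be reviewed before it is loaded, and `socket_owner_seen_by_netfilter /bin/ping mhf` shows directly why the mhf rule in the thread never matches.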