Hello,

I was wondering if anyone had feedback regarding limiting which accounts on a host can receive traffic. I initially attempted to use the following rule to allow inbound traffic on port 80/443 to be handled only by processes on the server that were root or www-data:

    add rule filter input tcp dport { http, https } meta skuid { root, www-data } ct state new,established,related accept

...I have since learned that a better approach for this rule would be abstracting the connection states out, but I have repeated the rule from my original post.

This did not work as nftables is attempting to limit the skuid to root or www-data based on the client account that created the traffic - which is not included in the traffic.

Is there a way to restrict this so only processes owned by root or www-data on the server will receive HTTP/S traffic (either with nftables or another means)?

Thanks,
- J