Block traffic for a particular user

[dvanmosselbeen]

The idea is to block some traffic for a particular user. With:

iptables -A OUTPUT -p tcp -m owner --uid-owner <username> -j DROP

we can block do this but it won't work if the system does forwarding. It would be nice to find a way for systems that does forwarding. Apparently nufw provide a solution (but don't ask me).

[Adi Kriegisch]

Tagging this as "trivial" is brave to say the least. nufw provides client software that communicates with the server via network. A client application has to be registered to be allowed to get a connection.
There are several approaches to the issue of locking in people:

• WLANs often use a web interface to authenticate clients and let them go out and play.
  
• Companies use Proxy servers with authentication to gain some control over what their users/employees do.
  
• The most complete solution to this issue seems to be nufw. One has complete control over which application is allowed to do, where users go and where they were. But with some disadvantages: every client needs special client software. Setup/configuration is not so trivial.
  

IMO it is not feasible to implement this within vuurmuur, because it heavily depends on client software for about any platform. Creating and maintaining such client software means huge effort in a different direction.
One solution to this problem that works out of the box right now is the use of proxy servers. Another solution to this problem would be really nice to have -- but as a stand-alone project using vuurmuur_script: a webinterface that allows authentication and is capable of revoking the authentication once the user disconnects. This should not be hard to do but definitely means work and implementing proper security mechanisms. ;-)

[Victor Julien]

I agree with Adi's explanation. Vuurmuur is primarily developed as a gateway firewall, and the owner match won't be able to do anything for that.