Wednesday, June 16, 2004 8:24 AM maynard@xxxxxxxxxxxxxxxx asked:

> Is there any way that a user can tell iptables to allow a
> user to specify additional ports to block other than the ones
> in the 'root' iptables configuration. I do not know if there
> are security implications in this, but all that iptables
> would have to do was to look for further disallows in the
> current user's config directory, maybe under ~/.iptables/
> I am trying to run firestarter as a user level application,
> i.e., without needing the root password every time I run it.

Nope - Can't do it without compromising the security of your machine.

The problem here is that netfilter, the linux firewall, is implemented in the kernel. This is what makes it both so fast and so secure. As such, you must be root to make changes to it.

From the sound of your post, I gather that you are used to user space firewalls such as exist in the windows world. These can have different settings for different users because they are just applications rather than an integral part of the OS. Also, being apps, they usually have relatively high system resource use and many don't actually secure a machine unless a user is logged in. A machine that is booted but not logged into is left wide open... :(

One way to implement what you desire in linux is to use a dedicated FW box that has squid and squidguard running. Squidguard is an add-on to squid that does url blocking. It can be configured in conjunction with squid's user authentication to have different rule sets for each user.

I'm sure there are other approaches, but this is the one I'd push were I in your shoes.

Eric Diamond
eDiamond Networking & Security
eric<at>ediamond[dot]net
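The per-user setup Eric describes, as an added illustration that is not part of his reply or of the squid/squidguard projects' own documentation: squid authenticates the user (here with the basic NCSA helper against a password file), hands every URL to squidGuard as a URL rewriter, and squidGuard selects a rule set by the authenticated username. The file paths, the helper name, the user "alice" and the "blocked" domain list are assumptions for the example.

```conf
# --- /etc/squid/squid.conf (example fragment, paths assumed) ---
# Require a login on the proxy; the username is what squidGuard keys on.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm Proxy
acl authusers proxy_auth REQUIRED
http_access allow authusers
http_access deny all

# Pass each request to squidGuard so it can apply the per-user rules.
url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf

# --- /etc/squidguard/squidGuard.conf (example, paths assumed) ---
dbhome /var/lib/squidguard/db
logdir /var/log/squidguard

# Source group matched by the proxy-authenticated username.
src alice {
    user alice
}

# Destination group: one domain per line in db/blocked/domains.
dest blocked {
    domainlist blocked/domains
}

acl {
    # Rules for alice: everything except the blocked list.
    alice {
        pass !blocked all
        redirect http://localhost/blocked.html
    }
    # Everyone else who authenticated gets the default rule set.
    default {
        pass all
    }
}
```

The point of the layout is that the block list lives on the firewall box and is enforced for whoever authenticates, so no user on a workstation needs root (or any write access to the packet filter) to get their own restrictions. The rule sets stay under the administrator's control, which is exactly the property the in-kernel filter would lose if per-user files under `~/.iptables/` were honoured.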