5.3.5. User Service

A User Service object matches the owner of the process on the firewall that sent the packet. It translates to the "owner" match in iptables and the "user" parameter in PF.

Figure 5.120. User Service Dialog


  • Name:

    This is the name of the object.

  • User ID:

    The user ID of the user account on the firewall device that the firewall should use to match packets.

  • Comments:

    This is a free-style text field used for comments.

The user service object has only one parameter besides the name and comment: it is the user ID that the firewall should use to match packets.

The user service object is only supported for iptables and PF.

Let's look at how the simple rule shown in Figure 5.121 compiles for iptables and PF.

Figure 5.121. User Service Rule Example


The firewall can associate a packet with a user only if the packet originated on the firewall itself. Packets that transit the firewall carry no information about the user who owned the process that created and sent them, because that process ran on an entirely different computer. For this reason, the object in the Source column must be the firewall.

Figure 5.122. User Service, iptables Compile Output

# Rule 0 (global)
#
$IPTABLES -A OUTPUT -m owner --uid-owner 500 -j DROP

The user service translates into the owner match for iptables; because only locally generated packets have an owner, the rule is placed in the OUTPUT chain. See the iptables man page for a more detailed explanation of this match.

Figure 5.123. User Service, PF Compile Output

# Tables: (1)
table <tbl.r0.s> { en0 , 192.168.1.1 }

# Rule 0 (global)
#
#
block out quick inet from <tbl.r0.s> to any user 500

Here the table tbl.r0.s was created to hold the IP addresses that belong to the firewall. The rule matches on those source addresses and also on the user ID of the process owner using the "user" clause.

The user service object is one of the simplest service object types in Firewall Builder, but it provides basic per-user control on Linux and BSD machines. This service object can be used in rules with actions that reroute packets ("Route" action) or in NAT rules, for example to redirect a particular user's web access through a proxy.
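To make the compile behaviour above concrete, the following is an added illustrative compiler, not Firewall Builder's own code: it turns a user-service rule into the iptables and PF lines of Figures 5.122 and 5.123 and refuses a rule whose Source is not the firewall. The Firewall and UserServiceRule classes, the "Deny"/"Accept" action names and the interface and address values are assumptions made for the example.

```python
"""Illustrative compile of a Firewall Builder-style User Service rule.

Added example, not Firewall Builder's own code. It mirrors the outputs in
Figures 5.122 and 5.123 and enforces the constraint that a user match is only
meaningful for packets that originate on the firewall itself.
"""
from dataclasses import dataclass


@dataclass
class Firewall:
    name: str
    interfaces: list   # interface names, e.g. ["en0"] (assumed shape)
    addresses: list    # the firewall's own IP addresses (assumed shape)


@dataclass
class UserServiceRule:
    source: object       # must be the Firewall object for a user match
    uid: int             # user ID of the process owner on the firewall
    action: str = "Deny"  # "Deny" or "Accept" (assumed action names)
    number: int = 0


def _check_source(fw: Firewall, rule: UserServiceRule) -> None:
    """Transit packets carry no owner, so Source must be the firewall."""
    if rule.source is not fw:
        raise ValueError("user service rules require the firewall as Source")


def compile_iptables(fw: Firewall, rule: UserServiceRule) -> list:
    """Owner match only sees locally generated packets: use the OUTPUT chain."""
    _check_source(fw, rule)
    target = {"Deny": "DROP", "Accept": "ACCEPT"}[rule.action]
    return [
        f"# Rule {rule.number} (global)",
        f"$IPTABLES -A OUTPUT -m owner --uid-owner {rule.uid} -j {target}",
    ]


def compile_pf(fw: Firewall, rule: UserServiceRule) -> list:
    """PF gets a table of the firewall's own addresses plus the 'user' clause."""
    _check_source(fw, rule)
    table = f"tbl.r{rule.number}.s"
    members = " , ".join(fw.interfaces + fw.addresses)
    verb = {"Deny": "block", "Accept": "pass"}[rule.action]
    return [
        f"table <{table}> {{ {members} }}",
        f"# Rule {rule.number} (global)",
        f"{verb} out quick inet from <{table}> to any user {rule.uid}",
    ]
```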

Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.