use dedicated geoipupdate user

Daniel Micay 2022-07-26 23:09:06 -04:00
parent 6081f9fa73
commit 54b52a3655


@ -48,12 +48,12 @@ table inet filter {
type filter hook output priority filter
oif lo goto output-internal
skuid != {root, systemd-network, chrony, unbound, powerdns} counter goto output-reject
skuid != {root, systemd-network, chrony, unbound, powerdns, geoipupdate} counter goto output-reject
}
chain output-internal {
skuid unbound meta l4proto {tcp, udp} th sport 53 th dport >= 1024 accept
skuid {chrony, powerdns} meta l4proto {tcp, udp} th sport >= 1024 th dport 53 accept
skuid {chrony, powerdns, geoipupdate} meta l4proto {tcp, udp} th sport >= 1024 th dport 53 accept
skuid != root counter goto output-reject
accept
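Review bot: Adding `geoipupdate` to the uid set in the `output` chain lets that account send any protocol to any port on non-loopback interfaces, because the visible chain has no rule after the set match and nothing narrows traffic per uid. The updater presumably only needs outbound HTTPS, so a tighter form would leave it out of the set and place `skuid geoipupdate tcp dport 443 accept` ahead of the set rule. The other listed accounts are equally unrestricted, so this may be a deliberate trade-off. Both changed rules refer to the account by name, which is presumably resolved when the ruleset is loaded, so it is worth confirming the user is created before this file is applied. The hunk appears cut off after `accept`, so the end of `output-internal` is not visible here.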