Hi,

At the moment I am controlling my LAN client access to the Inet by
their MAC address. Currently I am putting their MAC address in the
rules file - now the number of the PC that I want to manage is getting
more and more and it is not practical to do this way anymore.

My question is, how can I have their MAC address in other separate
file?

Regards

http://www.debian.org/consultants/#Malaysia

mynullvoid wrote:
>
> My question is, how can I have their MAC address in
> other separate file?

Use an action.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

mynullvoid <mynullvoid@yahoo.com>
Sent by: shorewall-users-bounces@lists.shorewall.net
03/10/05 12:27 AM
Please respond to Mailing List for Shorewall Users <shorewall-users@lists.shorewall.net>
To: shorewall-users@lists.shorewall.net
cc:
Subject: [Shorewall-users] rules - access by mac address

> Hi,
>
> At the moment I am controlling my LAN client access to the Inet by
> their MAC address. Currently I am putting their MAC address in the
> rules file - now the number of the PC that I want to manage is getting
> more and more and it is not practical to do this way anymore.
>
> My question is, how can I have their MAC address in other separate
> file?
>
> Regards

=====================================

I had never thought to ask ... but to risk a suggestion other than Tom's:

I started with an empty (as distributed) maclist
and changed the file with

    INCLUDE maclist.mymachine

the line before #LAST LINE...

Then I get to use a separate "table" maclist.mymachine and updating a
new release with MAC addresses is no big edit job...

- Bill (Sufficiently talented fool - ducking now)

Bill.Light@kp.org wrote:
>
> I had never thought to ask ... but to risk a suggestion other than Tom's:
>
> I started with an empty (as distributed) maclist
> and changed the file with
>
> INCLUDE maclist.mymachine
>
> the line before #LAST LINE...
>
> Then I get to use a separate "table" maclist.mymachine and updating a
> new release with MAC addresses is no big edit job...
>

This works great if what you want is simple MAC filtration. If you want
to allow certain traffic based on MAC address then this wouldn't work.
Since the OP is currently using the rules file, I assumed (possibly
incorrectly) that there were requirements that cannot be met through use
of the MAC validation feature in Shorewall.

-Tom

Hi

I want to allow certain traffic based on MAC address, please give me
example on how the rules look like and the referred file - can I have
the address in line-by-line format?

Please advise

Thank you

mynullvoid wrote:
> Hi
>
> I want to allow certain traffic based on MAC address, please give me example on
> how the rules look like and the referred file - can I have the address in
> line-by-line format?
>
> Please advise

Please RTFM -- there may be an example in your own rules file. There is
certainly an example at http://shorewall.net/Documentation.htm#Rules
(it's example 14 in case you are having difficulty finding it).

-Tom

Dear Tom,

I am okay with Example 14, at the moment filter by mac working fine; my
problem is how can I get all the mac address which I want to filter in
external file (since there are many MAC to manage)

    ACCEPT loc:~02-00-08-E3-FA-55 dmz all

Can I have something like

    ACCEPT loc:maclist1 dmz all

Then in - maclist1

    ~02-00-08-E3-FA-55
    ~02-00-08-E3-FA-56
    ~02-00-08-E3-FA-57
    .....

Please assist

Thank you

I'm not answering this tonight -- hopefully someone else will. It's 7PM
here and I'm trying to spend time with my family.

There are two choices:

a) Use Shell Variables
b) Use an action

-Tom

Please post in plain text and configure your mailer to fold long lines
at an appropriate length. Each of your paragraphs is one long line.

mynullvoid wrote:
> I am okay with Example 14, at the moment filter by mac working fine;
> my problem is how can I get all the mac address which I want to filter
> in external file (since there are many MAC to manage)
>
> ACCEPT loc:~02-00-08-E3-FA-55 dmz all
>
> Can I have something like
>
> ACCEPT loc:maclist1 dmz all
>
> Then in - maclist1
> ~02-00-08-E3-FA-55
> ~02-00-08-E3-FA-56
> ~02-00-08-E3-FA-57
> .....
>

You have two choices:

a) Use shell variables:

/etc/shorewall/params:

    GRP=~02-00-08-E3-FA-55,~02-00-08-E3-FA-56,~02-00-08-E3-FA-57...

Note: the above can be folded to one MAC per line by using "\" as the
last character on the line and by ensuring that there is no embedded
white space.

/etc/shorewall/rules:

    ACCEPT loc:$GRP dmz all

b) Use an action:

/etc/shorewall/actions:

    AllowGrp

/etc/shorewall/action.AllowGrp (created from
/usr/share/shorewall/action.template):

    ACCEPT ~02-00-08-E3-FA-55 0.0.0.0/0 all
    ACCEPT ~02-00-08-E3-FA-56 0.0.0.0/0 all
    ACCEPT ~02-00-08-E3-FA-57 0.0.0.0/0 all

/etc/shorewall/rules:

    AllowGrp loc dmz all

The second approach results in a more efficient ruleset.

-Tom

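Added example, not part of the thread and not Shorewall code: a shell script that takes the one-MAC-per-line file the original poster asked for and generates both forms from the last reply, the GRP= line for /etc/shorewall/params and the ACCEPT lines for /etc/shorewall/action.AllowGrp. The function names and the list file format (# comments allowed, colon-separated MACs converted to the ~XX-XX-XX-XX-XX-XX notation) are assumptions of this example.

```shell
# Added example (not Shorewall code); function names and list format are assumed.

# normalize_mac MAC: print the MAC as ~XX-XX-XX-XX-XX-XX, or return 1.
normalize_mac() {
    mac=$(printf '%s' "$1" | tr 'a-f:' 'A-F-')
    mac=${mac#"~"}
    printf '%s\n' "$mac" | grep -Eq '^([0-9A-F]{2}-){5}[0-9A-F]{2}$' || return 1
    printf '~%s\n' "$mac"
}

# read_macs FILE: print unique normalized MACs, skipping blanks and # comments.
# A malformed entry stops the run so a typo never becomes a silent rule change.
read_macs() {
    seen="" lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        entry=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')
        [ -z "$entry" ] && continue
        mac=$(normalize_mac "$entry") || {
            echo "$1:$lineno: bad MAC '$entry'" >&2; return 1; }
        case " $seen " in *" $mac "*) continue ;; esac
        seen="$seen $mac"
        printf '%s\n' "$mac"
    done < "$1"
}

# gen_params FILE: the GRP= line for /etc/shorewall/params (choice a).
gen_params() {
    macs=$(read_macs "$1") && [ -n "$macs" ] || return 1
    printf 'GRP=%s\n' "$(printf '%s' "$macs" | tr '\n' ',')"
}

# gen_action FILE: the body of /etc/shorewall/action.AllowGrp (choice b).
gen_action() {
    macs=$(read_macs "$1") && [ -n "$macs" ] || return 1
    for m in $macs; do printf 'ACCEPT %s 0.0.0.0/0 all\n' "$m"; done
}

# Constructed sample list; the MACs are the ones quoted in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# LAN clients allowed to reach the dmz
~02-00-08-E3-FA-55
02:00:08:e3:fa:56
~02-00-08-E3-FA-57   # a repeat of the first entry follows
~02-00-08-E3-FA-55
EOF
gen_params "$sample"
gen_action "$sample"
rm -f "$sample"
```

Both generators exit non-zero on an empty or malformed list, so their output can be checked before it is copied into the Shorewall files.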