Hello List members,

1. Shorewall v3.2 is working fine.

2. I seem to have misunderstood the functionality of the maclist file though. I wanted to use MAC addresses of machines to restrict access from zone1 to zone 2. Help would be appreciated.

3. My config is as follows:

eth0 -> adsl router
eth1 -> lan
eth2 -> mz (for lack of a better name)

my zone file
..............

#####################
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
mz      ipv4

#Note : 1 server only in mz
#Note : 50 machines in loc

my interfaces file
..................

#####################################
#ZONE   IFACE   BCAST   OPTIONS
net     eth0    detect  tcpflags,routefilter,nosmurfs,logmartians,blacklist
loc     eth1    detect  dhcp,tcpflags,detectnets,nosmurfs,blacklist
mz      eth2    detect  maclist,blacklist

4. I had mistakenly thought that by putting the MAC addresses of about 20 machines (all from the loc zone), I could prevent them from connecting to the mz zone, which had the maclist option activated in the interfaces file.

5. I now understand that that is wrong. Could anybody tell me how I could use the MAC addresses of machines (about 20 of them) to control access from loc zone -> mz zone or vice versa. Just fyi, the server in the mz zone is running an accounting package (FoxPro based).

bye,
thanx.
____________________________________________________________________________________
Moody friends. Drama queens. Your life? Nope! - their life, your story. Play
Sims Stories at Yahoo! Games.
http://sims.yahoo.com/
-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
Linux Advocate wrote:
> Shorewall , v 3.2
>
> eth0->adsl router
> eth1 ->lan
> eth2 ->mz ( for lack of a better name )
>
> my zone file
> ..............
>
> #####################
> #ZONE   TYPE
> fw      firewall
> net     ipv4
> loc     ipv4
> mz      ipv4
>
> #Note : 1 server only in mz
> #Note : 50 machines in loc
>
> Could anybody tell me how i could use the mac addresses of machines
> (about 20 of them) to control access from loc zone -> mz zone or vice
> versa. Just fyi, the server in the mz zone is running an accounting
> package-foxpro based.

I would start by reading:

http://www.shorewall.net/3.0/configuration_file_basics.htm#MAC
http://www.shorewall.net/3.0/configuration_file_basics.htm#Variables
http://www1.shorewall.net/3.0/configuration_file_basics.htm#Continuation
http://www.shorewall.net/3.0/Actions.html

Then I would configure files as shown below.

/etc/shorewall/policy:

loc     mz      REJECT  info

/etc/shorewall/params:

#
# List the 20 macs here in Shorewall format
#
MACS=~00-01-02-03-04-05,\
~01-02-03-04-05-06,\
...
~AA-BB-CC-DD-EE-FF

/etc/shorewall/actions:

#
# Declare action 'AcceptMacs'
#
AcceptMacs

/etc/shorewall/action.AcceptMacs:

#
# Define the Action (Accept from any of the listed MAC addresses)
#
ACCEPT  $MACS

/etc/shorewall/rules:

#
# Send all loc->mz traffic through the AcceptMacs action.
#
AcceptMacs      loc     mz
...

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Tom,

> I would start by reading:
>
> http://www.shorewall.net/3.0/Actions.html

The documentation says "Caution - This article applies to Shorewall 4.0 and later. If you are running a version of Shorewall earlier than Shorewall 4.0.0 then please see the documentation for that release" ..... though the URL indicates 3.0.

Is there another URL for actions -> Shorewall 3.x?

Regards,
Marco.
Linux Advocate wrote:
> Tom,
>> I would start by reading:
>>
>> http://www.shorewall.net/3.0/Actions.html
>
> The documentation says "Caution - This article applies to Shorewall 4.0
> and later. If you are running a version of Shorewall earlier than
> Shorewall 4.0.0 then please see the documentation for that release"
> ..... though the URL indicates 3.0.
>
> IS there another URL for actions -> shorewall 3.x ?

That's the correct article -- the caution is wrong.

-Tom
Thanx Tom. The caution has been reworded in the website.

> That's the correct article -- the caution is wrong.

As a further note to this maclist business, can I use the params definition of MACS in the rules file as shown below?

SMB/ACCEPT      loc:$MACS       mz
SMB/ACCEPT      mz              loc

a. Do I have to put a tilde in front of $MACS?

b. Will the rule above ensure that only the relevant hosts from the loc zone (with the allowed MAC addresses) can connect to the server in the mz zone for SMB?

c. Sorry, I'm about to make a trip to my branch office and would like your opinion on this, as my understanding of "actions" seems a little weak.

regards,
marco.
Linux Advocate wrote:
> Thanx Tom. The caution has been reworded in the website.
>
>> That's the correct article -- the caution is wrong.
>
> As further note to this maclist business, can i use the params
> definition of MACS in the rules file as shown below;
>
> SMB/ACCEPT      loc:$MACS       mz
> SMB/ACCEPT      mz              loc

Yes.

> a. Do i have to put a tilde in front of $MACS?

No.

> b. Will the rule above ensure that only the relevant hosts from the loc
> zone( with the allowed mac addresses ) can connect to the server in the
> mz zone for SMB ?

Yes.

-Tom
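Tom's params file lists the 20 MACs by hand, and the later rule SMB/ACCEPT loc:$MACS mz reuses that same variable. As an added example that is not part of this thread and not Shorewall's own code, the POSIX shell script below generates that MACS= line from a small host inventory (constructed here), converting the colon-separated form that ip link or arp print into Shorewall's tilde/dash form with the backslash continuation lines Tom's example relies on, and refusing to emit anything if an entry is malformed or duplicated, so a typo cannot silently drop a host from the allow-list. The inventory format and the function names are assumptions of this example. Two points a practitioner would keep in mind when relying on these rules: the match only sees the source MAC of hosts on the directly attached segment (eth1 here), and a MAC address identifies a NIC rather than authenticating a user, so the rule narrows who can reach the SMB service but does not replace the accounting server's own authentication.

```shell
#!/bin/sh
# Added example, not from the thread: build the MACS= variable for
# /etc/shorewall/params from a host inventory.
#
# Assumed inventory format (constructed for this example): one "host mac"
# pair per line; blank lines and '#' comments are ignored. MACs may use
# ':' or '-' separators and either letter case, as `ip link`/`arp` print them.

nl='
'

# normalize_mac MAC
#   Print the MAC as lower-case, dash-separated hex (Shorewall's form
#   without the leading tilde). Return 1 and print nothing if malformed.
normalize_mac() {
    mac=$(printf '%s' "$1" | sed 's/:/-/g' | tr 'ABCDEF' 'abcdef')
    case "$mac" in
        [0-9a-f][0-9a-f]-[0-9a-f][0-9a-f]-[0-9a-f][0-9a-f]-[0-9a-f][0-9a-f]-[0-9a-f][0-9a-f]-[0-9a-f][0-9a-f])
            printf '%s\n' "$mac"; return 0 ;;
        *)
            return 1 ;;
    esac
}

# build_macs_param < inventory
#   Emit "MACS=~aa-bb-...,\" in the continuation style the params file
#   accepts (it is sourced by the shell). Return 1 and emit nothing if any
#   entry is malformed or duplicated, so a typo cannot shrink the list.
build_macs_param() {
    out='MACS='
    seen=' '
    status=0
    while read -r host mac rest; do
        case "$host" in ''|'#'*) continue ;; esac   # skip blanks and comments
        norm=$(normalize_mac "$mac") || {
            printf 'bad MAC for %s: %s\n' "$host" "$mac" >&2
            status=1
            continue
        }
        case "$seen" in *" $norm "*)
            printf 'duplicate MAC %s (%s)\n' "$norm" "$host" >&2
            status=1
            continue ;;
        esac
        seen="$seen$norm "
        case "$out" in
            MACS=) out="$out~$norm" ;;            # first entry
            *)     out="$out,\\$nl~$norm" ;;      # ",\" then a new line
        esac
    done
    [ "$status" -eq 0 ] || return 1
    printf '%s\n' "$out"
}

# Constructed sample inventory: three accounting PCs in the loc zone.
INVENTORY='# host        mac
acct-pc01     00:11:22:33:44:55
acct-pc02     00-11-22-33-44-66
acct-pc03     AA:BB:CC:DD:EE:FF'

# Demo: print the MACS= assignment; review it before pasting it into
# /etc/shorewall/params.
printf '%s\n' "$INVENTORY" | build_macs_param
```

After updating params, run shorewall check before restarting so that a syntax problem in the generated variable is caught before the loc -> mz REJECT policy is the only thing left standing.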
thanx :)

--- Tom Eastep <teastep@shorewall.net> wrote:
> Linux Advocate wrote:
> > SMB/ACCEPT      loc:$MACS       mz
> > SMB/ACCEPT      mz              loc
>
> Yes.
>
> > a. Do i have to put a tilde in front of $MACS?
>
> No.
>
> > b. Will the rule above ensure that only the relevant hosts from the
> > loc zone( with the allowed mac addresses ) can connect to the server
> > in the mz zone for SMB ?
>
> Yes.
>
> -Tom