So here's my use case... I have a (shorewall) gateway but in general, users are not allowed to use it. They must use configured proxies and internal servers which are themselves allowed to use the gateway. The simple solution to this scenario is to simply use the maclist and only list the approved proxies.

This screws up OSPF though. Even though the majority of hosts can't use the gateway, in general, they do need to exchange OSPF packets with it to complete their routing configuration. The simple workaround was to:

    # iptables -I br-lan_mac -p 89 -j RETURN

Indeed, I could stop using maclist and put specific rules into the rules file to do the same thing, but the maclist is nice. :-)

Thoughts?

b.

-------------------------------------------------------------------------
Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
Studies have shown that voting for your favorite open source project,
along with a healthy diet, reduces your potential for chronic lameness
and boredom. Vote Now at http://www.sourceforge.net/community/cca08
Brian J. Murrell wrote:
> So here's my use case... I have a (shorewall) gateway but in general,
> users are not allowed to use it. They must use configured proxies and
> internal servers which are themselves allowed to use the gateway. The
> simple solution to this scenario is to simply use the maclist and only
> list the approved proxies.
>
> This screws up OSPF though. Even though the majority of hosts can't use
> the gateway, in general, they do need to exchange OSPF packets with it
> to complete their routing configuration. The simple workaround was to:
>
> # iptables -I br-lan_mac -p 89 -j RETURN
>
> Indeed, I could stop using maclist and put specific rules into the rules
> file to do the same thing, but the maclist is nice. :-)
>
> Thoughts?

Use the rules file -- you might find it more convenient to define an action that accepts traffic from the approved MACs and then apply that action to the protocols that the hosts are allowed to use.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
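The workaround in the first message and Tom's suggestion to handle it in the rules file both come down to the same iptables structure: exempt OSPF, check the source MAC, drop the rest. As an added example (not from the thread, and not Shorewall's own code), the following POSIX shell function prints the raw iptables rules that reproduce a maclist with an OSPF exemption. The interface name, the chain name and the MAC addresses are hypothetical inputs supplied by the caller; the function only prints commands so they can be reviewed before anything is loaded into the kernel.

```shell
#!/bin/sh
# Added example, not from the thread or from Shorewall: emit the iptables
# rules equivalent to "maclist plus an OSPF exemption". Interface, chain
# and MAC addresses are hypothetical and come from the caller.

# Accept only six colon-separated hex octets. Anything else (Shorewall's
# ~aa-bb-cc-dd-ee-ff notation, a typo, a shell metacharacter) is rejected
# so a bad entry can never be spliced into a generated iptables line.
valid_mac() {
    case "$1" in
        [0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]) return 0 ;;
        *) return 1 ;;
    esac
}

# gen_maclist_rules IFACE MAC [MAC...]
# Prints the rules; pipe to sh only after reading the output.
gen_maclist_rules() {
    iface="$1"; shift
    chain="${iface}_mac"

    for mac in "$@"; do
        valid_mac "$mac" || { echo "gen_maclist_rules: bad MAC '$mac'" >&2; return 1; }
    done

    # OSPF (IP protocol 89) addressed to the firewall itself is accepted
    # before the MAC check, so every host can still form an adjacency with
    # the router. This is narrower than "-I br-lan_mac -p 89 -j RETURN" in
    # the thread, which also exempts OSPF from the check on the FORWARD path.
    echo "iptables -A INPUT -i $iface -p 89 -j ACCEPT"

    # Everything else arriving on $iface, whether for the firewall or for
    # forwarding, goes through the MAC check, as Shorewall's maclist does.
    echo "iptables -N $chain"
    echo "iptables -A INPUT -i $iface -j $chain"
    echo "iptables -A FORWARD -i $iface -j $chain"

    # Approved senders RETURN to the calling chain for the normal zone rules.
    # This only proves the frame carried an approved source MAC, which any
    # host on the same segment can forge; it is access control, not identity.
    for mac in "$@"; do
        echo "iptables -A $chain -m mac --mac-source $mac -j RETURN"
    done

    # Unknown senders are dropped (Shorewall's maclist disposition is
    # configurable; REJECT would be the other reasonable choice here).
    echo "iptables -A $chain -j DROP"
}

# Example invocation with constructed, hypothetical MAC addresses:
# gen_maclist_rules br-lan 00:11:22:33:44:55 00:aa:bb:cc:dd:ee
```

The generated INPUT rule for protocol 89 is deliberately placed before the jump into the MAC chain, so ordering is what makes the exemption work. If the same thing is expressed in Shorewall's own rules file instead, a MAC in the SOURCE column is written with a tilde prefix and hyphens (for example `~00-11-22-33-44-55`), and the per-protocol ACCEPT rules or an action built from them replace the hand-written chain above.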
On Sun, 2008-07-13 at 21:20 -0700, Tom Eastep wrote:
>
> Use the rules file

Yeah. The more I thought about it, the more I wondered what the use-case for the maclist file was given that the rules file could handle it -- or so it seemed at first glance.

> you might find it more convenient to define an action
> that accepts traffic from the approved MACs and then apply that action to
> the protocols that the hosts are allowed to use.

Hrm. Well, generally, it's an all-or-none. Some hosts are allowed all outbound (i.e. forward) traffic they care to send, others are allowed none (but should be allowed to do OSPF *to* the firewall).

But yeah, rules file seems like a better option.

b.
Brian J. Murrell wrote:
> On Sun, 2008-07-13 at 21:20 -0700, Tom Eastep wrote:
>> Use the rules file
>
> Yeah. The more I thought about it, the more I wondered what the
> use-case for the maclist file was given that the rules file could handle
> it -- or so it seemed at first glance.
>

MAC validation in the rules file is awkward to do in the general case without user-defined actions; those came along well after the maclist file was invented.

Of course, given the ease with which MAC addresses can be spoofed, one might wonder "Why do MAC validation at all?".

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
On Mon, 2008-07-14 at 11:51 -0700, Tom Eastep wrote:
>
> MAC validation in the rules file is awkward to do in the general case
> without user-defined actions; those came along well after the maclist file
> was invented.

I see.

> Of course, given the ease with which MAC addresses can be spoofed, one might
> wonder "Why do MAC validation at all?".

Indeed.

Cheers,
b.