Hi,

I couldn't find something to my problem in the doc or at the list, so maybe you have the hints I'm looking for ;-)

Sometimes some of our students unplug the student computers or printers and use the IP numbers for their own notebook. :-(

I was thinking about a feature that allows me to check the MAC addresses of devices which try to access the firewall/internet....

AFAIK I can set up rules for MAC addresses, but would this be a lot of work for 150 computers :-).

So is there a chance to put all allowed MAC addresses in one file, which will be parsed and allows connections? (I can get the MAC addresses from my system database; o.K. I could also generate the rules like this, but would this be a loooong rule file....)

Thanks for any hint

cu...

...Götz

-- 
Götz Reinicke
IT Koordinator - IT OfficeNet
Tel. +49 (0) 7141 - 969 420
Fax +49 (0) 7141 - 969 55 420
goetz.reinicke@filmakademie.de
Filmakademie Baden-Württemberg
Mathildenstr. 20
71638 Ludwigsburg
www.filmakademie.de
Hello Götz,

Götz Reinicke wrote:
> Hi,
>
> I couldn't find something to my problem in the doc or at the list, so
> maybe you have the hints I'm looking for ;-)
>
> Sometimes some of our students unplug the student computers or printers
> and use the IP numbers for their own notebook. :-(
>
> I was thinking about a feature that allows me to check the MAC addresses
> of devices which try to access the firewall/internet....
>
> AFAIK I can set up rules for MAC addresses, but would this be a lot of
> work for 150 computers :-).
>
> So is there a chance to put all allowed MAC addresses in one file, which
> will be parsed and allows connections? (I can get the MAC addresses
> from my system database; o.K. I could also generate the rules like this,
> but would this be a loooong rule file....)
>
> Thanks for any hint

There is currently no way to do this other than with rules. You are not the first person to request such a facility and I'm thinking about something like the following:

a) A new 'maclist' interface option in /etc/shorewall/interfaces.

b) A new 'maclist' file with columns:

   #INTERFACE MAC IP-Address (Optional)

New connection requests from an interface with 'maclist' set would be validated against the maclist file and the request rejected if there wasn't a match. There would probably be a MACLIST_LOG_LEVEL variable in shorewall.conf to control logging of these rejections.

Sound like what you want?

-Tom

-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Götz Reinicke wrote:
> Hi Tom,
>
> Tom Eastep wrote:
>
>> <...>
>>
>> There is currently no way to do this other than with rules. You are not
>> the first person to request such a facility and I'm thinking about
>> something like the following:
>>
>> a) A new 'maclist' interface option in /etc/shorewall/interfaces.
>> b) A new 'maclist' file with columns:
>>
>> #INTERFACE MAC IP-Address (Optional)
>>
>> New connection requests from an interface with 'maclist' set would be
>> validated against the maclist file and the request rejected if there
>> wasn't a match. There would probably be a MACLIST_LOG_LEVEL variable in
>> shorewall.conf to control logging of these rejections.
>>
>> Sound like what you want?
>> -Tom
>
>
> I think so. :-)
>

The current Shorewall CVS tree contains the change described above. There are two additions:

a) Any interface configured with 'maclist' must be up before Shorewall starts. I don't like this restriction but MAC address matching doesn't work when the firewall receives its own broadcasts!!?? :-(

b) There is a MACLIST_DISPOSITION variable in shorewall.conf to determine the fate of connection requests that don't match any of the entries in /etc/shorewall/maclist. Allowed values are REJECT, ACCEPT and DROP.

-Tom

-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
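As an added illustration (not Shorewall's own code), this Python script emulates the check the thread describes: it parses a maclist in the INTERFACE / MAC / optional IP-Address layout Tom proposes and decides a connection request's fate, ACCEPTing a match and otherwise applying MACLIST_DISPOSITION. The sample entries and interface names are constructed, and the assumption that a listed IP must equal the request's source IP is mine.

```python
import ipaddress
import re

# Constructed sample in the column layout described in the thread:
# INTERFACE, MAC and an optional IP address; '#' starts a comment.
SAMPLE_MACLIST = """\
#INTERFACE MAC               IP-Address (Optional)
eth1       00:11:22:33:44:55 192.168.1.10   # lab PC, IP pinned
eth1       00:11:22:33:44:56                # printer, any IP
eth2       AA:BB:CC:DD:EE:FF 192.168.2.20
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def parse_maclist(text):
    """Return {(interface, mac): ip_or_None}; malformed lines raise ValueError."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) not in (2, 3):
            raise ValueError(f"maclist line {lineno}: expected 2 or 3 columns")
        iface, mac = parts[0], parts[1].lower()
        if not MAC_RE.match(mac):
            raise ValueError(f"maclist line {lineno}: bad MAC address {parts[1]!r}")
        ip = ipaddress.ip_address(parts[2]) if len(parts) == 3 else None
        entries[(iface, mac)] = ip
    return entries


def check_connection(entries, iface, mac, src_ip, disposition="REJECT"):
    """Emulate the proposed check: a new connection on iface is ACCEPTed only
    if (iface, mac) is listed and, when an IP is given, the source IP matches;
    otherwise MACLIST_DISPOSITION (REJECT, ACCEPT or DROP) decides its fate."""
    if disposition not in ("REJECT", "ACCEPT", "DROP"):
        raise ValueError("MACLIST_DISPOSITION must be REJECT, ACCEPT or DROP")
    key = (iface, mac.lower())
    if key in entries:
        pinned = entries[key]
        if pinned is None or pinned == ipaddress.ip_address(src_ip):
            return "ACCEPT"
    return disposition


if __name__ == "__main__":
    table = parse_maclist(SAMPLE_MACLIST)
    print(check_connection(table, "eth1", "00:11:22:33:44:55", "192.168.1.10"))  # ACCEPT
    print(check_connection(table, "eth1", "00:11:22:33:44:55", "192.168.1.99"))  # REJECT
```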