Ok... Next problem ;) The firewall works great... Now, I have a wireless
card in here, so I need MAC authentication to keep the neighbors out of my
LAN... So, I add maclist to the end of the line in interfaces, as such:
net eth0 detect norfc1918,filterping,blacklist
loc eth1 detect dhcp,filterping
dmz eth2 detect dhcp,filterping
kids eth3 detect dhcp,filterping,maclist
Then I add this to maclist:
eth3 00:40:96:33:a7:9e
eth3 00:60:1d:23:7e:b2
And I get:
+ eval varval=$options
+ varval=dhcp,filterping,maclist
+ eval options="dhcp,filterping,maclist"
+ options=dhcp,filterping,maclist
+ shift
+ [ 0 -gt 0 ]
+ separate_list dhcp,filterping,maclist
+ echo dhcp,filterping,maclist
+ sed s/,/ /g
+ list_search maclist dhcp filterping maclist
+ local e=maclist
+ [ 4 -gt 1 ]
+ shift
+ [ xmaclist = xdhcp ]
+ [ 3 -gt 1 ]
+ shift
+ [ xmaclist = xfilterping ]
+ [ 2 -gt 1 ]
+ shift
+ [ xmaclist = xmaclist ]
+ return 0
+ expand eth3
+ eval echo "eth3"
+ echo eth3
+ echo eth3:0.0.0.0/0
+ read ignore interface ignore1 options
+ maclist_hosts=eth3:0.0.0.0/0
+ [ -n eth3:0.0.0.0/0 ]
+ setup_mac_lists
+ local interface
+ local mac
+ local addresses
+ local address
+ local chain
+ local logpart
+ local macpart
+ local blob
+ local hosts
+ maclist_interfaces=
+ interface=eth3
+ list_search eth3
+ local e=eth3
+ [ 1 -gt 1 ]
+ return 1
+ [ -z ]
+ maclist_interfaces=eth3
+ echo Setting up MAC Verification on eth3...
+ mac_chain eth3
+ chain_base eth3
+ local c=eth3
+ echo eth3
+ echo eth3_mac
+ createchain eth3_mac no
+ run_iptables -N eth3_mac
+ echo -N eth3_mac
+ sed s/!/! /g
+ iptables -N eth3_mac
+ [ 2 -eq 1 ]
+ eval eth3_mac_exists=Yes
+ eth3_mac_exists=Yes
+ strip_file maclist
+ local fname
+ [ 1 = 1 ]
+ find_file maclist
+ [ -n -a -f /maclist ]
+ echo /etc/shorewall/maclist
+ fname=/etc/shorewall/maclist
+ [ -f /etc/shorewall/maclist ]
+ cut -d# -f1 /etc/shorewall/maclist
+ grep -v ^[[:space:]]*$
+ read interface mac addresses
+ expandv interface mac addresses
+ local varval
+ [ 3 -gt 0 ]
+ eval varval=$interface
+ varval=eth3
+ eval interface="eth3"
+ interface=eth3
+ shift
+ [ 2 -gt 0 ]
+ eval varval=$mac
+ varval=00:40:96:33:a7:9e
+ eval mac="00:40:96:33:a7:9e"
+ mac=00:40:96:33:a7:9e
+ shift
+ [ 1 -gt 0 ]
+ eval varval=$addresses
+ varval+ eval addresses=""
+ addresses+ shift
+ [ 0 -gt 0 ]
+ mac_chain eth3
+ chain_base eth3
+ local c=eth3
+ echo eth3
+ echo eth3_mac
+ chain=eth3_mac
+ havechain eth3_mac
+ eval test "$eth3_mac_exists" = Yes
+ test Yes = Yes
+ mac_match 00:40:96:33:a7:9e
+ echo 00:40:96:33:a7:9e
+ sed s/~//;s/-/:/g
+ echo --match mac --mac-source 00:40:96:33:a7:9e
+ macpart=--match mac --mac-source 00:40:96:33:a7:9e
+ [ -z ]
+ run_iptables -A eth3_mac --match mac --mac-source 00:40:96:33:a7:9e -j RETURN
+ echo -A eth3_mac --match mac --mac-source 00:40:96:33:a7:9e -j RETURN
+ sed s/!/! /g
+ iptables -A eth3_mac --match mac --mac-source 00:40:96:33:a7:9e -j RETURN
iptables: No chain/target/match by that name
I looked through the FAQ and the errata and found nothing... Ideas?
---
Homer Parker /"\ ASCII Ribbon Campaign
\ / No HTML/RTF in email
http://www.homershut.net x No Word docs in email
telnet://bbs.homershut.net / \ Respect for open standards
This e-mail message is 100% Microsoft free!
WARNING: THIS ACCOUNT BELONGS TO A RABID
ANTI-SPAMMER NET-NAZI DOT-COMMUNIST!!
--On Saturday, December 28, 2002 11:07 PM -0600 Homer Parker <hparker@homershut.net> wrote:

> + iptables -A eth3_mac --match mac --mac-source 00:40:96:33:a7:9e -j RETURN
> iptables: No chain/target/match by that name

Looks like your kernel doesn't have MAC match support.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.sf.net
Washington USA \ teastep@shorewall.net
On Sun, 29 Dec 2002 05:56:19 -0800 Tom Eastep <teastep@shorewall.net> wrote:

> --On Saturday, December 28, 2002 11:07 PM -0600 Homer Parker <hparker@homershut.net> wrote:
>
> > + iptables -A eth3_mac --match mac --mac-source 00:40:96:33:a7:9e -j RETURN
> > iptables: No chain/target/match by that name
>
> Looks like your kernel doesn't have MAC match support.

Not sure, Bering 1.0 Stable... With 2.4.18, not the updated 2.4.20...

---
Homer Parker
--On Sunday, December 29, 2002 11:52:16 AM -0600 Homer Parker <hparker@homershut.net> wrote:

Try this test:

iptables -N foo
iptables -A foo --match mac --mac-source 00:40:96:33:a7:9e -j ACCEPT

If that doesn't work then you DON'T have mac match support. I might be modularized in which case the module name will be ipt_mac.o.

-Tom
--On Sunday, December 29, 2002 10:06:27 AM -0800 Tom Eastep <teastep@shorewall.net> wrote:

> If that doesn't work then you DON'T have mac match support. I might be
> modularized in which case the module name will be ipt_mac.o.

Sigh -- make that "It might be modularized..."

-Tom
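The two-line test Tom gives above, turned into a self-cleaning script. This is an added example by the editor, not Shorewall code and not something posted in the thread: it creates a scratch chain (assumed name macprobe_tmp), tries one --mac-source rule with a made-up MAC, always deletes the chain again, and classifies the iptables error text so that "No chain/target/match by that name" (no mac match in the kernel) is told apart from the probe simply not being able to run (not root, no iptables). If the match is missing it tries modprobe for ipt_mac (the 2.4 module name Tom mentions) and for xt_mac (the name on 2.6 and later kernels) before giving up. IPTABLES and MODPROBE can be pointed at shell functions so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example (not Shorewall code): probe whether iptables on this box can
# match on source MAC, i.e. whether the `--match mac` extension Shorewall's
# maclist feature relies on is present in the kernel.
#
# IPTABLES and MODPROBE default to the real binaries but can be pointed at
# shell functions, so the logic can be exercised without root or a kernel.
IPTABLES="${IPTABLES:-iptables}"
MODPROBE="${MODPROBE:-modprobe}"
# Scratch chain for the probe; assumed not to exist on the host already.
PROBE_CHAIN="${PROBE_CHAIN:-macprobe_tmp}"
# Any well-formed MAC will do; this one is made up for the probe.
PROBE_MAC="00:11:22:33:44:55"

# mac_match_probe: create the scratch chain, try to append one --mac-source
# rule to it, then delete the chain again (same idea as the `iptables -N foo`
# / `iptables -A foo --match mac ...` test in the thread). Return codes:
#   0  the mac match works
#   1  iptables said "No chain/target/match by that name": the mac match is
#      not available (ipt_mac / xt_mac not loaded, or not built at all)
#   2  the probe could not run at all (not root, no iptables binary, ...)
mac_match_probe() {
    if ! probe_err=$("$IPTABLES" -N "$PROBE_CHAIN" 2>&1); then
        echo "probe: cannot create chain $PROBE_CHAIN: $probe_err"
        return 2
    fi
    if probe_err=$("$IPTABLES" -A "$PROBE_CHAIN" --match mac \
                   --mac-source "$PROBE_MAC" -j ACCEPT 2>&1); then
        probe_rc=0
    else
        probe_rc=$?
    fi
    # Always remove the scratch chain, whatever the rule did.
    "$IPTABLES" -F "$PROBE_CHAIN" >/dev/null 2>&1 || true
    "$IPTABLES" -X "$PROBE_CHAIN" >/dev/null 2>&1 || true
    if [ "$probe_rc" -eq 0 ]; then
        echo "mac match: supported"
        return 0
    fi
    case "$probe_err" in
        *"No chain/target/match by that name"*)
            echo "mac match: not available ($probe_err)"
            return 1 ;;
        *)
            echo "mac match: probe failed ($probe_err)"
            return 2 ;;
    esac
}

# ensure_mac_match: probe; if the match is reported missing, try loading the
# match module (ipt_mac on the 2.4 kernels discussed in the thread, xt_mac on
# 2.6 and later) and probe once more. Returns 0 on success, 1 if the match is
# still missing, 2 if the probe itself cannot run.
ensure_mac_match() {
    ensure_rc=0
    mac_match_probe || ensure_rc=$?
    [ "$ensure_rc" -eq 1 ] || return "$ensure_rc"
    for mod in ipt_mac xt_mac; do
        if "$MODPROBE" "$mod" >/dev/null 2>&1; then
            echo "loaded $mod, probing again"
            if mac_match_probe; then
                return 0
            fi
        fi
    done
    echo "mac match still unavailable: the kernel needs CONFIG_IP_NF_MATCH_MAC (built in or as a module)"
    return 1
}

# Run the check when invoked directly as `sh macprobe.sh --run` (needs root).
case "${1-}" in
    --run) ensure_mac_match ;;
esac
```

Run it as root with `--run` on the firewall itself. A result of 1 after both modprobe attempts means what Tom diagnosed: the running kernel was built without the MAC match, and loading modules cannot help; the kernel (or, for Bering, the kernel package) has to be replaced with one that has it.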
On Sun, 29 Dec 2002 10:09:46 -0800 Tom Eastep <teastep@shorewall.net> wrote:

> --On Sunday, December 29, 2002 10:06:27 AM -0800 Tom Eastep <teastep@shorewall.net> wrote:
>
> > If that doesn't work then you DON'T have mac match support. I might be
> > modularized in which case the module name will be ipt_mac.o.
>
> Sigh -- make that "It might be modularized..."

Well, whichever of you is modularized, that was the fix ;) Thanks!!! My 3 NIC 1 WiFi firewall is now doing everything I wanted it to do! ;) Thanks for a great product and top notch support!!

---
Homer Parker