Hello,

Thank you for your great firewall, I've been running it for some time now and I'm really satisfied.

I have Shorewall 1.4.8 running on Debian (kernel 2.6.1). I would like to make a DNAT rule and I want it to be accessible only from a certain MAC address outside my network, because the IP is dynamic and I can't rely on it. I've searched the forum and read the doc, but can't find the exact answer.

I'm currently adding this line to /etc/shorewall/rules

DNAT net:~00-05-C2-55-31-EF loc:10.0.2.28 tcp 1111

after restarting the firewall no error messages occur and I see

Rule "DNAT net:~00-05-C2-55-31-EF loc:10.0.2.28 tcp 1111" added.

...but this doesn't work. If I delete the MAC or replace it with an IP, it works fine. Can you please tell me what could be the problem and the solutions to my problem.

thanks in advance,
marko
marko wrote:
> Hello,
>
> Thank you for your great firewall, I've been running it for some time now and I'm really satisfied.
>
> I have Shorewall 1.4.8 running on Debian (kernel 2.6.1). I would like to make a DNAT rule and I want it to be
> accessible only from a certain MAC address outside my network, because the IP is dynamic and I can't rely on
> it. I've searched the forum and read the doc, but can't find the exact answer.
>
> I'm currently adding this line to /etc/shorewall/rules
>
> DNAT net:~00-05-C2-55-31-EF loc:10.0.2.28 tcp 1111
>
> after restarting the firewall no error messages occur and I see
>
> Rule "DNAT net:~00-05-C2-55-31-EF loc:10.0.2.28 tcp 1111" added.
>
> ...but this doesn't work. If I delete the MAC or replace it with an IP, it works fine. Can you please tell me what
> could be the problem and the solutions to my problem.

Is the host that you are trying to allow DNAT for on the same network as your system? If not, then you can't use its MAC address in your configuration.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
From: "marko"
> I have Shorewall 1.4.8 running on Debian (kernel 2.6.1). I would like to make a DNAT rule and I want it to be
> accessible only from a certain MAC address outside my network, because the IP is dynamic and I can't rely on
> it. I've searched the forum and read the doc, but can't find the exact answer.

Hi Marko..

Since no-one has responded to such an easy question I will attempt to turn the light on. Correct me if I'm wrong.

Example:

PC A(eth0)---> Eth1..Shorewall Gateway..Eth0 --->Cable/DSL modem-->ISP-->Internet_Cloud-->Remote PC B (with dynamic IP)

To make a long story short... The only MAC addresses that PC A will ever be aware of are the ones within the same physical network/subnetwork (or the same ethernet segment, if you're using ethernet). Any device that PC A needs to communicate with beyond its local LAN will send all packets to its default gateway, where the IP routing process takes over. Basically PC A's MAC address will never be used/seen beyond PC A's default gateway routing device.

In short, when Shorewall receives a packet From: PC A To: Remote PC B, it will strip out PC A's MAC and replace it with its own and forward/route this to the upstream routing device on the same Eth0 network as Shorewall in Shorewall's routing table. Then that device will do the same.. on-and-on-and-on..

That's the short quick and dirty explanation... Maybe this slipped your mind. If this still doesn't make sense then a simple googling on "ip routing process explained" should give you plenty of explanations..

HTH's,
Joshua Banks
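The point Tom and Joshua are making (a MAC address is only visible on the firewall's own Ethernet segment, so a `~mac` qualifier in a zone reached through a router can never match the intended host) can be turned into a quick config check. The script below is an added example written for this thread, not Shorewall's own code: it parses lines in the /etc/shorewall/rules column layout (ACTION SOURCE DEST PROTO DEST PORT), recognises the hyphenated `zone:~xx-xx-xx-xx-xx-xx` source form used in marko's rule, and reports every MAC-qualified rule whose zone is not in a caller-supplied set of directly attached zones. The sample rules file, the assumption that `loc` and `fw` are directly attached while `net` sits behind the ISP, and the 203.0.113.7 address are all constructed for the example; rules with interface-qualified sources (`zone:iface:addr`) are outside what it handles.

```python
"""Flag MAC-qualified Shorewall rules whose source zone is not directly attached.

Added example for this thread, not Shorewall's own code.  The column layout
follows /etc/shorewall/rules (ACTION SOURCE DEST PROTO DEST PORT ...); the
'~' MAC-qualifier syntax is the one marko used.  Which zones sit on the
firewall's own Ethernet segments is an assumption passed in by the caller.
"""
import re

# Shorewall writes MAC qualifiers with hyphens, e.g. ~00-05-C2-55-31-EF
MAC_RE = re.compile(r"~([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})$")

# Constructed sample rules file.  Only the first DNAT line comes from the
# thread; the other lines and 203.0.113.7 are made up for the example.
SAMPLE_RULES = """\
# ACTION  SOURCE                   DEST           PROTO  DEST PORT
DNAT      net:~00-05-C2-55-31-EF   loc:10.0.2.28  tcp    1111
DNAT      net:203.0.113.7          loc:10.0.2.28  tcp    1111
ACCEPT    loc:~00-11-22-33-44-55   fw             tcp    22
ACCEPT    loc:10.0.2.0/24          net            tcp    80
"""


def parse_rules(text):
    """Yield (lineno, action, source, dest, rest) for each non-comment rule line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        cols = line.split()
        if len(cols) < 3:                     # ACTION SOURCE DEST is the minimum
            continue
        yield lineno, cols[0], cols[1], cols[2], cols[3:]


def split_source(source):
    """Split 'zone:qualifier' into (zone, qualifier-or-None)."""
    zone, _, qual = source.partition(":")
    return zone, (qual or None)


def mac_qualifier(qual):
    """Return the MAC address if the qualifier is a '~' MAC match, else None."""
    if qual is None:
        return None
    m = MAC_RE.match(qual)
    return m.group(1) if m else None


def find_unreachable_mac_rules(text, attached_zones):
    """Return (lineno, zone, mac) for every rule that matches on a MAC in a
    zone that is not directly attached.  Frames from a host behind any router
    arrive carrying the router's MAC, so the rule can never match that host."""
    findings = []
    for lineno, _action, source, _dest, _rest in parse_rules(text):
        zone, qual = split_source(source)
        mac = mac_qualifier(qual)
        if mac and zone not in attached_zones:
            findings.append((lineno, zone, mac))
    return findings


if __name__ == "__main__":
    # Assumption for the demo: 'loc' and 'fw' are on the firewall's own
    # segments, 'net' is reached through the cable/DSL modem and the ISP.
    for lineno, zone, mac in find_unreachable_mac_rules(SAMPLE_RULES, {"loc", "fw"}):
        print(f"rules line {lineno}: MAC {mac} in zone '{zone}' is behind a router; "
              f"the firewall only sees the next-hop MAC, so match on an IP instead")
```

Run against the sample, the checker reports only the `net:~00-05-C2-55-31-EF` rule; the `loc:~00-11-22-33-44-55` rule is left alone because `loc` is on a directly attached segment, which is exactly the distinction Tom asked about.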
Joshua Banks wrote:
>
> Hi Marko.. Since no-one has responded to such an easy question

Actually, I responded asking if the host was on the same network as the firewall. Your response makes it obvious why I was asking :-)

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net