Hello there. I've run into an issue with MAC address filtering. Before that, I would like to explain what my network looks like. This box serves up to four network cards: eth0 is 192.168.100.1, eth1 is 192.168.11.254, eth2 is 192.168.13.254 and eth3 is 192.168.15.254.

As mentioned in the docs, I have inserted the maclist option in /etc/shorewall/interfaces, configured /etc/shorewall/shorewall.conf to enable logging and disposition, and inserted this line into the maclist:

eth1 00:0C:76:94:7B:E6

Then I restarted Shorewall and it started to block all those unrelated packets as well... but the thing is, I can't see the MAC address mentioned above being blocked. Any idea? Replies are appreciated. Thanks again.

Brian
Diamond King wrote:
> Hello there. I've run into an issue with MAC address filtering. Before that, I would like to explain what my network looks like. This box serves up to four network cards: eth0 is 192.168.100.1, eth1 is 192.168.11.254, eth2 is 192.168.13.254 and eth3 is 192.168.15.254.
>
> As mentioned in the docs, I have inserted the maclist option in /etc/shorewall/interfaces, configured /etc/shorewall/shorewall.conf to enable logging and disposition, and inserted this line into the maclist:
>
> eth1 00:0C:76:94:7B:E6

And that MAC address belongs to some host on the physical network connected to eth1, correct?

> Then I restarted Shorewall and it started to block all those unrelated packets as well...

What does that mean???? Unrelated to what?

> but the thing is, I can't see the MAC address mentioned above being blocked.

What do you mean "You can't see it"? Do you mean that you are not seeing that MAC showing up in your logs?

-Tom
-- 
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Hello there again. Sorry for the question; I did not provide clear information. Anyway, I will try to explain it in a much clearer form this time.

> And that MAC address belongs to some host on the physical network connected to eth1, correct?

Yes, and the IP of that MAC address is 192.168.11.251.

> What does that mean???? Unrelated to what?

Right after I enabled the maclist in /etc/shorewall/interfaces and restarted the firewall, I saw quite a number of log entries, which are shown below (note that the lines shown are an excerpt from the logfile):

Jul 26 11:27:27 slayer kernel: Shorewall:eth1_mac:DROP:IN=eth1 OUT= MAC=00:0d:88:7e:9a:06:00:05:5d:7a:4e:b6:08:00 SRC=192.168.11.134 DST=192.168.11.254 LEN=161 TOS=0x00 PREC=0x00 TTL=1 ID=58831 PROTO=UDP SPT=58500 DPT=1900 LEN=141
Jul 26 11:27:27 slayer kernel: Shorewall:eth1_mac:DROP:IN=eth1 OUT=eth0 SRC=192.168.11.137 DST=202.188.0.133 LEN=64 TOS=0x00 PREC=0x00 TTL=127 ID=52568 PROTO=UDP SPT=1101 DPT=53 LEN=44
Jul 26 11:27:27 slayer kernel: Shorewall:eth1_mac:DROP:IN=eth1 OUT=eth0 SRC=192.168.11.137 DST=202.188.1.5 LEN=64 TOS=0x00 PREC=0x00 TTL=127 ID=52569 PROTO=UDP SPT=1101 DPT=53 LEN=44
Jul 26 11:27:27 slayer kernel: Shorewall:eth1_mac:DROP:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0d:88:33:e3:14:08:00 SRC=192.168.11.27 DST=192.168.11.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=38 PROTO=UDP SPT=137 DPT=137 LEN=58
....
Jul 26 11:27:32 slayer kernel: Shorewall:eth1_mac:DROP:IN=eth1 OUT= MAC=00:0d:88:7e:9a:06:00:01:2e:08:9f:b5:08:00 SRC=192.168.11.47 DST=192.168.11.254 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=49084 DF PROTO=TCP SPT=4938 DPT=3128 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 26 11:27:32 slayer kernel: Shorewall:eth1_mac:DROP:IN=eth1 OUT= MAC=00:0d:88:7e:9a:06:00:01:2e:08:9f:b5:08:00 SRC=192.168.11.47 DST=192.168.11.254 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=49085 DF PROTO=TCP SPT=3599 DPT=3128 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 26 11:27:32 slayer kernel: Shorewall:eth1_mac:DROP:IN=eth1 OUT= MAC=00:0d:88:7e:9a:06:00:01:2e:08:9f:b5:08:00 SRC=192.168.11.47 DST=192.168.11.254 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=49086 DF PROTO=TCP SPT=3598 DPT=3128 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 26 11:27:32 slayer kernel: Shorewall:eth1_mac:DROP:IN=eth1 OUT= MAC=00:0d:88:7e:9a:06:00:01:2e:08:9f:b5:08:00 SRC=192.168.11.47 DST=192.168.11.254 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=49087 DF PROTO=TCP SPT=3597 DPT=3128 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 26 11:27:32 slayer kernel: Shorewall:eth1_mac:DROP:IN=eth1 OUT= MAC=00:0d:88:7e:9a:06:00:01:2e:08:9f:b5:08:00 SRC=192.168.11.47 DST=192.168.11.254 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=49088 DF PROTO=TCP SPT=3596 DPT=3128 WINDOW=64240 RES=0x00 SYN URGP=0
.....

I supposed that I should have seen 192.168.11.251 inside the log, or the MAC address that was listed in /etc/shorewall/maclist. Thanks for your time.

Brian
Diamond King wrote:
> Hello there again. Sorry for the question; I did not provide clear information. Anyway, I will try to explain it in a much clearer form this time.
>
>> And that MAC address belongs to some host on the physical network connected to eth1, correct?
>
> Yes, and the IP of that MAC address is 192.168.11.251.

Please forward the output of "shorewall show eth1_mac" as an attachment.

Thanks,
-Tom
-- 
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Tom Eastep wrote:
> Diamond King wrote:
>
>> Hello there again. Sorry for the question; I did not provide clear information. Anyway, I will try to explain it in a much clearer form this time.
>>
>>> And that MAC address belongs to some host on the physical network connected to eth1, correct?
>>
>> Yes, and the IP of that MAC address is 192.168.11.251.
>
> Please forward the output of "shorewall show eth1_mac" as an attachment.
> Thanks,

Maybe we can solve this another way -- your initial post said that you put this entry in /etc/shorewall/maclist:

eth1 00:0C:76:94:7B:E6

You do realize that this means that you want to *ACCEPT* traffic from that MAC through eth1, right?

The setting of MACLIST_DISPOSITION in /etc/shorewall/shorewall.conf determines what happens to traffic that is *not* from the addresses listed in /etc/shorewall/maclist -- from the log messages you forwarded, it looks like MACLIST_DISPOSITION=DROP

Possibly, what you really want is a DROP rule in /etc/shorewall/rules that drops (and possibly logs) traffic from that host:

DROP:info z:~00-0C-76-94-7B-E6 all

where 'z' is the zone corresponding to eth1.

-Tom
-- 
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Tom Eastep wrote:
> Maybe we can solve this another way -- your initial post said that you put this entry in /etc/shorewall/maclist:
>
> eth1 00:0C:76:94:7B:E6
>
> You do realize that this means that you want to *ACCEPT* traffic from that MAC through eth1, right?
>
> The setting of MACLIST_DISPOSITION in /etc/shorewall/shorewall.conf determines what happens to traffic that is *not* from the addresses listed in /etc/shorewall/maclist -- from the log messages you forwarded, it looks like MACLIST_DISPOSITION=DROP
>
> Possibly, what you really want is a DROP rule in /etc/shorewall/rules that drops (and possibly logs) traffic from that host:
>
> DROP:info z:~00-0C-76-94-7B-E6 all
>
> where 'z' is the zone corresponding to eth1.

And note that you can also blacklist by MAC address:

/etc/shorewall/blacklist:

~00-0C-76-94-7B-E6

And set the 'blacklist' option on eth1 in /etc/shorewall/interfaces.

-Tom
-- 
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
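The confusion in this thread (the listed MAC is the one that is *accepted*, so it never shows up in the DROP log) can be checked mechanically against the log excerpt Brian posted. The script below is an added example, not code from the thread or from the Shorewall project: it parses Shorewall/netfilter kernel log lines, splits the 14-byte MAC= field into destination MAC, source MAC and EtherType, tallies dropped source MACs in the eth1_mac chain, and applies a deliberately simplified model of the maclist semantics Tom describes (a MAC listed for an interface is ACCEPTed, everything else gets MACLIST_DISPOSITION; the optional IP column and per-entry dispositions of the real maclist file are ignored). The sample log lines are constructed from the excerpt in the thread, with the "OUT= MAC=" field layout as the kernel writes it.

```python
import re
from collections import Counter

# Constructed sample, modelled on the Shorewall kernel log excerpt posted in
# this thread. The kernel writes "OUT= MAC=..." (empty OUT, then the MAC field).
SAMPLE_LOG = """\
Jul 26 11:27:27 slayer kernel: Shorewall:eth1_mac:DROP:IN=eth1 OUT= MAC=00:0d:88:7e:9a:06:00:05:5d:7a:4e:b6:08:00 SRC=192.168.11.134 DST=192.168.11.254 LEN=161 TOS=0x00 PREC=0x00 TTL=1 ID=58831 PROTO=UDP SPT=58500 DPT=1900 LEN=141
Jul 26 11:27:27 slayer kernel: Shorewall:eth1_mac:DROP:IN=eth1 OUT=eth0 SRC=192.168.11.137 DST=202.188.0.133 LEN=64 TOS=0x00 PREC=0x00 TTL=127 ID=52568 PROTO=UDP SPT=1101 DPT=53 LEN=44
Jul 26 11:27:27 slayer kernel: Shorewall:eth1_mac:DROP:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0d:88:33:e3:14:08:00 SRC=192.168.11.27 DST=192.168.11.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=38 PROTO=UDP SPT=137 DPT=137 LEN=58
Jul 26 11:27:32 slayer kernel: Shorewall:eth1_mac:DROP:IN=eth1 OUT= MAC=00:0d:88:7e:9a:06:00:01:2e:08:9f:b5:08:00 SRC=192.168.11.47 DST=192.168.11.254 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=49084 DF PROTO=TCP SPT=4938 DPT=3128 WINDOW=64240 RES=0x00 SYN URGP=0
"""

# Simplified model of /etc/shorewall/maclist: (INTERFACE, MAC) pairs. Listed
# MACs are ACCEPTed; any other source MAC on that interface gets the
# disposition. (Assumption: the optional IP column is ignored here.)
MACLIST = [("eth1", "00:0C:76:94:7B:E6")]
MACLIST_DISPOSITION = "DROP"

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[A-Z]+):(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Parse one Shorewall kernel log line into a dict of its fields.

    The MAC= field is 14 colon-separated bytes: destination MAC (6), source
    MAC (6) and EtherType (2). Forwarded packets may carry no MAC field.
    Returns None for lines that are not Shorewall log entries.
    """
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {"chain": m.group("chain"), "disposition": m.group("disp")}
    for key, val in KV_RE.findall(m.group("rest")):
        fields.setdefault(key, val)  # keep the first LEN (IP total length)
    octets = fields.get("MAC", "").split(":")
    if len(octets) == 14:
        fields["DST_MAC"] = ":".join(octets[0:6])
        fields["SRC_MAC"] = ":".join(octets[6:12])
        fields["ETHERTYPE"] = "".join(octets[12:14])
    return fields


def maclist_verdict(iface, src_mac, maclist=MACLIST, disposition=MACLIST_DISPOSITION):
    """Verdict for a frame arriving on iface from src_mac under the maclist model."""
    allowed = {mac.lower() for i, mac in maclist if i == iface}
    return "ACCEPT" if src_mac.lower() in allowed else disposition


def dropped_source_macs(log_text, chain="eth1_mac"):
    """Count DROP entries in the given maclist chain, keyed by source MAC."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and f["chain"] == chain and f["disposition"] == "DROP" and "SRC_MAC" in f:
            counts[f["SRC_MAC"]] += 1
    return counts


def mac_seen_in_drops(log_text, mac, chain="eth1_mac"):
    """True if the given MAC appears as a dropped source in the chain's log."""
    return mac.lower() in dropped_source_macs(log_text, chain)


if __name__ == "__main__":
    for src, n in dropped_source_macs(SAMPLE_LOG).items():
        print(f"{src}  dropped {n}x  maclist verdict: {maclist_verdict('eth1', src)}")
    listed = MACLIST[0][1]
    # The listed MAC is accepted, so it never appears in the DROP log.
    print(f"{listed} in drop log: {mac_seen_in_drops(SAMPLE_LOG, listed)}")
```

Running it against the sample shows three distinct dropped source MACs (the hosts that are *not* in the maclist) and confirms that 00:0C:76:94:7B:E6 is absent from the drop log, which is exactly the observation that started the thread. On a live box the same parser can be pointed at the real logfile to see which hosts a new maclist is shutting out before the disposition is left at DROP.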
Dear Sir,

First of all, sorry for those previous emails. I was confused about how blacklist and maclist work. I thought that if we put all those MAC addresses into maclist, they would be blocked, just like the way blacklist works. I apologize for any inconvenience caused. Thanks a lot for your time. Bye!!

Brian

--- Tom Eastep <teastep@shorewall.net> wrote:
> And note that you can also blacklist by MAC address:
>
> /etc/shorewall/blacklist:
>
> ~00-0C-76-94-7B-E6
>
> And set the 'blacklist' option on eth1 in /etc/shorewall/interfaces.
>
> -Tom
Btw, will the server performance degrade if I enter about 300-400 MAC addresses in maclist?

Diamond King <mercyful_fated@yahoo.com> wrote:
> Dear Sir,
>
> First of all, sorry for those previous emails. I was confused about how blacklist and maclist work. I thought that if we put all those MAC addresses into maclist, they would be blocked, just like the way blacklist works. I apologize for any inconvenience caused. Thanks a lot for your time. Bye!!
>
> Brian

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
Diamond King wrote:
> Btw, will the server performance degrade if I enter about 300-400 MAC addresses in maclist?

Probably won't be noticeable since only outbound connection requests need to be checked against the list of addresses.

-Tom
-- 
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net