Hi,

I am using Shorewall in Adamantix. At the moment everything flows fine. My question is how I can filter access by computer MAC address. I have read the documentation; maybe I am 'stupid enough to spot the guide, if so please show me'.

What is the rules line if I want to
1. limit ~01-01-01-01-01-01,~02-02-02-02-02-02,~03-03-03-03-03-03-03 to access 202.202.202.202 only
2. others can access port 80,445,25

ACCEPT  loc:~01-01-01-01-01-01,~02-02-02-02-02-02,~03-03-03-03-03-03-03   202.202.202.202   tcp
ACCEPT  loc   net   -   80,445,25

I am

Thanks in advance
mynullvoid wrote:
| Hi,
|
| I am using Shorewall in Adamantix. At the moment everything flows fine. My question is how I can filter access by computer MAC address. I have read the documentation; maybe I am 'stupid enough to spot the guide, if so please show me'.
|
| What is the rules line if I want to
| 1. limit ~01-01-01-01-01-01,~02-02-02-02-02-02,~03-03-03-03-03-03-03 to access 202.202.202.202 only
| 2. others can access port 80,445,25
|
| ACCEPT  loc:~01-01-01-01-01-01,~02-02-02-02-02-02,~03-03-03-03-03-03-03   202.202.202.202   tcp
| ACCEPT  loc   net   -   80,445,25
|

ACCEPT  loc:~01-01-01-01-01-01,~02-02-02-02-02-02,~03-03-03-03-03-03-03 \
        net:202.202.202.202   all
REJECT  loc:~01-01-01-01-01-01,~02-02-02-02-02-02,~03-03-03-03-03-03-03 \
        net                   all
ACCEPT  loc                   net   tcp   80,445,25

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,      \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key  \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
| mynullvoid wrote:
| | What is the rules line if I want to
| | 1. limit ~01-01-01-01-01-01,~02-02-02-02-02-02,~03-03-03-03-03-03-03 to access 202.202.202.202 only
| | 2. others can access port 80,445,25
|
| ACCEPT  loc:~01-01-01-01-01-01,~02-02-02-02-02-02,~03-03-03-03-03-03-03 \
|         net:202.202.202.202   all
| REJECT  loc:~01-01-01-01-01-01,~02-02-02-02-02-02,~03-03-03-03-03-03-03 \
|         net                   all
| ACCEPT  loc                   net   tcp   80,445,25
|

BTW -- I suspect you want TCP port 443 (https) rather than 445 (microsoft-ds).

-Tom
I have tried it as in your guide, but my other clients are still able to access the Internet at any site. Attached are the rules files; FYI, I have loaded the kernel MAC module.

Please assist.

Tom Eastep <teastep@shorewall.net> wrote:
| BTW -- I suspect you want TCP port 443 (https) rather than 445 (microsoft-ds).
On Thursday 02 September 2004 02:28, mynullvoid wrote:
> I had tried as your guide but still my other client able to access the
> internet at any site. Attached is the rule files, FYI I had loaded the
> kernel mac module.
>
> Please assist.
>

I don't know what I can tell you from simply looking at your rules file.

a) I'm not at your site where I can see what the MAC addresses involved really are.

b) I cannot watch you while you test your rules to see if you are actually creating new connections or are simply reusing existing connections.

c) I cannot see the iptables rules that Shorewall is generating from your input ("shorewall status" output as an attachment would be helpful).

d) I cannot watch the packet counters in those rules to tell which rule is allowing the connections (but if you "shorewall reset" before testing then the "shorewall status" output will show that information).

-Tom
mynullvoid wrote:
| Ok, attached are two files: shorestatus is "shorewall
| status" and iplist is "iptables -L".

I've not forwarded your post to the list -- the shorestatus file is large and the iplist file is useless (it contains a subset of what is in shorestatus).

|
| I hope this would assist you in helping me and others
| that might have a similar problem to the one I am facing.
|

The MAC-based rules appear to be doing what you want. What I believe that you have overlooked is that you need to set the loc->net policy to REJECT rather than ACCEPT.

-Tom
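Putting Tom's rules together with the policy change he points to above gives the fragments below. This is an added example, not configuration from the thread or from the Shorewall project: it uses the TCP port 443 Tom suggested instead of 445, shortens the third address to the six octets a MAC address must have (as posted it has seven, which iptables' mac match will not accept), and assumes the Shorewall 2.x column layout that the rules in the thread use (policy: SOURCE DEST POLICY LOG LEVEL; rules: ACTION SOURCE DEST PROTO DEST PORT(S)). The weak policy line is shown commented out beside the corrected one.

```text
# /etc/shorewall/policy
#
# Weak: with an ACCEPT policy for loc->net, every connection that no rule
# matches is allowed, so the only thing the rules file restricts is the three
# listed MACs; everyone else reaches any site on any port.
#loc    net     ACCEPT

# Corrected: a connection from loc that no rule ACCEPTs is rejected (and logged).
loc     net     REJECT  info
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules
#
# Evaluated top to bottom; the first match decides.
# 1. The listed hosts may reach 202.202.202.202 on any protocol ...
ACCEPT  loc:~01-01-01-01-01-01,~02-02-02-02-02-02,~03-03-03-03-03-03 \
        net:202.202.202.202   all
# ... and nothing else on the Internet. This must come BEFORE the general
# web/mail rule, or the listed hosts would get port 80/443/25 anywhere.
REJECT  loc:~01-01-01-01-01-01,~02-02-02-02-02-02,~03-03-03-03-03-03 \
        net                   all
# 2. Everyone else in loc may reach HTTP, HTTPS and SMTP anywhere.
ACCEPT  loc                   net   tcp   80,443,25
```

Two checks a practitioner would want before relying on this. First, MAC matching only works for hosts on the Ethernet segment directly attached to the loc interface; a packet that arrives through an intermediate router carries that router's MAC, not the client's, and a client can change its own MAC at will, so this is access control for cooperative machines rather than against a determined user. Second, Shorewall rules apply to new connections, so after "shorewall restart" test with a fresh connection and, as Tom describes above, run "shorewall reset" first and read the per-rule packet counters in "shorewall status" to see which rule or policy actually accepted the traffic.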
mynullvoid wrote:
| Dear Tom Eastep,
|
| Thanks for the assistance. I will try to change the policy from loc ->
| inet to reject instead of accept.
|
| On the rules order, which one should be put first, reject or accept?

As clearly stated at the top of the rules file: "the rules are evaluated in the order in which they appear in this file and the first match is the one that determines the disposition of the request". So that means that the order of the rules needs to be such that it does what you want the rules to do. Except for LOG, once a connection request matches a rule then that request is not evaluated against any rules further down in the rules file.

|
| If you think that my rules need to be re-written, please guide me in
| this as well, since I am thinking that there must be a clean way to
| construct the rules.

I'm sorry -- there are just too many Shorewall users for me to be in the business of handholding each user in writing their rules.

|
| Other question is that I have loaded the mac and arp modules from the
| kernel; should I change any config in shorewall.conf?
|

I'm unclear on which modules you are referring to.

-Tom
mynullvoid wrote:
| I think I know what is happening; allow me to explain
| what I am trying to do.
|
| 1. I only want to allow certain clients to access the
| whole internet, controlled by their MAC address, which means
| the listed MAC addresses are the good addresses.
| 2. The rest of the clients can only access a specific IP.
| 3. The allowed ports are only 80,443,110.
|
| btw: I am running transparent squid at 3128

We could have both saved ourselves a lot of time and frustration if you would have included that detail at the outset.

|
| I think the rule I wrote with your assistance is to
| control the clients with the MAC addresses.
|

Yes -- If you turn off the transparent proxy, the rules that you wrote will work fine. Unfortunately, there is no way that I can think of to do what you want with a transparent proxy using standard Shorewall rules.

-Tom
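The three things that tripped the thread up can be seen together in a small evaluator: the first-match rule Tom quotes from the rules file, the policy fallback he diagnosed from the "shorewall status" output, and why a transparent proxy defeats a loc->net MAC rule. This is an added illustration in Python, not Shorewall code and not how Shorewall compiles its rules; it models only the matching the thread discusses. Assumptions: the third MAC is shortened to the six octets a MAC must have, the "specific ip" in the final requirement is taken to be 202.202.202.202 from the first message, and the firewall MAC 00-11-22-33-44-55 and the sample connections are constructed for the example.

```python
"""Toy first-match evaluator for Shorewall-style loc->net rules.

Added illustration, not Shorewall code. It models only what the thread
discusses: rules are tried top-down, the first match decides, anything
unmatched falls to the loc->net policy, and a transparent proxy hides the
client's MAC from the loc->net rules.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

MAC_RE = re.compile(r"^[0-9a-f]{2}(-[0-9a-f]{2}){5}$")  # exactly six octets


@dataclass(frozen=True)
class Conn:
    src_mac: str            # MAC seen on the loc interface
    dst_ip: str
    proto: str              # "tcp", "udp", "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                   # ACCEPT / REJECT / DROP
    macs: FrozenSet[str]          # empty: any host in loc
    dst_ip: Optional[str]         # None: any host in net
    proto: Optional[str]          # None: any protocol
    ports: FrozenSet[int]         # empty: any port


def parse_rule(line: str) -> Rule:
    """Parse 'ACTION SOURCE DEST PROTO [PORTS]' (Shorewall 2.x rules columns)."""
    f = line.split()
    action, source, dest = f[0], f[1], f[2]
    proto = f[3] if len(f) > 3 and f[3] not in ("all", "-") else None
    ports = (frozenset(int(p) for p in f[4].split(","))
             if len(f) > 4 and f[4] != "-" else frozenset())
    macs: FrozenSet[str] = frozenset()
    if ":" in source:                        # loc:~aa-bb-cc-dd-ee-ff,~...
        quals = source.split(":", 1)[1].split(",")
        macs = frozenset(q[1:].lower() for q in quals if q.startswith("~"))
        for m in macs:                       # iptables' mac match rejects anything but six octets
            if not MAC_RE.match(m):
                raise ValueError(f"bad MAC in rule: {m}")
    dst_ip = dest.split(":", 1)[1] if ":" in dest else None
    return Rule(action, macs, dst_ip, proto, ports)


def matches(rule: Rule, c: Conn) -> bool:
    return ((not rule.macs or c.src_mac.lower() in rule.macs)
            and (rule.dst_ip is None or rule.dst_ip == c.dst_ip)
            and (rule.proto is None or rule.proto == c.proto)
            and (not rule.ports or c.dport in rule.ports))


def disposition(rules: List[Rule], policy: str, c: Conn) -> str:
    """First matching rule wins; if nothing matches, the loc->net policy decides."""
    for r in rules:
        if matches(r, c):
            return r.action
    return policy


def as_seen_toward_net(c: Conn, fw_mac: str, redirected_port: int = 80) -> Tuple[str, Conn]:
    """Transparent-proxy model ('REDIRECT loc 3128 tcp 80'): the client's port-80
    connection terminates on the firewall (loc->fw) and squid opens a new
    fw->net connection from the firewall's own MAC, so a loc->net MAC rule can
    never match it. Everything else is forwarded unchanged as loc->net."""
    if c.proto == "tcp" and c.dport == redirected_port:
        return "fw->net", Conn(fw_mac, c.dst_ip, "tcp", c.dport)
    return "loc->net", c


LISTED = "~01-01-01-01-01-01,~02-02-02-02-02-02,~03-03-03-03-03-03"

# Tom's rules from the thread (third MAC shortened to six octets, 443 for 445).
THREAD_RULES = [parse_rule(line) for line in (
    f"ACCEPT loc:{LISTED} net:202.202.202.202 all",
    f"REJECT loc:{LISTED} net all",
    "ACCEPT loc net tcp 80,443,25",
)]

# Rules for the requirement as finally stated: listed hosts get the whole
# Internet, everyone else only 202.202.202.202 on 80,443,110 (assumed address).
FINAL_RULES = [parse_rule(line) for line in (
    f"ACCEPT loc:{LISTED} net all",
    "ACCEPT loc net:202.202.202.202 tcp 80,443,110",
)]

if __name__ == "__main__":
    other_ssh = Conn("0a-0b-0c-0d-0e-0f", "1.2.3.4", "tcp", 22)   # constructed
    # The symptom from the thread: an unlisted host reaches any site while the
    # policy is ACCEPT; the same connection is refused once the policy is REJECT.
    print("policy ACCEPT:", disposition(THREAD_RULES, "ACCEPT", other_ssh))
    print("policy REJECT:", disposition(THREAD_RULES, "REJECT", other_ssh))
    print(as_seen_toward_net(Conn("01-01-01-01-01-01", "1.2.3.4", "tcp", 80),
                             "00-11-22-33-44-55"))
```

Swapping the first and third rules shows why Tom insists on order: with the general "ACCEPT loc net tcp 80,443,25" on top, a listed host gets HTTP anywhere because that rule matches first and the REJECT below it is never reached. The proxy case is the one no ordering fixes: once port 80 is redirected to squid on the firewall, the connection that goes out to the Internet is the firewall's own (fw->net), so the client's MAC is simply not present in the packets the loc->net chain would inspect.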