Hi folks,

I'm currently doing a firewall project. The scenario is like this: my application server opens port number 3079, and the server IP is 202.188.0.132. Right now the port can be accessed from everywhere. Now I want to block all access from everywhere. But my problem is, the application will be accessed by a few locations that do transactions with the application server, and the said locations are using dynamic IP addresses. My question:

- How can I implement rules that block everything but at the same time allow the locations that are using dynamic IPs?

I hope for any suggestions from you experts out there. I appreciate it.

Thanks in advance.

rgds
shorewall.net@gmail.com
Amir Haris Ahmad wrote:
> Hi folks
>
> Im currently doin firewall project.. the scenario is like this.. my
> application server open port number 3079 the server ip is
> 202.188.0.132. and now the port can be accessed
> from everywhere. Now i want to block all the everywhere accessed. But
> my problem is, the application will be accessed by few locations that
> doing transaction with the application server. and the said locations
> are using dynamic ip address. My question:
>
> - How can i implement the rules that block everything but at the same
> time allow the locations that using dynamic ip?..
>
> I hope any suggestions from you expert out there?
>
> Im appreciate..

Amir,

My knee jerk reaction would be to use a VPN. While it presents certain support issues in dealing with clients' machines, it's certainly better than figuring out the dynamic IP ranges for all your clients' ISPs.

Besides, you're essentially authenticating by IP, which isn't secure at all. And if the authentication mechanism you have at port 3079 isn't secure enough that you trust it open to the world, well, why take the chance?

Michael
Amir Haris Ahmad wrote:
> application server open port number 3079 the server ip is 202.188.0.132. and
> now the port can be accessed from everywhere. Now i want to block all the
> everywhere accessed. But my problem is, the application will be accessed by
> few locations that doing transaction with the application server. and the
> said locations are using dynamic ip address. My question:
>
> - How can i implement the rules that block everything but at the same time
> allow the locations that using dynamic ip?..

No, use a PROPER AUTH mechanism, with proper encryption (TLS/SSL), and you will be OK.

However, you can allow traffic to only the needed port, from the whole subnet the allowed clients are using (with a proper auth system of course).

But if your goal is to not get cracked by "the bad guys outside" by protecting yourself banning countries, cities or whatever ugly thing, stay away.. it gives you a false sense of security.
Michael Cozzi wrote:
> Amir,
>
> My knee jerk reaction would be to use a VPN. While it presents
> certain support issues in dealing with client's machines, it's certainly
> better than figuring out the dynamic IP ranges for all your client's ISPs.

Indeed. We have some nice articles... take a look:
http://www.shorewall.net/OPENVPN.html

> Besides, your essentially authenticating by IP which isn't secure at
> all. And if the authentication mechanism you have at port 3079 isn't
> secure enough that you trust it open to the world- well why take the
> chance?

Amir: That's exactly the weakness of what you are trying to do right now.
Ermm.. well, the application server is the critical database server.. at this time.. I need the fast solutions, which means using shorewall.. and on the next stage.. I will figure out.. and perhaps use VPN... For now I found shorewall drop and shorewall allow. Can shorewall allow certain ports? Which means allow port 3079.. e.g. allow from 189.23.23.12 with 3079 port?
-----Original Message-----
Subject: [Shorewall-users] Need help and advised

> - How can i implement the rules that block everything but at the same time
> allow the locations that using dynamic ip?..
>
> I hope any suggestions from you expert out there?
>
> Im appreciate..
>
> Thanks is advanced..

----

Just a suggestion:

Allow http only from a list of dynamic IPs in the 192.168.1.0 range and refuse the rest of the world.

    WEB/ACCEPT net:192.168.1.0/24 fw

I use the whois tool to find the IP blocks of certain hosts:

    whois -h whois.<provider>.net <ip address>

HTH
Brian
Thanks wubba,

But I think we are using a public network.. which means people from the same country.. can access my network..

Michael Cozzi, well, nice to read about OpenVPN.. I will look forward to the said solution. But I need something fast on what we had discussed earlier, about how to allow an IP with a port?
Amir Haris Ahmad wrote:
> Ermm.. well the application server is the critical database server..

That's another reason to implement a decent solution right now.

> at this time.. i need the fast solutions

Fast solutions ... no. Security needs REAL, reliable, manageable solutions.

> which mean using shorewall.. and on next stage.. i will figure out .. and
> perhaps using vpn... for now i found shorewall drop and shorewall allow.
> can the shorewall allow a certain ports? which mean allow port 3079..
> e.g allow from 189.23.23.12 with 3079 port?

/etc/shorewall/rules

    ACCEPT net:189.23.23.12 <zoneof-the-internal-system>:ip-of-the-internal-system tcp 3079

good luck, and you have been warned.
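An added example, not part of the thread and not Shorewall's own code: a small Python audit that reads rules in the `/etc/shorewall/rules` column layout and reports which ACCEPT/DNAT rules reach port 3079 and how wide each source is. The sample rules, the `loc` zone, the 192.0.2.10 server address and the /24 network are constructed placeholders; only 189.23.23.12 and port 3079 come from the messages above.

```python
import ipaddress
from collections import namedtuple

# Constructed sample in the column layout of /etc/shorewall/rules
# (ACTION SOURCE DEST PROTO DPORT). The "loc" zone and 192.0.2.10 are
# placeholders; 189.23.23.12 is the client address used in the thread
# and the /24 around it is made up for illustration.
SAMPLE_RULES = """\
#ACTION  SOURCE              DEST            PROTO  DPORT
ACCEPT   net                 loc:192.0.2.10  tcp    3079
ACCEPT   net:189.23.23.12    loc:192.0.2.10  tcp    3079
ACCEPT   net:189.23.23.0/24  loc:192.0.2.10  tcp    3000:3100
ACCEPT   net                 loc:192.0.2.10  tcp    22
DROP     net                 loc:192.0.2.10  tcp    3079
"""

# scope: "open" (whole zone), "restricted" (address list), "review" (unparsed)
Finding = namedtuple("Finding", "lineno source scope addresses")


def port_matches(spec, port):
    """True if a DPORT column ('80,443', '3000:3100', '-') covers port."""
    if spec == "-":
        return True  # column omitted: no port restriction
    for item in spec.split(","):
        lo, sep, hi = item.partition(":")
        try:
            low = int(lo) if lo else 0
            high = int(hi) if hi else (65535 if sep else low)
        except ValueError:
            continue  # service names are not resolved in this sketch
        if low <= port <= high:
            return True
    return False


def audit(rules_text, port, proto="tcp"):
    """List every plain ACCEPT/DNAT rule that admits traffic to port.

    Macros and first-match ordering are deliberately not modelled: the
    goal is only to show how wide each allow rule's SOURCE column is.
    """
    findings = []
    for lineno, raw in enumerate(rules_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        cols = line.split()
        if len(cols) < 3:
            continue
        cols += ["-"] * (5 - len(cols))  # pad omitted trailing columns
        action, source, _dest, rule_proto, dport = cols[:5]
        verb = action.split(":")[0].upper()  # strip ":loglevel" suffix
        if verb not in ("ACCEPT", "DNAT"):
            continue
        if rule_proto.lower() not in ("-", "all", proto):
            continue
        if not port_matches(dport, port):
            continue
        _zone, _, hosts = source.partition(":")
        if not hosts:
            # Bare zone: every host in that zone may connect.
            findings.append(Finding(lineno, source, "open", None))
            continue
        try:
            nets = [ipaddress.ip_network(h, strict=False)
                    for h in hosts.split(",")]
        except ValueError:
            # MAC addresses, exclusions, interfaces: needs a human look.
            findings.append(Finding(lineno, source, "review", None))
            continue
        total = sum(n.num_addresses for n in nets)
        findings.append(Finding(lineno, source, "restricted", total))
    return findings


def exposed_to_zone(findings):
    """Line numbers of rules that leave the port open to a whole zone."""
    return [f.lineno for f in findings if f.scope == "open"]


if __name__ == "__main__":
    for f in audit(SAMPLE_RULES, 3079):
        print(f"line {f.lineno}: {f.source:<20} {f.scope} {f.addresses or ''}")
```

A "restricted" result only narrows who can reach the port; as the replies above point out, the source address is not authentication.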
Michael Cozzi ... i will study about the OpenVPN
Amir Haris,

Why don't you plan your work and work your plan? You will waste your effort if you are in a hurry.

As far as I know, shorewall.net is the best documented package I have ever seen. Spend some time reading and understanding it. The same goes for OpenVPN or any other that you may come across.

RTFM
Have you tried using filters based on the incoming MAC address?
Consider Port Knocking -> http://www.shorewall.net/PortKnocking.html
Patrick Jacques wrote:
> Have you tried using filters based on the incoming MAC address?

That will not work. Hosts are outside his network...
mynullvoid wrote:
> Consider Port Knocking -> http://www.shorewall.net/PortKnocking.html

No, you shouldn't. :P
Cristian Rodriguez wrote:
> mynullvoid wrote:
>> Consider Port Knocking -> http://www.shorewall.net/PortKnocking.html
>
> No, you shouldn't. :P

It might help to explain why... ;-)
Paul Gear wrote:
> Cristian Rodriguez wrote:
>> mynullvoid wrote:
>>> Consider Port Knocking -> http://www.shorewall.net/PortKnocking.html
>> No, you shouldn't. :P
>
> It might help to explain why... ;-)

Dear Paul:

We had proposed a real solution to the OP. ;-)

Port Knocking will simply mess things up even more and will not achieve the needed goal at all. ;-)
I know it sounds weird, but is it possible to have a rule like this?

I want to allow this MAC if it's coming from this IP address? :)

regards

*º¤., ¸¸,.¤º*¨¨¨*¤ Stingray *º¤., ¸¸,.¤º*¨¨*¤
S t i n g r a y wrote:
> I know it sounds wieard , but is it possible to have a
> rule like this ?
>
> i want to allow this mac if its coming from this ip
> address ?

It's possible, but it's only useful on the local LAN. A MAC address is a *link-layer* address and doesn't ever get transmitted across the Internet.

Paul
Well.. I will consider using OpenVPN.. but for the time being.. I think I will do it this way.. all IPs will be forwarded to somewhere and the allowed IP addresses will be forwarded to the real application server... erm lemannnnnnnnnnnnnnnn

Thanks everyone,

Luv u all

rgds
Paul Gear wrote:
> S t i n g r a y wrote:
>
>> I know it sounds wieard , but is it possible to have a
>> rule like this ?
>>
>> i want to allow this mac if its coming from this ip
>> address ?
>
> It's possible, but it's only useful on the local LAN. A MAC address is
> a *link-layer* address and doesn't ever get transmitted across the Internet.

Paul,

That's not entirely true. You could e-mail it to the remote site. That's *mail-layer-auth* for all the amateurs... Very advanced.... Just being deployed.... It's RFC 43561 and 1/3 (b).

The old RFC 43561 and 1/3 (a) protocol was pretty nice too. If you had the specified pen and paper, you could be totally without data-link, and you could still send a MAC address- though it did take 3 to 5 days.

(I know- I need to cut down on the coffee... I hope no one is humor impaired)

Michael :P
stingray,

Or if you just want to have an IP / MAC pairing security, you can use IPSentinel.
http://www.nongnu.org/ip-sentinel/

Kenneth P. Oncinian
Panasonic Communications Philippines Corporation
Information Systems Division - Network and Infrastructure Department
--
PGP Public Key: http://m.1asphost.com/koncinian/koncinian.gnupg.key
ok thanks, can you guide me to a how-to?

--- Paul Gear <pgear@redlands.qld.edu.au> wrote:
> S t i n g r a y wrote:
> > I know it sounds wieard , but is it possible to have a
> > rule like this ?
> >
> > i want to allow this mac if its coming from this ip
> > address ?
>
> It's possible, but it's only useful on the local LAN. A MAC address is
> a *link-layer* address and doesn't ever get transmitted across the Internet.
>
> Paul

*º¤., ¸¸,.¤º*¨¨¨*¤ Stingray *º¤., ¸¸,.¤º*¨¨*¤
but can we configure IPSentinel ip+mac restriction manually? or is it automatic?

thanks

*º¤., ¸¸,.¤º*¨¨¨*¤ Stingray *º¤., ¸¸,.¤º*¨¨*¤
S t i n g r a y wrote:
> but can we configure IPSentinel ip+mac restriction manually ? or is
> it automatic ?

You have to specify the pairings manually. If it's automatic, you have defeated its purpose, which is to lock a MAC to a specific IP address.

regards,

Kenneth P. Oncinian
Panasonic Communications Philippines Corporation
Information Systems Division - Network and Infrastructure Department
--
PGP Public Key: http://m.1asphost.com/koncinian/koncinian.gnupg.key
Thanks :)

*º¤., ¸¸,.¤º*¨¨¨*¤ Stingray *º¤., ¸¸,.¤º*¨¨*¤