[Shorewall-newbies] SOURCE in rules

Francesca C Smith fsmith at ladylinux.com
Mon Dec 8 13:20:47 PST 2003


On Mon, 2003-12-08 at 11:08, Jorge Almeida wrote:
> Hi,
> I could use some help with the syntax for source restriction in
> /etc/shorewall/rules.
> Suppose that the variables SOME_IP and SOME_MAC are set in
> /etc/shorewall/params (where SOME_IP is an IP number and SOME_MAC is a
> hardware address in the shorewall format).  What would the following line in
> /etc/shorewall/rules do?
> ACCEPT	net:$SOME_IP,$SOME_MAC	fw	tcp	22
> 
> I'm assuming that a tcp connection to port 22 would be accepted if
> it came from the $SOME_IP ip *OR* from the $SOME_MAC hardware address.
> Am I right?
> Now, suppose that I want to accept connections from a unique NIC,
> identified by both its ip number *AND* its hardware address, for good
> measure (call me paranoid). If $SOME_IP and $SOME_MAC correspond to the
> same NIC, would the following line do the job?
> 
> ACCEPT  net:$SOME_IP:$SOME_MAC  fw      tcp     22
> 
> (All this refers to a standalone machine setup with standard
> /etc/shorewall/policy)
> 
> TIA.

Hello,

I am not sure if you can combine both an IP and a MAC address in a rule
together, but two things might work, and I will ask others to
comment here.

1. Use two rules (columns are ACTION, SOURCE, DEST, PROTO, DEST PORT):

ACCEPT	net:~some_mac	fw	tcp	22
ACCEPT	net:some_ip	fw	tcp	22

Note: MAC rules need the "~" before them for Shorewall to work right.

2. Use the maclist functionality to do this.

Look here for details:

http://www.shorewall.net/configuration_file_basics.htm#MAC

http://www.shorewall.net/MAC_Validation.html

The latter link seems to be a bit hard to find, but the Shorewall
documentation is being improved.

Francesca

-- 
No Problems Only Solutions
Lady Linux Internet Services
Baltimore, MD
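The thread turns on what a comma-separated SOURCE list in a rules line expands to, and whether an IP and a MAC can be required together. The script below is an added example, not Shorewall's code and not from either poster: it reads constructed params values (SOME_IP and SOME_MAC are made up, with the "~" kept in the MAC value), expands $VAR references in a rules line, and emits the iptables commands such a line corresponds to. With combine=False every list element becomes its own rule, which is the OR that Jorge assumes and that Francesca's two-rule form spells out; with combine=True both matches go into a single iptables rule, which is how netfilter itself expresses IP AND MAC (-s plus -m mac --mac-source). The chain name net2fw and the one-rule-per-element expansion are assumptions about what Shorewall generates, and the colon-joined net:IP:MAC form is simply rejected here; the example makes no claim about whether Shorewall's own parser accepts it.

```python
"""Expand the SOURCE column of a Shorewall-style rules line into iptables.

Added example, not Shorewall code. Assumptions: the zone-to-zone chain is
named <src>2<dst> (net2fw), and each comma-separated SOURCE element
becomes its own iptables rule unless combine=True is requested.
"""
import re

# Constructed /etc/shorewall/params contents (NAME=value, shell syntax).
# The MAC carries the "~" prefix and hyphen-separated octets Shorewall uses.
PARAMS = """\
# constructed sample values
SOME_IP=192.168.1.10
SOME_MAC=~00-11-22-33-44-55
"""

MAC_RE = re.compile(r"^~([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?$")


def load_params(text):
    """Parse NAME=value lines; comments and blank lines are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a NAME=value line: {raw!r}")
        params[name.strip()] = value.strip()
    return params


def expand_vars(field, params):
    """Replace $NAME references the way params values reach the rules file."""
    def lookup(match):
        name = match.group(1)
        if name not in params:
            raise ValueError(f"${name} is not set in params")
        return params[name]
    return re.sub(r"\$(\w+)", lookup, field)


def source_match(element):
    """iptables arguments for one SOURCE element: an IPv4 address/network
    or a Shorewall-format MAC (~xx-xx-xx-xx-xx-xx)."""
    mac = MAC_RE.match(element)
    if mac:
        # iptables' mac match wants colon-separated octets
        return ["-m", "mac", "--mac-source", mac.group(1).replace("-", ":")]
    if IPV4_RE.match(element):
        return ["-s", element]
    raise ValueError(
        f"unsupported SOURCE element {element!r} "
        "(hardware addresses need the ~ prefix, e.g. ~00-11-22-33-44-55)"
    )


def to_iptables(rule_line, params, combine=False):
    """Translate 'ACTION SOURCE DEST PROTO DPORT' into iptables commands.

    combine=False: one rule per comma-separated element, so the list is an OR.
    combine=True: all elements in one rule, so every match must hold (AND).
    The colon-joined form net:IP:MAC is rejected as unsupported here.
    """
    fields = rule_line.split()
    if len(fields) < 5:
        raise ValueError(f"expected ACTION SOURCE DEST PROTO DPORT: {rule_line!r}")
    action, source, dest, proto, dport = fields[:5]
    zone, _, addrs = expand_vars(source, params).partition(":")
    elements = [e for e in addrs.split(",") if e] if addrs else []
    # Assumed chain naming: the net-to-fw chain is called net2fw.
    base = ["iptables", "-A", f"{zone}2{dest}", "-p", proto, "--dport", dport]
    if combine:
        groups = [elements]                        # one rule, every match
        kinds = [source_match(e)[0] for e in elements]
        if len(kinds) != len(set(kinds)):
            raise ValueError("iptables takes one -s and one --mac-source per rule")
    else:
        groups = [[e] for e in elements] or [[]]   # one rule per element
    commands = []
    for group in groups:
        cmd = list(base)
        for element in group:
            cmd += source_match(element)
        cmd += ["-j", action]
        commands.append(" ".join(cmd))
    return commands


if __name__ == "__main__":
    params = load_params(PARAMS)
    rule = "ACCEPT net:$SOME_IP,$SOME_MAC fw tcp 22"
    for combine in (False, True):
        print("# combine =", combine)
        for cmd in to_iptables(rule, params, combine):
            print(cmd)
```

Run it to see the two expansions side by side: the OR form prints two rules, one with -s and one with --mac-source; the AND form prints a single rule carrying both matches. The commands are only printed, never executed, so the script is safe to run on any machine.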
