[Shorewall-newbies] SOURCE in rules

Jorge Almeida jalmeida at math.ist.utl.pt
Mon Dec 8 19:24:18 PST 2003

On Mon, 8 Dec 2003, Francesca C Smith wrote:
> 1: Use two rules 
> ACCEPT	net:~some_mac	net	fw	tcp	22
> ACCEPT	net:some_ip	net	fw	tcp	22

The doc at http://www.shorewall.net/Documentation.htm#Rules suggest that
a comma separated list would be OK, but I was not sure whether the
qualifiers have cummulative effect or are alternatives... 

> 2. Use the maclist functionality to do this .. 
> http://www.shorewall.net/configuration_file_basics.htm#MAC
> http://www.shorewall.net/MAC_Validation.html
> The later link seems to be a bit hard to find .. 
Actually, I had found it :)
But I want to force MAC verification only for connections to certain
ports, not for all connections from the net zone to the fw zone. That is
why the natural place for this directive would appear to be the rules
file. If this is not possible, maybe a possible solution would be to
define a special zone including the computers  which should be subject
to MAC verification; since this special zone and net would both correspond to eth0, they had to be defined in the hosts file; the problem is: how can I define the net zone, which corresponds to all NICs except the ones corresponding to the special zone?

Jorge Almeida

More information about the Shorewall-newbies mailing list