[Shorewall-newbies] A few shorewall questions

Tom Eastep teastep at shorewall.net
Sun Feb 22 08:02:31 PST 2004


On Sunday 22 February 2004 01:23 am, David Shepherd wrote:
> I'm a student network administrator for the condo complex I live in.  I
> have 2 main questions about shorewall:
>
> 1.)  Can the rules/policy config be updated without having to completely
> restart shorewall?  How would I go about doing this?  Or is this just
> something that I shouldn't worry about?  I just get easy complaints from
> the students that live here (being the internet is used 24-7 in a
> college complex) if the system goes down for even a minute.  I would
> like to prevent this.

There is no way to do that -- but see FAQ #34 
(http://shorewall.net/FAQ.htm#faq34).

>
> 2.)  I want to setup an intranet web server on the linux box that
> shorewall is running on so the residents can register themselves with
> me.  I actually was hoping there was a way to have a web script to run
> on this site that will automatically enter the mac address (that they
> specify in one of the fields as their systems mac address on the
> website) into the mac list so they can only access the internet after
> they register with me.  This is a way that I can know who is who when
> running the sniffer so if I need to knock them off for abuse, I know who
> it is so I can notify them first.  I will have a third NIC card that is
> connected to the internal network that will only allow connection to
> this web server where they can register.  Then the other two NICs are
> used for the internet access.  Is this even possible for a web script to
> add their mac address to the mac list of shorewall?  And will shorewall
> restrict the people that are not on this mac list from the internet?
> Would doing a "shorewall refresh" update the mac list instead of having
> to restart shorewall completely every time a user is added?  We only have
> about 400 nodes but I don't want to have to reboot the system when we
> get new macs added.  About half the condos are rented out and we have
> turnovers every semester with about 100-200 new or different MAC
> addresses.  I will manually remove the old macs, I just want to know if
> it's possible to add macs to a mac list for an access control.  Only
> macs on this list are let through, kind of an opposite of blacklist.
>

What you are asking is possible but again, the maclist is only rebuilt on 
"shorewall restart".

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
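The registration flow the question describes (a web script that appends a submitted MAC to the maclist, followed by the full restart Tom says is required), written out as an added shell example; it is not code from the original thread, from Tom, or from the Shorewall project. It assumes the maclist lives at /etc/shorewall/maclist in the two-column INTERFACE / MAC layout, that the internal interface is eth1, and that grep -E is available. The point worth taking from it for anyone wiring this to a web form is that the submitted value is validated against a strict pattern before anything is written, so a form field cannot push extra columns or extra lines into the firewall configuration.

```shell
#!/bin/sh
# Added example (not from the thread or the Shorewall project): append a
# registered MAC address to a Shorewall maclist file.
# Assumptions: maclist at /etc/shorewall/maclist, two columns "INTERFACE MAC",
# internal interface eth1. Override with MACLIST_FILE / MACLIST_IFACE.

MACLIST_FILE="${MACLIST_FILE:-/etc/shorewall/maclist}"
MACLIST_IFACE="${MACLIST_IFACE:-eth1}"

# normalize_mac: lower-case the input and accept only the colon-separated
# six-octet form. Prints the normalized MAC on success, returns 1 otherwise.
# Rejecting anything else keeps whitespace, newlines and shell metacharacters
# from a web form out of the config file.
normalize_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    printf '%s' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    printf '%s\n' "$mac"
}

# add_mac FILE MAC: validate MAC and append "IFACE<TAB>MAC" to FILE unless an
# identical entry is already there. Returns 0 on append, 2 if already present,
# 1 if the input is not a valid MAC.
add_mac() {
    file="$1"
    mac=$(normalize_mac "$2") || return 1
    # Match the whole entry so that a prefix of another MAC does not count.
    if grep -Eq "^${MACLIST_IFACE}[[:space:]]+${mac}([[:space:]]|\$)" "$file" 2>/dev/null; then
        return 2
    fi
    printf '%s\t%s\n' "$MACLIST_IFACE" "$mac" >> "$file"
}

# count_macs FILE: number of entries for the interface (used for checks).
count_macs() {
    grep -Ec "^${MACLIST_IFACE}[[:space:]]" "$1" 2>/dev/null || true
}

# apply_maclist: the maclist is only rebuilt on "shorewall restart";
# "shorewall refresh" does not reload it, so a restart is needed after editing.
apply_maclist() {
    shorewall restart
}

# Usage from a registration handler (runs as a privileged helper, not as the
# web server user):
#   add_mac "$MACLIST_FILE" "$submitted_mac" && apply_maclist
```

Two design notes. The web server itself should not have write access to /etc/shorewall; hand the validated address to a small privileged helper such as this one (via sudo with a fixed command, or a queue it polls) so that a compromise of the web application cannot rewrite the firewall configuration directly. And since a restart is the only way to load the new entry, batching registrations (say, one restart every few minutes when the file has changed) limits how often the 400 nodes see the brief interruption the poster is worried about.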