[Shorewall-newbies] A few shorewall questions

Tom Eastep teastep at shorewall.net
Sun Feb 22 08:02:31 PST 2004

On Sunday 22 February 2004 01:23 am, David Shepherd wrote:
> I'm a student network administrator for the condo complex I live in.  I
> have 2 main questions about shorewall:
> 1.)  Can the rules/policy config be updated without having to completely
> restart shorewall?  How would I go about doing this?  Or is this just
> something that I shouldn't worry about?  I just get easy complaints from
> the students that live here (being the internet is used 24-7 in a
> college complex) if the system goes down for even a minute.  I would
> like to prevent this.

There is no way to do that -- but see FAQ #34 

> 2.)  I want to setup an intranet web server on the linux box that
> shorewall is running on so the residents can register themselves with
> me.  I actually was hoping there was a way to have a web script to run
> on this site that will automatically enter the mac address (that they
> specify in one of the fields as their systems mac address on the
> website) into the mac list so they can only access the internet after
> they register with me.  This is a way that I can know who is who when
> running the sniffer so if I need to knock them off for abuse, I know who
> it is so I can notify them first.  I will have a third NIC card that is
> connected to the internal network that will only allow connection to
> this web server where they can register.  Then the other two NICs are
> used for the internet access.  Is this even possible for a web script to
> add their mac address to the mac list of shorewall?  And will shorewall
> restrict the people that are not on this mac list from the internet?
> Would doing a "shorewall refresh" update the mac list instead of having
> to restart shorewall completely every time a user is added?  We only have
> about 400 nodes but I don't want to have to reboot the system when we
> get new macs added.  About half the condos are rented out and we have
> turnovers every semester with about 100-200 new or different MAC
> addresses.  I will manually remove the old macs, I just want to know if
> it's possible to add macs to a mac list for an access control.  Only
> macs on this list are let through, kind of an opposite of blacklist.

What you are asking is possible but again, the maclist is only rebuilt on 
"shorewall restart".

Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
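One way to implement the write step of the registration script David describes, as an added example that is not part of this thread or of Shorewall: it validates the submitted MAC strictly before anything reaches the firewall configuration, refuses duplicates, and replaces the file atomically, while the entry still only takes effect on the next "shorewall restart" as Tom says above. The three-column INTERFACE MAC IP-ADDRESSES maclist layout, the "-" placeholder for the IP column and the function names are assumptions.

```python
# Example written for this mailing-list thread, not part of Shorewall.  It assumes
# the three-column INTERFACE MAC IP-ADDRESSES layout of the maclist file.
import os
import re
import tempfile

# Accepts 00:11:22:33:44:55, 00-11-22-33-44-55 or 001122334455 and nothing else.
_MAC_RE = re.compile(r"^([0-9a-f]{2})([:-]?)([0-9a-f]{2})(?:\2[0-9a-f]{2}){4}$")

def normalize_mac(raw):
    """Return the address as lower-case colon-separated octets, or None.  Only six
    hex octets pass, so a form field cannot smuggle extra columns or a second line."""
    s = raw.strip().lower()
    if not _MAC_RE.match(s):
        return None
    digits = re.sub(r"[:-]", "", s)
    if digits == "000000000000":   # the null address never identifies a host
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def add_mac(maclist_text, interface, raw_mac):
    """Return (new_text, added); an address already listed is not added twice.
    The IP column is left as '-' so the host is matched by MAC alone (assumption)."""
    mac = normalize_mac(raw_mac)
    if mac is None:
        raise ValueError("not a valid MAC address: %r" % raw_mac)
    present = set()
    for line in maclist_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) >= 2:
            present.add(fields[1].lower())       # MAC is the second column
    if mac in present:
        return maclist_text, False
    if maclist_text and not maclist_text.endswith("\n"):
        maclist_text += "\n"
    return maclist_text + "%s\t%s\t-\n" % (interface, mac), True

def register_mac(path, interface, raw_mac):
    """Rewrite the maclist through a temp file and rename, so a concurrent
    'shorewall restart' (the only time Shorewall rereads it) never sees a partial file."""
    with open(path) as f:
        text = f.read()
    new_text, added = add_mac(text, interface, raw_mac)
    if added:
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
        with os.fdopen(fd, "w") as f:
            f.write(new_text)
        os.replace(tmp, path)
    return added
```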
