[Shorewall-newbies] A few shorewall questions

David Shepherd sdave at ufl.edu
Sun Feb 22 11:25:42 PST 2004


Okay, I will probably just have something that automatically restarts
shorewall every 24 hours so that maclist will get updated every night.
Maybe at like 5 am in the morning when our usage is low.  So at least it
is possible to have the maclist only allow the macs on its list.

> When you said this:
> Note though that there is nothing preventing your script from
inserting a > rule into the chain ethN_mac where ethN is the internal
interface used for > internet access.

Do you mean instead of using the maclist, should I just insert rules for
these mac addresses to allow them to access the net?

-----Original Message-----
From: Tom Eastep [mailto:teastep at shorewall.net] 
Sent: Sunday, February 22, 2004 11:03 AM
To: David Shepherd; shorewall-newbies at lists.shorewall.net
Subject: Re: [Shorewall-newbies] A few shorewall questions

On Sunday 22 February 2004 01:23 am, David Shepherd wrote:
> I'm a student network administrator for the condo complex I live in.
I
> have 2 main questions about shorewall:
>
> 1.)  Can the rules/policy config be updated without having to
completely
> restarting shorewall?  How would I go about doing this?  Or is this
just
> something that I shouldn't worry about?  I just get easy complaints
from
> the students that live here (being the internet is used 24-7 in a
> college complex) if the system goes down for even a minute.  I would
> like to prevent this.

There is no way to do that -- but see FAQ #34 
(http://shorewall.net/FAQ.htm#faq34).

>
> 2.)  I want to setup an intranet web server on the linux box that
> shorewall is running on so the residents can register themselves with
> me.  I actually was hoping there was a way to have a web script to run
> on this site that will automatically enter the mac address (that they
> specify in one of the fields as their systems mac address on the
> website) into the mac list so they can only access the internet after
> they register with me.  This is a way that I can know who is who when
> running the sniffer so if I need to knock them off for abuse, I know
who
> it is so I can notify them first.  I will have a third NIC card that
is
> connected to the internal network that will only allow connection to
> this web server where they can register.  Then the other two NICs are
> used for the internet access.  Is this even possible for a web script
to
> add their mac address to the mac list of shorewall?  And will
shorewall
> restrict the people that are not on this mac list from the internet?
> Would doing a "shorewall refresh" update the mac list instead of
having
> to restart shorewall completely ever time a user is added?  We only
have
> about 400 nodes but I don't want to have to reboot the system when we
> get new macs added.  About half the condos are rented out and we have
> turnovers every semester with about 100-200 new or different MAC
> addresses.  I will manually remove the old macs, I just want to know
if
> it's possible to add macs to a mac list for an access control.  Only
> macs on this list are let through, kind of an opposite of blacklist.
>

What you are asking is possible but again, the maclist is only rebuilt
on 
"shorewall restart".

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net






More information about the Shorewall-newbies mailing list