[Shorewall-newbies] A few shorewall questions
sdave at ufl.edu
Sun Feb 22 11:25:42 PST 2004
Okay, I will probably just have something that automatically restarts
shorewall every 24 hours so that maclist will get updated every night.
Maybe at like 5 am in the morning when our usage is low. So at least it
is possible to have the maclist only allow the macs on its list.
When you said this:
> Note though that there is nothing preventing your script from inserting a
> rule into the chain ethN_mac where ethN is the internal interface used for
> internet access.
Do you mean instead of using the maclist, should I just insert rules for
these mac addresses to allow them to access the net?
From: Tom Eastep [mailto:teastep at shorewall.net]
Sent: Sunday, February 22, 2004 11:03 AM
To: David Shepherd; shorewall-newbies at lists.shorewall.net
Subject: Re: [Shorewall-newbies] A few shorewall questions
On Sunday 22 February 2004 01:23 am, David Shepherd wrote:
> I'm a student network administrator for the condo complex I live in. I
> have 2 main questions about shorewall:
> 1.) Can the rules/policy config be updated without having to
> restart shorewall? How would I go about doing this? Or is this
> something that I shouldn't worry about? I just get easy complaints from
> the students that live here (being the internet is used 24-7 in a
> college complex) if the system goes down for even a minute. I would
> like to prevent this.
There is no way to do that -- but see FAQ #34
> 2.) I want to set up an intranet web server on the linux box that
> shorewall is running on so the residents can register themselves with
> me. I actually was hoping there was a way to have a web script to run
> on this site that will automatically enter the mac address (that they
> specify in one of the fields as their system's mac address on the
> website) into the mac list so they can only access the internet after
> they register with me. This is a way that I can know who is who when
> running the sniffer so if I need to knock them off for abuse, I know who
> it is so I can notify them first. I will have a third NIC card that is
> connected to the internal network that will only allow connection to
> this web server where they can register. Then the other two NICs are
> used for the internet access. Is this even possible for a web script to
> add their mac address to the mac list of shorewall? And will it
> restrict the people that are not on this mac list from the internet?
> Would doing a "shorewall refresh" update the mac list instead of having
> to restart shorewall completely every time a user is added? We only have
> about 400 nodes but I don't want to have to reboot the system when we
> get new macs added. About half the condos are rented out and we have
> turnovers every semester with about 100-200 new or different MAC
> addresses. I will manually remove the old macs, I just want to know if
> it's possible to add macs to a mac list for an access control. Only
> macs on this list are let through, kind of an opposite of blacklist.
What you are asking is possible but again, the maclist is only rebuilt
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep at shorewall.net
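The following is an added example, not code from this thread or from the Shorewall project, of what Tom's suggestion amounts to in practice: a script the registration web page can call that inserts an accept rule for a newly registered MAC into the interface's maclist chain at runtime (no restart) and also appends it to the maclist file, so the nightly restart David plans rebuilds the same set. The chain name ethN_mac comes from Tom's note; the RETURN target for accepted entries, the DISPOSITION/INTERFACE/MAC column layout of /etc/shorewall/maclist, and the default interface eth1 are assumptions, so check them against `iptables -L eth1_mac -n -v` and your own maclist file first. The security-relevant part is valid_mac: the MAC string comes straight from a web form and ends up on a root command line, so it is rejected unless it is exactly six hex octets, including the newline case that a per-line grep alone would let through.

```shell
#!/bin/sh
# Added example (not from the Shorewall thread or project).
# Register one MAC address in the live Shorewall maclist chain and in the
# maclist file, so that a later "shorewall restart" rebuilds the same entry.
#
# Assumptions, verify on your box:
#   - the maclist chain for interface ethN is named "ethN_mac" (Tom's note)
#     and accepted entries use the RETURN target (iptables -L eth1_mac -n -v)
#   - /etc/shorewall/maclist columns are DISPOSITION INTERFACE MAC
# IFACE, MACLIST and IPTABLES are overridable so the script can be dry-run.

IFACE=${IFACE:-eth1}
MACLIST=${MACLIST:-/etc/shorewall/maclist}
IPTABLES=${IPTABLES:-iptables}

# valid_mac: strict check on the untrusted form field. Returns 0 only for
# exactly six colon-separated hex octets.
valid_mac() {
    # First guard: any character outside [0-9A-Fa-f:] (a space, ';', '$',
    # or a newline) fails here. grep below works per line, so without this
    # guard "00:11:22:33:44:55<newline>evil" would be accepted.
    case "$1" in
        *[!0-9A-Fa-f:]*) return 1 ;;
    esac
    # Second guard: the exact shape, 5 x "hh:" followed by "hh".
    echo "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# normalize_mac: lower-case so duplicate registrations compare equal.
normalize_mac() {
    echo "$1" | tr 'A-F' 'a-f'
}

# mac_rule: the iptables arguments that put the accept rule at the head of
# the interface's maclist chain (assumed RETURN target, see above).
mac_rule() {
    echo "-I ${IFACE}_mac -m mac --mac-source $1 -j RETURN"
}

# register_mac: validate, insert the live rule, then append to the maclist
# file. Exit codes: 0 ok, 1 iptables failed, 2 malformed MAC, 3 already there.
register_mac() {
    mac=$(normalize_mac "$1")
    valid_mac "$mac" || return 2
    if [ -f "$MACLIST" ] && grep -Eqi "[[:space:]]$mac([[:space:]]|$)" "$MACLIST"; then
        return 3
    fi
    # mac_rule output is deliberately word-split into separate arguments.
    # shellcheck disable=SC2046
    "$IPTABLES" $(mac_rule "$mac") || return 1
    printf 'ACCEPT\t%s\t%s\n' "$IFACE" "$mac" >> "$MACLIST"
}

# Usage from the registration handler (runs as root): register_mac "$FORM_MAC"
```

Call it from the web form handler through a sudo rule limited to this one script, rather than running the web server as root; valid_mac is the only thing between the form field and a root shell, which is why it rejects rather than sanitizes. Removing a departed resident's entry is the mirror image: delete the line from the maclist file and run the same rule with `-D` instead of `-I`.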