[Shorewall-newbies] A few shorewall questions

Tom Eastep teastep at shorewall.net
Sun Feb 22 12:18:37 PST 2004


On Sun, 22 Feb 2004, David Shepherd wrote:

> What is the ethN_mac chain?  What file is that or how do I go about
> doing that?  I'm going to do some searching on your website for it but
> if you could point me in the right direction that would be great.  I am
> very new to this and I appreciate your quick responses.
>

David,

If you want to pull this off, you are going to have to accept up front
that it will require you to learn something about Netfilter and iptables
and you don't learn that poring over Shorewall documentation. The
Netfilter site is a much better source of this sort of information.

Shorewall creates a Netfilter chain for each interface that has the
'maclist' option specified -- the name of the chain is "<if name>_mac"
(e.g., eth2_mac for interface eth2) and for each entry in
/etc/shorewall/maclist that refers to that interface, a rule is added to
the chain.

Your script will do something like:

/sbin/iptables -I eth2_mac -m mac --mac-source <the MAC address> -j RETURN

As a side note, you will probably want MACLIST_DISPOSITION=REJECT in your
shorewall.conf file.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
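An added example, not code from Tom's reply or from Shorewall itself: a small POSIX shell wrapper around the iptables command above that checks the MAC address is well-formed and that the ethN_mac chain actually exists before inserting the RETURN rule. It assumes the "<if name>_mac" naming described in the reply; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: wraps the iptables call Tom
# describes so a script cannot push a malformed rule into the ethN_mac chain.
# Assumes Shorewall's "<ifname>_mac" naming and that the interface has the
# 'maclist' option (otherwise the chain does not exist).

IPTABLES="${IPTABLES:-/sbin/iptables}"

# Chain Shorewall generates for an interface: eth2 -> eth2_mac
mac_chain_name() {
    printf '%s_mac\n' "$1"
}

# Return 0 for a well-formed xx:xx:xx:xx:xx:xx MAC, 1 otherwise (POSIX sh, no regex).
valid_mac() {
    case "$1" in
        ??:??:??:??:??:??) ;;                 # six two-character groups
        *) return 1 ;;
    esac
    case "$(printf '%s' "$1" | tr -d ':')" in
        *[!0-9A-Fa-f]*) return 1 ;;          # a non-hex character slipped in
        *) return 0 ;;
    esac
}

# The exact command that would run, for review before touching the firewall.
mac_allow_rule() {
    printf '%s -I %s -m mac --mac-source %s -j RETURN\n' \
        "$IPTABLES" "$(mac_chain_name "$1")" "$2"
}

# Insert the RETURN rule (same command as in the reply), refusing bad input
# and a missing chain instead of letting iptables fail half-way.
allow_mac() {
    iface=$1; mac=$2
    valid_mac "$mac" || { echo "allow_mac: bad MAC '$mac'" >&2; return 2; }
    chain=$(mac_chain_name "$iface")
    # -S lists the chain's rules and fails if the chain is absent (needs root).
    "$IPTABLES" -S "$chain" >/dev/null 2>&1 || {
        echo "allow_mac: chain $chain not found; is 'maclist' set on $iface?" >&2
        return 3
    }
    "$IPTABLES" -I "$chain" -m mac --mac-source "$mac" -j RETURN
}
```

Run `mac_allow_rule eth2 00:11:22:33:44:55` first to see the command, then `allow_mac eth2 00:11:22:33:44:55` as root to apply it.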

