Graham,

There has been a long-standing typo in Arno's Firewall comment for the mac-address-filter plugin. The next AIF version fixes it and it now reads:
--
# Specify interfaces that the MAC Addresses Filter is applied (eg. INT_IF)
# ------------------------------------------------------------------------------
MAC_ADDRESS_IF="$INT_IF"
--

ie, it applies to ALL traffic, so if you defined...

MAC_ADDRESS_IF="eth2"
MAC_ADDRESS_FILE="/mnt/kd/allow-mac-addresses"

and created "/mnt/kd/allow-mac-addresses" as a list of allowed MAC addresses for eth2, ie:
--
00:11:22:33:44:55
00:11:22:33:44:56
00:11:22:33:44:57
--

Give it a try (I have not played with that plugin).

Keep in mind that there will be periodic maintenance to such a filter.

Lonnie

On Nov 11, 2010, at 3:03 AM, Graham S. Jarvis wrote:

> Hello All,
>
> As if you haven't been hearing enough from me recently - here another
> "nearly newbie" question:
>
> I want to stop people on one of my interfaces (you guessed it - eth2/lan2)
> from connecting to the Ethernet outside of office hours.
> I don't know if it would be better to block by IP or MAC - Most users are
> using DHCP so I could block the whole dhcp-range. But at least one user
> knows what they are doing and could reset their PC with a fixed IP. I would
> notice if this happens but in order to block them again I would be chasing
> them through the network and at some point they are going to pick an IP
> that conflicts with something important. With the MAC I know which PC/User
> it is and "basta" they are blocked.
>
> I thought one way to do this is set up the mac-address-filter firewall
> plugin and then have a cron job to switch the mac-address file and restart
> the firewall.
>
> So my questions are:
>
> 1. What does this mean:
> # Specify here the port(s) you want to SSH checks to apply to
> # ------------------------------------------------------------------------------
> MAC_ADDRESS_IF="$INT_IF"
>
> "... you want to SSH checks to apply to" ???
> Why SSH?
> Does this plugin _only_ stop SSH?
>
> If so, why should anyone only want to stop SSH by mac address?
> And, if it is only dropping port 22 traffic it should be possible to "hack"
> the script so that this plugin checks/blocks all ports.
> Could someone [Lonnie again? :-)] tell me where this plugin script file is
> located please.
>
> Thanks in advance,
>
> -Graham-
>
> _______________________________________________
> Astlinux-users mailing list
> Astlinux-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to
> pay...@krisk.org.
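
The cron-driven swap of /mnt/kd/allow-mac-addresses discussed in this thread is safer if each list is validated before it goes live. The sketch below is an added example, not part of the thread or of AstLinux/AIF code; the function names, the office-hours window, the source list paths and the restart step are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Function names, the office-hours
# window and the source list names are hypothetical.

# Succeeds only if file $1 is non-empty and every line is exactly one MAC
# address, the one-per-line format shown in the thread. An empty list is
# refused because the thread does not say how the plugin treats one.
validate_mac_file() {
    [ -s "$1" ] || return 1
    # grep -v selects lines that are NOT a well-formed MAC; none may exist.
    ! grep -Eqv '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' "$1"
}

# Prints which list applies for weekday $1 (1=Mon..7=Sun) and hour $2 (0-23).
# Assumed office hours: Mon-Fri, 08:00 to 17:59.
pick_list() {
    if [ "$1" -le 5 ] && [ "$2" -ge 8 ] && [ "$2" -lt 18 ]; then
        echo office
    else
        echo closed
    fi
}

# Validates source list $1, then replaces live file $2 by rename so the
# firewall never reads a half-written list. On a validation failure it
# returns non-zero and leaves $2 untouched.
install_mac_file() {
    validate_mac_file "$1" || return 1
    tmp="$2.new.$$"
    cp "$1" "$tmp" && mv -f "$tmp" "$2"
}

# Cron usage sketch (only /mnt/kd/allow-mac-addresses comes from the thread):
#   h=$(date +%H)
#   l=$(pick_list "$(date +%u)" "${h#0}")
#   install_mac_file "/mnt/kd/mac-$l" /mnt/kd/allow-mac-addresses \
#       && <restart the firewall here>
```

A failed validation leaves the previous list in place, so the cron job should report the non-zero exit rather than restart the firewall.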