Graham, I never use the mac-address-filter plugin, so I will have to play with it myself... I'll have to get back to you later.
Double check your "/mnt/kd/arno-iptables-firewall/plugins/mac-address-filter.conf" file to make sure it is correct, particularly the variable:

MAC_ADDRESS_FILE="/mnt/kd/allow-mac-addresses"

Lonnie

On Nov 23, 2010, at 1:16 PM, Graham S. Jarvis wrote:

> Hello Lonnie,
>
> Can you explain this:
>
> When the mac-address-filter plugin is disabled I can connect from a PC on lan2
> (eth2) to the web interface of snom phones on lan1 (eth1).
> When the plugin is enabled I can't any more even though I put the mac addr of
> the PC, eth2 and eth1 (both - just to be sure) into the allow-mac-addresses
> file.
> Also SSH access from eth2 to eth1 is blocked. Luckily I can still get http and
> SSH access to the eth2 address to turn the plugin off again.
>
> It's as if running the plugin negates the switch to allow traffic between the
> two interfaces (where is that switch - I forgot).
> Could there be a rule order "issue" or am I missing something more obvious?
>
> Thanks,
>
> -Graham-
>
>
> Lonnie Abelbeck wrote on 11/11/2010 16:45:
>> Graham,
>>
>> There has been a long standing typo in Arno's Firewall comment for the
>> mac-address-filter plugin. The next AIF version fixes it and it now
>> reads:
>> --
>> # Specify interfaces that the MAC Addresses Filter is applied (eg. INT_IF)
>> # ------------------------------------------------------------------------------
>> MAC_ADDRESS_IF="$INT_IF"
>> --
>> ie, it applies to ALL traffic, so if you defined...
>>
>> MAC_ADDRESS_IF="eth2"
>>
>> MAC_ADDRESS_FILE="/mnt/kd/allow-mac-addresses"
>>
>> and created "/mnt/kd/allow-mac-addresses" as a list of allowed MAC addresses
>> for eth2, ie:
>> --
>> 00:11:22:33:44:55
>> 00:11:22:33:44:56
>> 00:11:22:33:44:57
>> --
>>
>> Give it a try (I have not played with that plugin). Keep in mind that there
>> will be periodic maintenance to such a filter.
>>
>> Lonnie
>>
>>
>>
>> On Nov 11, 2010, at 3:03 AM, Graham S. Jarvis wrote:
>>
>>> Hello All,
>>>
>>> As if you haven't been hearing enough from me recently - here is another
>>> "nearly newbie" question:
>>>
>>> I want to stop people on one of my interfaces (you guessed it - eth2/lan2)
>>> from connecting to the Ethernet outside of office hours.
>>> I don't know if it would be better to block by IP or MAC - Most users are
>>> using DHCP so I could block the whole dhcp-range. But at least one user knows
>>> what they are doing and could reset their PC with a fixed IP. I would notice
>>> if this happens but in order to block them again I would be chasing them
>>> through the network and at some point they are going to pick an IP that
>>> conflicts with something important. With the MAC I know which PC/User it is
>>> and "basta" they are blocked.
>>>
>>> I thought one way to do this is set up the mac-address-filter firewall
>>> plugin and then have a cron job to switch the mac-address file and restart
>>> the firewall.
>>>
>>> So my questions are:
>>>
>>> 1. What does this mean:
>>> # Specify here the port(s) you want to SSH checks to apply to
>>> # ------------------------------------------------------------------------------
>>> MAC_ADDRESS_IF="$INT_IF"
>>>
>>> "... you want to SSH checks to apply to" ???
>>> Why SSH?
>>> Does this plugin _only_ stop SSH?
>>>
>>> If so, why should anyone only want to stop SSH by mac address?
>>> And, if it is only dropping port 22 traffic it should be possible to "hack"
>>> the script so that this plugin checks/blocks all ports.
>>> Could someone [Lonnie again? :-)] tell me where this plugin script file is
>>> located please.
>>>
>>> Thanks in advance,
>>>
>>> -Graham-
>>>
>

_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
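The cron-driven allow-list swap Graham describes, as an added example (not code from the thread, from AstLinux or from Arno's firewall). It assumes Lonnie's one-MAC-per-line file format, office hours of Mon-Fri 08:00-17:59, and placeholder paths and a placeholder restart command; the list is validated before it is installed so a typo cannot silently lock the whole segment out.

```shell
#!/bin/sh
# Added example (not from the thread, AstLinux or Arno's firewall): helpers for
# the cron-driven allow-list swap Graham describes. An office-hours list and an
# after-hours list are kept side by side and a cron job installs the right one
# as MAC_ADDRESS_FILE, then restarts AIF. Assumed file format: one MAC per
# line as Lonnie showed; blank lines and '#' comments are tolerated here.

# validate_mac_file FILE: report each malformed entry on stderr, return 1 if any.
validate_mac_file() {
    _bad=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        _line=$(printf '%s' "${_line%%#*}" | tr -d '[:space:]')
        [ -z "$_line" ] && continue
        if ! printf '%s\n' "$_line" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
            echo "bad MAC entry in $1: $_line" >&2
            _bad=1
        fi
    done < "$1"
    return $_bad
}

# pick_list HOUR WEEKDAY: "office" during the assumed office hours
# (Mon-Fri 08:00-17:59; WEEKDAY is 1-7 as printed by date +%u), else "afterhours".
pick_list() {
    if [ "$2" -ge 1 ] && [ "$2" -le 5 ] && [ "$1" -ge 8 ] && [ "$1" -lt 18 ]; then
        echo office
    else
        echo afterhours
    fi
}

# swap_list SRC DEST RESTART_CMD: validate SRC, install it as DEST only when it
# differs, then run RESTART_CMD. A malformed list is never installed, so a typo
# leaves the previous list active instead of locking everyone out.
swap_list() {
    validate_mac_file "$1" || return 1
    cmp -s "$1" "$2" && return 0    # already active, don't bounce the firewall
    cp "$1" "$2" && $3
}

# Hourly cron entry (paths and restart command are assumptions):
#   0 * * * * /mnt/kd/macswap.sh
# where macswap.sh sources this file and runs:
#   H=$(date +%H); LIST=$(pick_list "${H#0}" "$(date +%u)")
#   swap_list "/mnt/kd/allow-mac-$LIST" /mnt/kd/allow-mac-addresses \
#             "/etc/init.d/arno-iptables-firewall restart"
```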