Thanks Lonnie,

the conf file is the same as the GUI loads and points to a file that exists and
is readable.

As an "aside" it looks like the allowed mac address file can have comments i.e.

00:11:22:33:44:55       #PC 1
00:11:22:33:44:56       #PC 2
00:11:22:33:44:57       #PC 3

Which is very useful.

I still get
. . . .
Checking for (user) plugins in /usr/share/arno-iptables-firewall/plugins...
 MAC Address Filter plugin v1.0c
  Loaded kernel module ipt_mac.
 Using interface(s): eth2
* (Re)loading allowed internal MAC addresses from
/mnt/kd/arno-iptables-firewall/plugins/mac-address-allow: 5 loaded*
 Adaptive Ban plugin v1.00 BETA (EXPERIMENTAL!)
  Adaptive Ban - Whitelisting INTERNAL net(s): 192.168.7.0/24 192.168.207.0/24
  File=/var/log/messages Time=120 Count=6 Types=sshd asterisk
 Loaded 2 plugin(s)...
. . .
in the '/etc/init.d/iptables restart' output, with or without the comments at the
end of the line after the MAC.
(I moved the mac-address-allow file.)
And the result is the same - no access to the web i/f on 192.168.7.0 from a PC
on 192.168.207.0.

Thanks,

-Graham-
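
A pre-flight check for the allow file discussed above, added here as an example; it is not the AIF plugin's code nor anything posted in this thread. It assumes the file format Graham observed (one MAC per line, optional trailing "#" comment), and the function names and the sample file are mine.

```shell
# Added pre-flight check for an AIF mac-address-allow file (example code, not the
# plugin's own). Format assumed from the thread: one MAC per line, optional
# trailing "#" comment, blank lines ignored.

# Print the normalised MACs (lower case, colon separated), one per line.
# Invalid entries are reported on stderr with their line number; the return
# value is the number of rejected lines (0 = file is clean).
parse_mac_allow_file() {
    file="$1"
    lineno=0
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        # strip the comment and surrounding whitespace
        entry=$(printf '%s\n' "$line" | sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
        [ -z "$entry" ] && continue
        # accept aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff in either case
        if printf '%s\n' "$entry" | grep -Eq '^([0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}$'; then
            printf '%s\n' "$entry" | tr 'ABCDEF-' 'abcdef:'
        else
            printf 'line %d: invalid MAC address: %s\n' "$lineno" "$entry" >&2
            bad=$((bad + 1))
        fi
    done < "$file"
    return "$bad"
}

# Number of entries the firewall should report as loaded (compare with the
# "N loaded" line in the restart output).
count_mac_allow_file() {
    parse_mac_allow_file "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Succeeds if the given MAC (any case, ':' or '-') is listed in the file.
mac_is_allowed() {
    want=$(printf '%s\n' "$2" | tr 'ABCDEF-' 'abcdef:')
    parse_mac_allow_file "$1" 2>/dev/null | grep -qx "$want"
}

# Constructed sample in the format shown in the thread, plus one bad line.
SAMPLE_FILE="${TMPDIR:-/tmp}/mac-address-allow.sample"
cat > "$SAMPLE_FILE" <<'EOF'
00:11:22:33:44:55       #PC 1
00:11:22:33:44:56       #PC 2
00:11:22:33:44:57       #PC 3
# a whole-line comment is fine too
00-11-22-33-44-58       # dash separated: accepted and normalised
00:11:22:33:44:5G       # not hex: rejected
EOF
parse_mac_allow_file "$SAMPLE_FILE" || echo "rejected $? line(s); fix before restarting the firewall" >&2
```

Running it against the real file before '/etc/init.d/iptables restart' lets you compare the count with the "N loaded" line and spot an entry the plugin silently dropped.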


Lonnie Abelbeck wrote on 23/11/2010 22:05:
> Graham,
>
> I never use the mac-address-filter plugin, so I will have to play with it 
> myself... I'll have to get back to you later.
>
> Double check your 
> "/mnt/kd/arno-iptables-firewall/plugins/mac-address-filter.conf" file to make 
> sure it is correct, particularly the variable: 
> MAC_ADDRESS_FILE="/mnt/kd/allow-mac-addresses"
>
> Lonnie
>
>
> On Nov 23, 2010, at 1:16 PM, Graham S. Jarvis wrote:
>
>> Hello Lonnie,
>>
>> Can you explain this:
>>
>> When the mac-address-filter plugin is disabled I can connect from a PC on lan2
>> (eth2) to the web interface of snom phones on lan1 (eth1).
>> When the plugin is enabled I can't any more, even though I put the MAC addresses of
>> the PC, eth2 and eth1 (both - just to be sure) into the allow-mac-addresses file.
>> Also SSH access from eth2 to eth1 is blocked. Luckily I can still get HTTP and
>> SSH access to the eth2 address to turn the plugin off again.
>>
>> It's as if running the plugin negates the switch to allow traffic between the
>> two interfaces (where is that switch - I forgot).
>> Could there be a rule order "issue" or am I missing something more obvious?
>>
>> Thanks,
>>
>> -Graham-
>>
>>
>> Lonnie Abelbeck wrote on 11/11/2010 16:45:
>>> Graham,
>>>
>>> There has been a long-standing typo in Arno's Firewall comment for the
>>> mac-address-filter plugin. The next AIF version fixes it and it now reads:
>>> --
>>> # Specify interfaces that the MAC Addresses Filter is applied (eg. INT_IF)
>>> # ------------------------------------------------------------------------------
>>> MAC_ADDRESS_IF="$INT_IF"
>>> --
>>> ie, it applies to ALL traffic, so if you defined...
>>>
>>> MAC_ADDRESS_IF="eth2"
>>>
>>> MAC_ADDRESS_FILE="/mnt/kd/allow-mac-addresses"
>>>
>>> and created "/mnt/kd/allow-mac-addresses" as a list of allowed MAC 
>>> addresses for eth2, ie:
>>> --
>>> 00:11:22:33:44:55
>>> 00:11:22:33:44:56
>>> 00:11:22:33:44:57
>>> --
>>>
>>> Give it a try (I have not played with that plugin).  Keep in mind that 
>>> there will be periodic maintenance to such a filter.
>>>
>>> Lonnie
>>>
>>>
>>>
>>> On Nov 11, 2010, at 3:03 AM, Graham S. Jarvis wrote:
>>>
>>>> Hello All,
>>>>
>>>> As if you haven't been hearing enough from me recently - here's another
>>>> "nearly newbie" question:
>>>>
>>>> I want to stop people on one of my interfaces (you guessed it - eth2/lan2)
>>>> from connecting to the Ethernet outside of office hours.
>>>> I don't know if it would be better to block by IP or MAC. Most users are
>>>> using DHCP so I could block the whole DHCP range. But at least one user knows
>>>> what they are doing and could reset their PC with a fixed IP. I would notice
>>>> if this happens, but in order to block them again I would be chasing them
>>>> through the network and at some point they are going to pick an IP that
>>>> conflicts with something important. With the MAC I know which PC/user it is
>>>> and "basta", they are blocked.
>>>>
>>>> I thought one way to do this is to set up the mac-address-filter firewall
>>>> plugin and then have a cron job to switch the mac-address file and restart
>>>> the firewall.
>>>>
>>>> So my questions are:
>>>>
>>>> 1. What does this mean:
>>>> # Specify here the port(s) you want to SSH checks to apply to
>>>> # ------------------------------------------------------------------------------
>>>> MAC_ADDRESS_IF="$INT_IF"
>>>>
>>>> "... you want to SSH checks to apply to" ???
>>>> Why SSH?
>>>> Does this plugin _only_ stop SSH?
>>>>
>>>> If so, why should anyone only want to stop SSH by MAC address?
>>>> And, if it is only dropping port 22 traffic, it should be possible to "hack"
>>>> the script so that this plugin checks/blocks all ports.
>>>> Could someone [Lonnie again? :-)] tell me where this plugin script file is
>>>> located, please.
>>>>
>>>> Thanks in advance,
>>>>
>>>> -Graham-
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users
