* Paul Gear:

> Florian Weimer wrote:
>> ...
>> It seems that shorewall generates an ACL that ACCEPTs all traffic once
>> a MAC rule matches. Further rules are not considered. The
>> explanations in version 2.2.3 seem to indicate that this was the
>> intended behavior, but its implications surprised upstream, and a
>> corrected version was released.
>
> That's not an accurate summary of the Shorewall team's stance. It is a
> simple bug. When someone uses MAC filtering in their firewall rules, it
> was always intended that a system which passed the MAC filter still be
> subject to the other rules (IP & port filters).

# When a new connection arrives from a 'maclist' interface, the packet passes
# through the list of entries for that interface in /etc/shorewall/maclist. If
# there is a match then the source IP address is added to the 'Recent' set for
# that interface. Subsequent connection attempts from that IP address occurring
# within $MACLIST_TTL seconds will be accepted without having to scan all of
# the entries.

[...]

Highly ambiguous at best. 8-(

The behavior of the MAC filter is not documented at all.

Anyway, this subthread won't lead us to a DSA. Tomorrow, I'm going to set up
shorewall in my lab and reproduce the bug. Hopefully that's more productive
(in some weird sense, of course).
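The disagreement above is about what happens after a MAC entry matches: whether the maclist chain issues a terminal ACCEPT (so the later IP and port rules are never consulted) or simply returns to the calling chain so those rules still apply. The following is an added illustration, not code from this thread, from Shorewall or from netfilter: a small Python model of chain traversal with ACCEPT, DROP and RETURN verdicts and user-chain jumps. The chain layout, the allowed MAC address, the subnet and the port numbers are constructed for the example.

```python
"""Toy model of netfilter-style chain traversal (constructed example).

It shows why a MAC-list chain that ACCEPTs on match bypasses every later
IP/port rule in the calling chain, whereas one that RETURNs on match lets
the packet continue down the calling chain as the thread says was intended.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

ACCEPT, DROP, RETURN = "ACCEPT", "DROP", "RETURN"

# Constructed MAC address of the one host listed in the MAC filter.
ALLOWED_MAC = "00:11:22:33:44:55"


@dataclass
class Packet:
    mac: str    # source MAC as seen on the maclist interface
    src: str    # source IPv4 address
    dport: int  # destination port


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: str  # ACCEPT / DROP / RETURN or the name of a user chain


@dataclass
class Ruleset:
    chains: Dict[str, List[Rule]] = field(default_factory=dict)

    def walk(self, chain: str, pkt: Packet) -> Optional[str]:
        """Evaluate one chain; None means 'fell off the end or RETURNed'."""
        for rule in self.chains[chain]:
            if not rule.match(pkt):
                continue
            if rule.target == RETURN:
                return None                      # back to the calling chain
            if rule.target in (ACCEPT, DROP):
                return rule.target               # terminal verdict
            verdict = self.walk(rule.target, pkt)  # jump into a user chain
            if verdict is not None:
                return verdict                   # user chain decided
        return None


def build(maclist_target: str) -> Ruleset:
    """Build INPUT -> maclist, with the MAC-match rule using the given target.

    maclist_target=ACCEPT models the buggy behaviour the thread describes;
    maclist_target=RETURN models the intended behaviour.
    """
    rs = Ruleset()
    rs.chains["maclist"] = [
        Rule(lambda p: p.mac == ALLOWED_MAC, maclist_target),
        Rule(lambda p: True, DROP),              # unknown MAC: dropped
    ]
    rs.chains["INPUT"] = [
        Rule(lambda p: True, "maclist"),         # MAC filter first
        # IP & port filter: only SSH from the constructed LAN subnet
        Rule(lambda p: p.dport == 22 and p.src.startswith("192.168.1."), ACCEPT),
        Rule(lambda p: True, DROP),
    ]
    return rs


def verdict(rs: Ruleset, pkt: Packet) -> str:
    """Final verdict for a packet entering INPUT (chain policy DROP)."""
    v = rs.walk("INPUT", pkt)
    return v if v is not None else DROP


if __name__ == "__main__":
    probe = Packet(ALLOWED_MAC, "10.0.0.5", 80)  # known MAC, wrong net/port
    for name, target in (("buggy (ACCEPT)", ACCEPT), ("fixed (RETURN)", RETURN)):
        print(f"{name:15s} -> {verdict(build(target), probe)}")
```

With the ACCEPT variant the probe packet (listed MAC, but from an address and to a port the IP/port rules would reject) is accepted; with the RETURN variant it falls through to the IP/port rules and is dropped, while a listed MAC that also satisfies those rules is still accepted.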

