In /etc/shorewall/rules, to accept say ftp from the net to a server in the dmz:
ACCEPT net dmz tcp 21
But, say you want only a specific host to have ftp access, say your buddy, who has some mac like 02:00:08:E3:FA:58 (for example) then your rule is:
ACCEPT net:~02:00:08:E3:FA:55 dmz tcp 21
(without using mac's you use IP's like so:)
ACCEPT net:12.32.43.56 dmz tcp 21
Or for a specified-by-mac dmz server,
ACCEPT net:~02:00:08:E3:FA:55 dmz:~05:22:08:G3:FB:45 tcp 21
Etc. Thus, you have unspoofable (I am pretty sure, anyone correct me?) firewalling.
See http://shorewall.net/configuration_file_basics.htm
Regards,
Alex Martin http://www.rettc.com
Ryan M. Waters wrote:
What might work even better would be to match on MAC layer address. This doesn't protect you from someone spoofing one of your friend's MAC addresses ... if you're concerned about that, I'd recommend making all connections go through a VPN, where you can authenticate the user prior to them being able to make any connections.
I don't use Shorewall at this time, so I can't provide any info off the top of my head for that.
For iptables, you could match on source ip, or do a '--match mac' for their MAC layer address.
For something more robust, I'd recommend ipsec (but don't do the blind 'leaf-node tunnel', in this case).
Ryan
Joey Officer wrote:
I am setting up a wireless card under Bering and I wanted to provide limited
access to it. But because I know that eventually the WEP will be cracked
and someone will get an IP address from the DHCPd server, I want to know if
I can redirect all traffic from (example) 192.168.2.0 except 192.168.2.205
to goatse.cx
Basically, I'm setting up a gateway for a friend or two, who I'll assign IP
addresses to via MAC address. Anyone else I want to be able to only get to
a single point. Has anyone done anything like this?
Joey
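As an added illustration (not code from any of the posters), a small Python helper that emits Shorewall rules for the scenario in this thread: it normalises MACs into the form Shorewall's rules file actually expects, "~" followed by hyphen-separated octets, rejects octets that are not hex, and puts the per-MAC ACCEPT rules for the wireless zone ahead of a catch-all DNAT for every other client. The zone name wifi and the addresses are assumed; a ~MAC qualifier only identifies a host on a segment attached directly to the firewall, since packets arriving through a router carry that router's MAC, and the MAC is chosen by the sender, as Ryan notes.

```python
import re

# Shorewall writes a MAC in the SOURCE/DEST column as "~" followed by six
# hyphen-separated hex octets, e.g. ~02-00-08-e3-fa-55 (colons are not accepted).
_OCTET = re.compile(r"[0-9A-Fa-f]{2}")


def shorewall_mac(mac):
    """Normalise 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' to Shorewall's
    ~aa-bb-cc-dd-ee-ff form. Raises ValueError for anything that is not six
    hex octets (an octet like 'G3' would otherwise yield a broken rule)."""
    octets = re.split(r"[:-]", mac.strip())
    if len(octets) != 6 or not all(_OCTET.fullmatch(o) for o in octets):
        raise ValueError(f"not a MAC address: {mac!r}")
    return "~" + "-".join(o.lower() for o in octets)


def is_mac(mac):
    """True if shorewall_mac() would accept the string."""
    try:
        shorewall_mac(mac)
        return True
    except ValueError:
        return False


def rule(action, src, dst, proto, port):
    """One tab-separated line for /etc/shorewall/rules."""
    return f"{action}\t{src}\t{dst}\t{proto}\t{port}"


def wifi_rules(known_macs, trap_ip, wifi_zone="wifi"):
    """Rules for the thread's scenario (zone name 'wifi' is assumed):
    wireless hosts with a known MAC may reach the ftp server in the dmz;
    everyone else on the wireless zone has web traffic DNATed to trap_ip.
    Shorewall applies rules in file order, so the specific ACCEPTs go first.
    A ~MAC match only identifies hosts on a segment attached directly to the
    firewall; packets that arrive through a router carry the router's MAC."""
    lines = [rule("ACCEPT", f"{wifi_zone}:{shorewall_mac(m)}", "dmz", "tcp", 21)
             for m in known_macs]
    lines.append(rule("DNAT", wifi_zone, f"loc:{trap_ip}", "tcp", 80))
    return lines


if __name__ == "__main__":
    # Constructed sample input: one known client, trap host on the LAN.
    print("\n".join(wifi_rules(["02:00:08:E3:FA:55"], "192.168.2.1")))
```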
------------------------------------------------------- This SF.net email is sponsored by: IBM Linux Tutorials. Become an expert in LINUX or just sharpen your skills. Sign up for IBM's Free Linux Tutorials. Learn everything from the bash shell to sys admin. Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click ------------------------------------------------------------------------ leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html