On Wed, 2011-10-05 at 16:34 -0700, Tom Eastep wrote:
> > Each "zone2zone" chain (e.g., net2fw) that has blacklist rules has
> > a companion blacklisting chain with the same name but prefaced by
> > "~". For example, 'net2fw' blacklist rules appear in the chain
> > ~net2fw.
> >
>
> Actually, the '~' follows the name.
>
> > The 'maclist' interface option can also generate rules that are
> > traversed prior to those in the BLACKLIST section. If you want them
> > to come after the blacklist rules, simply recode your maclist
> > rules in the NEW section of the rules file.
> >
>
> This isn't a very satisfactory solution. I'll work on it some more.

Although maybe it is okay, given that we now have macipmap ipsets. Those
are ideal for MAC/IP validation. Anyone have an opinion one way or the
other?

-Tom

-- 
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
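As an added illustration (not part of the original thread, and not Shorewall's own documentation) of the two options Tom describes: a maclist entry, the same MAC check recoded in the NEW section of the rules file so that it is traversed after the BLACKLIST section, and the macipmap ipset alternative that pairs each IP with its MAC. It assumes a Shorewall 4.4-era file layout, interface eth1 in zone loc, and constructed MAC/IP values; the ipset lines use the ipset 4 macipmap syntax as I recall it (ipset 6 renamed the type to hash:ip,mac), so check them against your ipset(8).

```conf
# /etc/shorewall/interfaces -- the maclist option turns on MAC checking for eth1
#ZONE   INTERFACE   BROADCAST   OPTIONS
loc     eth1        detect      maclist

# /etc/shorewall/maclist -- rules generated from here are traversed BEFORE
# the BLACKLIST section, so a blacklisted address with an allowed MAC still gets in
#DISPOSITION   INTERFACE   MAC                 IP ADDRESSES (optional)
ACCEPT         eth1        00:a0:c9:15:39:78   192.168.1.10   # constructed host A
ACCEPT         eth1        00:a0:c9:15:39:79   192.168.1.11   # constructed host B
# anything else on eth1 falls through to MACLIST_DISPOSITION in shorewall.conf

# /etc/shorewall/rules -- the same check recoded in the NEW section, so the
# BLACKLIST section is consulted first; MACs in SOURCE use the ~ prefix and dashes
#ACTION   SOURCE                      DEST   PROTO   DEST_PORT(S)
SECTION BLACKLIST
DROP      loc:192.168.1.11            all            # constructed blacklisted host
SECTION NEW
ACCEPT    loc:~00-a0-c9-15-39-78      $FW    tcp     22
ACCEPT    loc:~00-a0-c9-15-39-79      $FW    tcp     22   # never reached for 192.168.1.11: dropped above

# macipmap alternative -- the set pairs IP with MAC, which a plain ~MAC rule cannot do.
# Assumed ipset 4 syntax; create and fill the set before "shorewall start".
ipset -N validhosts macipmap --network 192.168.1.0/24
ipset -A validhosts 192.168.1.10,00:a0:c9:15:39:78
ipset -A validhosts 192.168.1.11,00:a0:c9:15:39:79

# then, in the NEW section of /etc/shorewall/rules, one rule replaces the per-MAC lines:
#ACTION   SOURCE              DEST   PROTO   DEST_PORT(S)
ACCEPT    loc:+validhosts     $FW    tcp     22
```

The point of the ordering: a maclist ACCEPT is matched in the interface's maclist chain before the zone2zone chain (and therefore before its ~-suffixed blacklist chain) is entered, whereas the NEW-section and ipset forms sit in the zone2zone chain after the blacklist rules, so a blacklisted source is dropped regardless of its MAC. The `+validhosts` match tests the packet's source IP and source MAC together against the set, which is the MAC/IP validation the message refers to.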
Shorewall-devel mailing list: https://lists.sourceforge.net/lists/listinfo/shorewall-devel
