> 2) Support for arptables has been added to Shorewall and Shorewall
> Lite.
>
> - Both classic arptables and arptables_jf (fork maintained by Jay
> Fenlason) are supported.
>
> - There is now an ARPTABLES option in the shorewall.conf file to
> specify the path to the arptables binary.
>
> - An arprules file has been added to allow specification of
> arptables rules. See shorewall-arprules (5) for details.
>
> - A 'show arptables' command has been added to show the active
> arptables rules.
>
> - arptables rules are saved and restored by the save and restore
> commands if the new option SAVE_ARPTABLES is set to Yes in
> shorewall.conf.
>
> - arptables rules are displayed in the 'dump' command.
>
> As part of this change, a new capability ('Arptables JF') has been
> added. If you use a capabilities file, you should regenerate it
> after installing this version.
>
A couple of things you may or may not be aware of:
1. The default policy for the core chains does not function properly (at
least when the policy is DROP anyway), particularly if you have
sub-chains. What I had to do in such an instance is insert a "-j <policy>"
statement at the end of each chain/sub-chain to fix this.
2. You probably need to manipulate the arp cache when the firewall is
(re-)started since there may be changes in the rule set. This, as you
probably know, is done with the "ip n ..." command, so it would be easy to
deal with.
3. You may wish to create an additional file (something like the existing
maclist) to manipulate the arp cache entries: the arp cache entries
could be temporary as well as permanent - this adds, among other things,
an extra security layer as well as preventing excessive arp traffic.
4. The loopback interface, when included in any arp rules, does not work
properly.
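The two workarounds raised in points 1 to 3 above, written out as an added shell example (not Shorewall's own code, and not the arprules syntax): every chain and sub-chain ends in an explicit "-j <policy>" rule instead of relying on the chain's default policy, and the ARP cache for the interface is flushed and re-pinned when the rules are (re)loaded. The interface name, IP/MAC pairs and the "arp_eth0" chain name are constructed samples; the option spellings follow classic arptables (--source-mac) and iproute2 (ip neigh), which is an assumption about the installed tools. By default the script only prints the commands it would run, so it can be tried without root; point ARPTABLES and IP at the real binaries to apply them.

```shell
#!/bin/sh
# Added example, not Shorewall code. Prints (or, with ARPTABLES/IP set to the
# real binaries, runs) an arptables rule set in which every chain ends in an
# explicit terminal target, plus the "ip neigh" commands that refresh the ARP
# cache for the same interface. All addresses below are constructed samples.
ARPTABLES="${ARPTABLES:-echo arptables}"
IP="${IP:-echo ip}"
POLICY="${POLICY:-DROP}"
IFACE="${IFACE:-eth0}"

# Constructed trust list: one "<ip> <mac>" pair per line (like a maclist entry).
TRUSTED='192.0.2.10 02:00:00:00:00:10
192.0.2.11 02:00:00:00:00:11'

# Emit the arptables commands for $IFACE. The per-interface sub-chain and the
# built-in INPUT chain each finish with "-j $POLICY", so the outcome does not
# depend on the chain's default policy being honoured (point 1 above).
arp_rules() {
    chain="arp_$IFACE"
    $ARPTABLES -N "$chain"
    printf '%s\n' "$TRUSTED" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        # Accept only the expected IP/MAC pairing on this interface.
        $ARPTABLES -A "$chain" -i "$IFACE" -s "$ip" --source-mac "$mac" -j ACCEPT
    done
    $ARPTABLES -A "$chain" -j "$POLICY"           # explicit end of sub-chain
    $ARPTABLES -A INPUT -i "$IFACE" -j "$chain"
    $ARPTABLES -A INPUT -i "$IFACE" -j "$POLICY"  # explicit end of INPUT
}

# Emit the "ip neigh" commands that drop stale entries for $IFACE and pin the
# trusted hosts as permanent entries, so a reload cannot leave a cached mapping
# that the new rules would have rejected (points 2 and 3 above).
arp_cache_refresh() {
    $IP neigh flush dev "$IFACE"
    printf '%s\n' "$TRUSTED" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        $IP neigh replace "$ip" lladdr "$mac" dev "$IFACE" nud permanent
    done
}

# Check helper: does the last rule appended to chain $2 in output $1 jump to
# $POLICY? Returns grep's status (0 = yes).
chain_ends_with_policy() {
    printf '%s\n' "$1" | grep -- "-A $2 " | tail -n 1 | grep -q -- "-j $POLICY\$"
}

arp_rules
arp_cache_refresh
```

Run it as-is to see the generated command sequence; the `ip neigh flush` is deliberately limited to the one interface so entries on other interfaces are untouched.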
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel