On Thu, 2006-12-10 at 07:41 -0700, Tom Eastep wrote:

> The 'Drop' chain is generated by the Drop action which gets called because it
> is the default action for DROP policies
> (http://www.shorewall.net/Actions.html#id2500209).

Indeed.

> In other words, it gets called just before a DROP policy is enforced.

Right.

> So waiting until then to do MAC filtration wouldn't work because traffic from
> banned MAC addresses might have already been allowed by ACCEPT, DNAT, or
> REDIRECT rules.

Agreed. INPUT->eth0_in->eth0_mac

> I'll consider this an enhancement request to allow log filtration of messages
> generated by maclist and try to get something into 3.3.

How about jumping to the Drop table right before the

    LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:eth0_mac:REJECT:'

rule in the eth0_mac table (of course eth0 is just one interface. The same would be done for all interfaces with maclist on them)?

Hrm. But that would not cause a RETURN back from Drop to eth0_mac for anything that did not match the Drop table so that it could be logged by eth0_mac, yes? Or would it? It seems there are lots of "LOG" rules right after a Drop target.

Actually I just did:

    # iptables -I eth0_mac 7 -j Drop

and it seems to have the desired effect. Too bad the 7 is dependent on how many macs are in maclist for that interface and you can't reference line numbers relative from the end (afaik) or I would just add the above to the start file (until 3.3 provides a solution). I guess I could grep maclist and count to derive the line number in eth0_mac.

Thoughts?

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell
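A script-level version of the "grep maclist and count" idea in the message above, added here as an example and not taken from the thread or from Shorewall itself: instead of counting maclist entries, it reads the chain listing, finds the position of the LOG rule, and builds the matching `iptables -I` command, so the jump to Drop lands right before the LOG rule no matter how many MAC entries precede it. The listing format of `iptables -L <chain> -n --line-numbers` and the sample entries are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Shorewall. Finds the maclist
# LOG rule in a per-interface MAC chain (eth0_mac in the thread) and builds
# "iptables -I <chain> <n> -j Drop" with <n> taken from the live chain, so
# the jump lands right before the LOG rule however many MAC entries precede it.
# Assumes the column layout of `iptables -L <chain> -n --line-numbers`:
# num, target, prot, opt, source, destination, extra.

# Print the rule number of the first LOG rule read from stdin; fail if none.
log_rule_num() {
    awk '$1 ~ /^[0-9]+$/ && $2 == "LOG" { print $1; found = 1; exit }
         END { exit found ? 0 : 1 }'
}

# Print the insert command for CHAIN from a listing on stdin. Prints nothing
# (and succeeds) when the chain already jumps to Drop, so re-running a start
# script does not stack duplicate jumps; fails when no LOG rule exists.
drop_insert_cmd() {
    chain=$1
    listing=$(cat)
    if printf '%s\n' "$listing" | awk '$2 == "Drop" { hit = 1 } END { exit hit ? 0 : 1 }'; then
        return 0
    fi
    num=$(printf '%s\n' "$listing" | log_rule_num) || return 1
    printf 'iptables -I %s %s -j Drop\n' "$chain" "$num"
}

# Live use (as root): compute the command from the real chain and run it.
apply_drop_jump() {
    cmd=$(iptables -L "$1" -n --line-numbers | drop_insert_cmd "$1") || return 1
    if [ -n "$cmd" ]; then eval "$cmd"; fi
}

# Constructed sample listing: six maclist entries, LOG rule at position 7.
sample_listing() {
cat <<'EOF'
Chain eth0_mac (1 references)
num  target  prot opt source     destination
1    RETURN  all  --  0.0.0.0/0  0.0.0.0/0  MAC 00:11:22:33:44:01
2    RETURN  all  --  0.0.0.0/0  0.0.0.0/0  MAC 00:11:22:33:44:02
3    RETURN  all  --  0.0.0.0/0  0.0.0.0/0  MAC 00:11:22:33:44:03
4    RETURN  all  --  0.0.0.0/0  0.0.0.0/0  MAC 00:11:22:33:44:04
5    RETURN  all  --  0.0.0.0/0  0.0.0.0/0  MAC 00:11:22:33:44:05
6    RETURN  all  --  0.0.0.0/0  0.0.0.0/0  MAC 00:11:22:33:44:06
7    LOG     all  --  0.0.0.0/0  0.0.0.0/0  LOG flags 0 level 6 prefix `Shorewall:eth0_mac:REJECT:'
8    reject  all  --  0.0.0.0/0  0.0.0.0/0
EOF
}

sample_listing | drop_insert_cmd eth0_mac   # prints: iptables -I eth0_mac 7 -j Drop
```

Because the command is printed rather than run, it can be reviewed before being eval'd from a start script, and the chain can be re-listed afterwards to confirm the jump sits at the position the LOG rule previously occupied.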
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
