On Wed, 2007-05-09 at 12:50 -0700, Tom Eastep wrote:
> 
> Note that you can accomplish the same goal without ipsets (much less
> efficiently) by inserting rules in the front of the nat table 'loc_dnat' 
> chain:
> 
>       iptables -t nat -I loc_dnat -m mac --mac-source <MAC> -j RETURN
> 
> You would probably want to maintain a database of allowed MACs so these
> rules could be restored in your /etc/shorewall/start script.

I sometimes do this sort of thing when I want to add a new rule.  Rather
than add it to rules and regenerate the whole firewall ruleset and
install it (remotely through shorewall-lite) I add it to rules and then
just do the "iptables -I <chain> <rule>" that I know shorewall will end
up doing the long way anyway.

Sometimes this is just to test a rule's effectiveness before going the
long route or sometimes it's just an ad-hoc rule.

But I have wondered while doing such a thing if there was room in
shorewall to do this automagically.  Probably not.  Just a thought.

But shorewall having a facility to do more like what OP was wanting
would be interesting.  A single shorewall command that would add a
single rule and also update a database so that a subsequent reload (or
even restore) would restore that state.

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell
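The "database of allowed MACs restored from /etc/shorewall/start" that Tom's reply describes, written out as an added example (not code from the thread or from the Shorewall project). It assumes an allowlist file at /etc/shorewall/allowed-macs with one MAC per line, and lets the command used to apply rules be overridden through $IPTABLES so the script can be dry-run with IPTABLES=echo without root or a live firewall; both of those names are this example's own choices, not anything from the original post.

```shell
#!/bin/sh
# Added example, not from the original thread or the Shorewall project:
# re-insert per-MAC RETURN rules at the front of the nat 'loc_dnat' chain,
# the way Tom's reply suggests doing from /etc/shorewall/start.
#
# Assumptions (this example's own, not the thread's):
#   - allowlist file /etc/shorewall/allowed-macs, one MAC per line,
#     blank lines and '#' comments allowed
#   - $IPTABLES names the command that applies rules (IPTABLES=echo = dry run)

IPTABLES="${IPTABLES:-iptables}"
ALLOWED_MACS="${ALLOWED_MACS:-/etc/shorewall/allowed-macs}"

# valid_mac MAC -> 0 if MAC is six colon-separated hex octets, else 1.
# Rejecting anything else keeps a malformed allowlist line from ever
# reaching iptables as an unexpected argument.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# mac_rule MAC -> prints the iptables arguments from Tom's reply for one MAC.
mac_rule() {
    printf '%s\n' "-t nat -I loc_dnat -m mac --mac-source $1 -j RETURN"
}

# restore_mac_exemptions [FILE] -> inserts one RETURN rule per valid MAC in
# FILE (default $ALLOWED_MACS), skipping blanks and comments, and prints the
# number inserted on the last line. Returns 1 if any line was rejected so the
# start script can notice a corrupted allowlist.
restore_mac_exemptions() {
    file="${1:-$ALLOWED_MACS}"
    inserted=0
    bad=0
    # '|| [ -n "$line" ]' still processes a final line without a newline
    while IFS= read -r line || [ -n "$line" ]; do
        mac="${line%%#*}"                           # strip trailing comment
        mac=$(printf '%s' "$mac" | tr -d '[:space:]')
        [ -z "$mac" ] && continue
        if valid_mac "$mac"; then
            # word-splitting of the rule string is intentional here
            $IPTABLES $(mac_rule "$mac")
            inserted=$((inserted + 1))
        else
            echo "allowed-macs: ignoring malformed line: $line" >&2
            bad=$((bad + 1))
        fi
    done < "$file"
    echo "$inserted"
    [ "$bad" -eq 0 ]
}

# Typical use from /etc/shorewall/start (assumed hook, per Tom's reply):
#   . /etc/shorewall/restore-mac-exemptions.sh && restore_mac_exemptions
```

Because these rules are inserted by hand rather than generated from the rules file, a later Shorewall restart rebuilds loc_dnat without them, which is exactly why the allowlist and the start hook exist: the file is the record, and the function replays it. Running it with IPTABLES=echo before enabling it shows each rule that would be inserted and flags any line the validator rejects.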


_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
