On Wed, 2007-05-09 at 12:50 -0700, Tom Eastep wrote:
>
> Note that you can accomplish the same goal without ipsets (much less
> efficiently) by inserting rules in the front of the nat table 'loc_dnat'
> chain:
>
> iptables -t nat -I loc_dnat -m mac --mac-source <MAC> -j RETURN
>
> You would probably want to maintain a database of allowed MACs so these
> rules could be restored in your /etc/shorewall/start script.
I sometimes do this sort of thing when I want to add a new rule. Rather than add it to rules and regenerate the whole firewall ruleset and install it (remotely through shorewall-lite), I add it to rules and then just do the "iptables -I <chain> <rule>" that I know shorewall will end up doing the long way anyway. Sometimes this is just to test a rule's effectiveness before going the long route, or sometimes it's just an ad-hoc rule.

But I have wondered while doing such a thing if there was room in shorewall to do this automagically. Probably not. Just a thought.

But shorewall having a facility to do more like what the OP was wanting would be interesting: a single shorewall command that would add a single rule and also update a database so that a subsequent reload (or even restore) would restore that state.

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell
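Added example, not part of either message above and not Shorewall code: a small POSIX sh script that does what Tom sketches (a database of allowed MACs replayed as "-j RETURN" rules at the front of the nat-table loc_dnat chain) and also what Brian asks for (one command that inserts the rule now and records it so a later restore rebuilds the same state). The file path /etc/shorewall/allowed-macs, the CHAIN and IPTABLES variables and the allowmac command name are assumptions of this example. Two points worth noting: "iptables -I" is not idempotent, so the script deletes any existing copy before inserting, and a MAC-source match is only a convenience filter, since a MAC address is trivially set by the sender.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: keep a small database of allowed
# MAC addresses and (re)insert "-j RETURN" rules at the front of the nat-table
# loc_dnat chain, the way Tom suggests. Assumed/hypothetical names:
#   MACDB    database file (default /etc/shorewall/allowed-macs)
#   CHAIN    chain to prepend to (default loc_dnat)
#   IPTABLES iptables binary; set IPTABLES=echo to dry-run without root
# Usage:
#   allowmac add 00:11:22:33:44:55   # insert the rule now and record the MAC
#   allowmac del 00:11:22:33:44:55   # remove the rule and forget the MAC
#   allowmac restore                 # replay the database, e.g. from /etc/shorewall/start

MACDB="${MACDB:-/etc/shorewall/allowed-macs}"
CHAIN="${CHAIN:-loc_dnat}"
IPTABLES="${IPTABLES:-iptables}"

# Lower-case the MAC and accept only six colon-separated hex pairs. The value
# ends up on a root command line, so anything else is rejected outright.
norm_mac() {
    m=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf '%s' "$m" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    printf '%s\n' "$m"
}

# "-I" alone is not idempotent: each call prepends another copy. Deleting any
# existing copy first (ignoring failure) makes repeated restores harmless.
insert_rule() {
    "$IPTABLES" -t nat -D "$CHAIN" -m mac --mac-source "$1" -j RETURN 2>/dev/null || true
    "$IPTABLES" -t nat -I "$CHAIN" -m mac --mac-source "$1" -j RETURN
}

delete_rule() {
    "$IPTABLES" -t nat -D "$CHAIN" -m mac --mac-source "$1" -j RETURN
}

# Record a MAC in the database exactly once; -x matches whole lines, -F literal.
db_add() {
    touch "$MACDB"
    grep -qxF "$1" "$MACDB" || printf '%s\n' "$1" >> "$MACDB"
}

db_del() {
    [ -f "$MACDB" ] || return 0
    grep -vxF "$1" "$MACDB" > "$MACDB.tmp" || true   # grep exits 1 when nothing is left
    mv "$MACDB.tmp" "$MACDB"
}

# The single command Brian describes: apply the rule and update the database
# in one step, so a later "restore" rebuilds the same state.
allowmac() {
    case "$1" in
        add)
            mac=$(norm_mac "$2") || { echo "bad MAC: $2" >&2; return 2; }
            insert_rule "$mac" && db_add "$mac"
            ;;
        del)
            mac=$(norm_mac "$2") || { echo "bad MAC: $2" >&2; return 2; }
            delete_rule "$mac" && db_del "$mac"
            ;;
        restore)
            [ -f "$MACDB" ] || return 0
            while read -r mac; do
                if [ -n "$mac" ]; then insert_rule "$mac"; fi
            done < "$MACDB"
            ;;
        *)
            echo "usage: allowmac add|del <MAC> | restore" >&2
            return 2
            ;;
    esac
}

if [ "$#" -gt 0 ]; then allowmac "$@"; fi
```

To wire it into Shorewall the way Tom suggests, call "allowmac restore" from /etc/shorewall/start; on a shorewall-lite box the database file travels with the compiled script, so the ad-hoc "allowmac add" survives the next restart without regenerating the ruleset.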
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
