Brian J. Murrell wrote:
> On Wed, 2007-05-09 at 12:50 -0700, Tom Eastep wrote:
>> Note that you can accomplish the same goal without ipsets (much less
>> efficiently) by inserting rules in the front of the nat table 'loc_dnat' 
>> chain:
>>
>>      iptables -t nat -I loc_dnat -m mac --mac-source <MAC> -j RETURN
>>
>> You would probably want to maintain a database of allowed MACs so these
>> rules could be restored in your /etc/shorewall/start script.
> 
> I sometimes do this sort of thing when I want to add a new rule.  Rather
> than add it to rules and regenerate the whole firewall ruleset and
> install it (remotely through shorewall-lite) I add it to rules and then
> just do the "iptables -I <chain> <rule>" that I know shorewall will end
> up doing the long way anyway.
> 
> Sometimes this is just to test a rule's effectiveness before going the
> long route or sometimes it's just an ad-hoc rule.
> 
> But I have wondered while doing such a thing if there was room in
> shorewall to do this automagically.  Probably not.  Just a thought.
> 
> But shorewall having a facility to do more like what OP was wanting
> would be interesting.  A single shorewall command that would add a
> single rule and also update a database so that a subsequent reload (or
> even restore) would restore that state.

Ipsets already do that for most useful cases. Why would I want to spend my
time building the same thing?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
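
The allow-list restore that Tom sketches above (a database of allowed MACs whose `-m mac --mac-source <MAC> -j RETURN` rules are re-inserted at the front of the nat `loc_dnat` chain from `/etc/shorewall/start`), written out as an added example; this is not code from the thread or from Shorewall itself. It assumes a hypothetical allow-list file `/etc/shorewall/allowed-macs` with one MAC per line and `#` comments, validates each entry before it reaches iptables, and only defines functions unless run with `--restore`; setting `IPTABLES=echo` gives a dry run that prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall): restore MAC-based
# bypass rules at the head of Shorewall's nat 'loc_dnat' chain from an
# allow-list file, e.g. by calling this from /etc/shorewall/start.
# Assumed (hypothetical) layout: /etc/shorewall/allowed-macs holds one MAC
# per line; blank lines and '#' comments are ignored.

ALLOWED_MACS="${ALLOWED_MACS:-/etc/shorewall/allowed-macs}"
IPTABLES="${IPTABLES:-iptables}"   # set to "echo" for a dry run

# valid_mac MAC -> exit 0 if MAC is six colon-separated hex octets, else 1
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# list_macs FILE -> print the valid MACs from FILE, lowercased, one per line.
# Malformed entries are reported on stderr and skipped rather than passed to
# iptables, so a typo in the allow-list cannot turn into an unexpected match.
list_macs() {
    while IFS= read -r line || [ -n "$line" ]; do
        mac="${line%%#*}"                                   # strip comment
        mac=$(printf '%s' "$mac" | tr -d ' \t' | tr 'A-F' 'a-f')
        [ -z "$mac" ] && continue
        if valid_mac "$mac"; then
            printf '%s\n' "$mac"
        else
            printf 'skipping malformed MAC entry: %s\n' "$line" >&2
        fi
    done < "$1"
    return 0
}

# restore_mac_rules FILE -> insert one RETURN rule per valid MAC at the head
# of nat/loc_dnat so those hosts bypass the DNAT rules that follow. Entries
# are fed in reverse file order so the chain ends up in file order.
restore_mac_rules() {
    list_macs "$1" | sed '1!G;h;$!d' | while IFS= read -r mac; do
        "$IPTABLES" -t nat -I loc_dnat -m mac --mac-source "$mac" -j RETURN \
            || printf 'failed to insert rule for %s\n' "$mac" >&2
    done
    return 0
}

# Only act when explicitly asked, so the file can also be sourced for its
# functions without touching the firewall.
if [ "${1:-}" = "--restore" ]; then
    restore_mac_rules "$ALLOWED_MACS"
fi
```

Because `-I` without an index inserts at position 1, the RETURN rules land ahead of whatever Shorewall generated for `loc_dnat`, which is exactly the ordering the thread relies on; after `shorewall restart` the generated chain is rebuilt, so the call from the start script is what brings the allow-list back.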


_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
