Brian J. Murrell wrote:
> On Wed, 2007-05-09 at 12:50 -0700, Tom Eastep wrote:
>> Note that you can accomplish the same goal without ipsets (much less
>> efficiently) by inserting rules in the front of the nat table 'loc_dnat'
>> chain:
>>
>> iptables -t nat -I loc_dnat -m mac --mac-source <MAC> -j RETURN
>>
>> You would probably want to maintain a database of allowed MACs so these
>> rules could be restored in your /etc/shorewall/start script.
>
> I sometimes do this sort of thing when I want to add a new rule. Rather
> than add it to rules and regenerate the whole firewall ruleset and
> install it (remotely through shorewall-lite) I add it to rules and then
> just do the "iptables -I <chain> <rule>" that I know shorewall will end
> up doing the long way anyway.
>
> Sometimes this is just to test a rule's effectiveness before going the
> long route or sometimes it's just an ad-hoc rule.
>
> But I have wondered while doing such a thing if there was room in
> shorewall to do this automagically. Probably not. Just a thought.
>
> But shorewall having a facility to do more like what OP was wanting
> would be interesting. A single shorewall command that would add a
> single rule and also update a database so that a subsequent reload (or
> even restore) would restore that state.
Ipsets already do that for most useful cases. Why would I want to spend my time building the same thing?

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ [EMAIL PROTECTED]
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
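The "database of allowed MACs restored from /etc/shorewall/start" that Tom's quoted message sketches, written out as an added shell example; it is not code from this thread or from Shorewall itself. The allow-list path /etc/shorewall/allowed-macs, the IPT/CHAIN/MAC_DB overrides and the fake_ipt hook are assumptions, and the duplicate check uses `iptables -C`, which is only available in iptables 1.4.11 and later (not in the 2007-era versions discussed here).

```shell
#!/bin/sh
# Added example (not Shorewall's own code): restore per-MAC RETURN rules at the
# front of the nat 'loc_dnat' chain from an allow-list file, so the rules survive
# a reload. Meant to be sourced or run from /etc/shorewall/start.
# Assumed (hypothetical) file format: one MAC per line, '#' starts a comment.
MAC_DB="${MAC_DB:-/etc/shorewall/allowed-macs}"
CHAIN="${CHAIN:-loc_dnat}"
IPT="${IPT:-iptables}"   # override with a fake command for dry runs / tests

# Normalise a MAC to lower-case, colon-separated form.
# Prints the result and returns 0; prints nothing and returns 1 if malformed,
# so a typo in the allow-list never reaches iptables.
normalize_mac() {
    m=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr '-' ':')
    h='[0-9a-f][0-9a-f]'
    case "$m" in
        $h:$h:$h:$h:$h:$h) printf '%s\n' "$m" ;;
        *) return 1 ;;
    esac
}

# Insert the RETURN rule for one MAC only if it is not already present.
# -C (check) exists in iptables >= 1.4.11; without it you would -F the
# chain first or track inserted rules yourself.
add_mac_rule() {
    mac=$(normalize_mac "$1") || { echo "skipping malformed MAC: $1" >&2; return 1; }
    if $IPT -t nat -C "$CHAIN" -m mac --mac-source "$mac" -j RETURN 2>/dev/null; then
        return 0   # already there, keep the chain free of duplicates
    fi
    $IPT -t nat -I "$CHAIN" -m mac --mac-source "$mac" -j RETURN
}

# Walk the allow-list (blank lines and comments ignored) and print the number
# of rules that were inserted or already present.
restore_mac_rules() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        mac=$(printf '%s' "$line" | tr -d '[:space:]')
        [ -n "$mac" ] || continue
        add_mac_rule "$mac" && n=$((n + 1))
    done < "$MAC_DB"
    echo "$n"
}
```

Run it with `MAC_DB` pointing at the allow-list; with `IPT=echo` it only prints the iptables commands it would issue.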
