Brian J. Murrell wrote:
So here's my use case... I have a (shorewall) gateway but in general, users are not allowed to use it. They must use configured proxies and internal servers which are themselves allowed to use the gateway. The simple solution to this scenario is to simply use the maclist and only list the approved proxies. This screws up OSPF though. Even though the majority of hosts can't use the gateway, in general, they do need to exchange OSPF packets with it to complete their routing configuration. The simple workaround was to:

# iptables -I br-lan_mac -p 89 -j RETURN

Indeed, I could stop using maclist and put specific rules into the rules file to do the same thing, but the maclist is nice. :-) Thoughts?
Use the rules file -- you might find it more convenient to define an action that accepts traffic from the approved MACs and then apply that action to the protocols that the hosts are allowed to use.
-Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ [EMAIL PROTECTED] PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
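As an added illustration of the approach Tom suggests (not from the original thread or from the Shorewall project), here is a set of configuration fragments that replace the maclist: an action that matches only the approved MAC addresses, applied from the rules file to the protocols those hosts may use, plus a separate rule that lets every host on the LAN exchange OSPF (IP protocol 89, the same protocol Brian's iptables workaround exempted) with the firewall. The zone names loc and net, the action name ApprovedMAC, the MAC addresses, and the port lists are all assumptions made up for the example; the column layout assumed is that of the Shorewall rules file, which action files share.

```conf
# /etc/shorewall/actions  -- declare the user-defined action
#ACTION
ApprovedMAC

# /etc/shorewall/action.ApprovedMAC -- same columns as the rules file.
# A leading "~" marks a MAC address in the SOURCE column.  Both MACs
# below are invented for this example; list your real proxies/servers.
# Anything that matches none of these lines falls through to the next
# rule in the caller, and finally to the policy.
#TARGET   SOURCE                DEST   PROTO   DEST PORT(S)
ACCEPT    ~00-11-22-33-44-55    -      -       -
ACCEPT    ~00-11-22-33-44-66    -      -       -

# /etc/shorewall/rules
#ACTION       SOURCE   DEST   PROTO   DEST PORT(S)
# Every LAN host may talk OSPF (protocol 89) to the gateway itself,
# regardless of MAC, so routing still converges.
ACCEPT        loc      $FW    ospf
# Only the approved MACs may reach the Internet, and only on the
# protocols/ports the proxies actually need (assumed here).
ApprovedMAC   loc      net    tcp     80,443
ApprovedMAC   loc      net    udp     53

# /etc/shorewall/policy -- everything not explicitly accepted is dropped
#SOURCE  DEST   POLICY
loc      $FW    DROP
loc      net    DROP
```

Two practical notes. First, keep the OSPF rule as a plain ACCEPT from the whole zone rather than inside the action: the point of this layout is that the MAC restriction applies only to the Internet-bound rows, so the ordinary hosts lose nothing they need for routing. Second, MAC matching is a check on the link-layer header of the arriving frame, so it only ever restricts hosts on the directly attached interface; a host behind another router on the LAN would present that router's MAC. Run `shorewall check` before `shorewall restart` to catch column or syntax mistakes in the new action file.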
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
