Pieter Donche wrote:
> Tom Eastep wrote:
>>
>> Depends on how you set it up. If you set MACLIST_DISPOSITION=ACCEPT then
>> you might only add entries in /etc/shorewall/maclist for those that are
>> manually set -- specify both MAC and IP ADDRESS.
>
> But if I would use MACLIST_DISPOSITION=ACCEPT and only record entries for
> those that are manually set (2.), wouldn't this leave the possibility open
> that a user manually sets in his PC an IP address which is already
> reserved in our DHCP server (case 1.) for someone else's PC, causing the
> trouble that the DHCP server will not hand out that IP to the rightful
> 'owner' when that IP is in use ... (as I mentioned in my initial mail)
>
> So I believe that my only option is to specify all the DHCP-fixed
> assigned MAC/IP addresses in maclist.
>
> Or do I misunderstand? (then what am I missing here?)
As far as I'm concerned, your fixed assignments from your DHCP server are
'manually set'. Question of terminology.

>>> - What about the dynamically leased addresses: here the MAC address
>>> can vary, only the pool of IP addresses is fixed.
>>> If I understand well, putting in the MAC column a dash (-) and a
>>> comma-delimited set of IP addresses in the IPADDRESSES column, this
>>> would be sufficient?
>>
>> Or only the MAC addresses.
>
> But I want to avoid that a visitor for only a few days would need to ask
> me to record his MAC address. So I believe that my only option then is
> to use a dash in the MAC column and a comma-delimited set of IP addresses
> in the IPADDRESSES column.
>
> Is that right?

No. In fact, you can set MACLIST_DISPOSITION=REJECT

Hopefully, you have segregated the three types of assignment into separate
IP address ranges. Let's call them R1, R2, and R3 for Fixed-DHCP-assigned,
Manually-set and Dynamically-DHCP-assigned. Your maclist file then has three
groups of records:

#R1 - DHCP-assigned addresses
ACCEPT dhcp-mac-1 dhcp-assigned-addr-1
ACCEPT dhcp-mac-2 dhcp-assigned-addr-2
...
REJECT - R1
#R2 - Manual assignments
ACCEPT manual-mac-1 manual-addr-1
ACCEPT manual-mac-2 manual-addr-2
...
REJECT - R2
#R3 - Visitors
ACCEPT - R3

Note that every new connection entering from the 'maclist' interface will
have to march through this list. If the list is long, you might be better
off to create 3 Actions: A0, A1, A2

A0:
A1 R1
A2 R2
ACCEPT R3
REJECT -

A1:
ACCEPT dhcp-mac-1 dhcp-assigned-addr-1
ACCEPT dhcp-mac-2 dhcp-assigned-addr-2

A2:
ACCEPT manual-mac-1 manual-addr-1
ACCEPT manual-mac-2 manual-addr-2

At the top of the NEW section in your rules file:

A0 z:ethX ALL

Where z is the zone associated with ethX.

Note that in this approach, all MAC addresses must be expressed in Shorewall
format.

This approach avoids matching R2 traffic against all R1 rules and avoids
matching R3 traffic against all R1 and R2 rules.
If the lists are long though, it still means that the average new connection
will need to traverse 1/2 of the rules associated with the SOURCE IP's range.

As Simon has pointed out, all of this doesn't stop users from doing
something dastardly and disrupting your operation; they just won't get any
useful work done at the same time.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
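An added example, not code from the thread or from Shorewall itself: it reads the fixed MAC/IP assignments out of a constructed ISC dhcpd.conf fragment and emits the R1 group of maclist records sketched above, flagging any fixed assignment that falls outside the R1 range instead of accepting it. It assumes the maclist column layout DISPOSITION INTERFACE MAC IP ADDRESSES, the interface name ethX, and the ~xx-xx-xx-xx-xx-xx form as the Shorewall MAC format the actions need.

```python
import ipaddress
import re

# Constructed ISC dhcpd.conf fragment (sample data, not from the thread).
DHCPD_CONF = """
host pc-alice { hardware ethernet 00:11:22:33:44:55; fixed-address 192.168.1.10; }
host pc-bob {
  hardware ethernet AA:BB:CC:DD:EE:01;
  fixed-address 192.168.1.11;
}
host printer { hardware ethernet aa:bb:cc:dd:ee:02; fixed-address 192.168.1.200; }
"""

# One "host" stanza carrying both a hardware ethernet and a fixed-address line.
HOST_RE = re.compile(
    r"host\s+\S+\s*\{[^}]*?hardware\s+ethernet\s+([0-9a-fA-F:]{17})\s*;"
    r"[^}]*?fixed-address\s+([0-9.]+)\s*;", re.S)


def parse_fixed_assignments(conf):
    """Return [(mac, ip)] for every host stanza that has a fixed address."""
    return [(mac.lower(), ip) for mac, ip in HOST_RE.findall(conf)]


def shorewall_mac(mac):
    """MAC as Shorewall rules/actions expect it: ~xx-xx-xx-xx-xx-xx (assumed)."""
    return "~" + mac.lower().replace(":", "-")


def r1_records(assignments, iface, r1):
    """Build the R1 group of maclist: one ACCEPT per fixed assignment inside
    range r1, then a REJECT for everything else in r1. Assignments outside r1
    are returned separately, since they would defeat the range split."""
    net = ipaddress.ip_network(r1)
    records = ["#DISPOSITION\tINTERFACE\tMAC\tIP ADDRESSES"]
    outside = []
    for mac, ip in assignments:
        if ipaddress.ip_address(ip) in net:
            records.append(f"ACCEPT\t{iface}\t{mac}\t{ip}")
        else:
            outside.append((mac, ip))
    records.append(f"REJECT\t{iface}\t-\t{r1}")
    return records, outside


if __name__ == "__main__":
    fixed = parse_fixed_assignments(DHCPD_CONF)
    records, outside = r1_records(fixed, "ethX", "192.168.1.0/26")
    print("\n".join(records))
    for mac, ip in outside:
        print(f"# WARNING: {ip} ({shorewall_mac(mac)}) lies outside R1")
```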
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users