On 1/2/13 4:43 PM, Mr Dash Four wrote:
>
>> Something like this?
>>
>> http://www1.shorewall.net/manpages/shorewall-arprules.html
>>
> Indeed. I take it this isn't "mainstream" yet (judging by the first
> line of that man page), as this is the first time I am seeing it.
Yes -- this is all vaporware.
> Assuming that is so, I am also not sure that all ACTIONs included in
> that man page are supported - at least for my distro (Fedora) - this
> would need thorough checking. There was a specific command, the name
> of which escapes me at the moment, which could be used to show the
> available built-in arptables targets for a particular distro (like
> DROP, ACCEPT etc). That is worth using to build a potential list of
> capabilities for the various distros out there.
>
> You also need to be aware that you have 2 source and 2 destination
> pairs: SOURCE (as in IP address/mask), as well as HW SOURCE (as in
> MAC address), DESTINATION, as well as HW DESTINATION (or, as is
> referred in arptables, TARGET/HW TARGET). There are also other
> options, which can be specified in the arptables statement as well
> (for *very* specific fine-grade tuning), though I don't use these:
>
>   --arhln -a [!] length[/mask]     Hardware address length
>   --arpop -p [!] operation[/mask]  ARP operation
>   --arhrd -h [!] hrd[/mask]        ARP hardware address
>   --arpro -w [!] plen[/mask]       ARP protocol address format
>
> Another possible pitfall you need to be aware of is the chain names -
> Fedora, in their infinite wisdom, decided to "do a Micro$oft" and
> changed the names of the core chains to be IN, OUT and FORWARD, instead
> of keeping with all other distros out there (Debian, Ubuntu etc), so
> if you plan to introduce this feature in shorewall, you need to be
> aware of those differences.
I checked out arptables on Fedora. The package is arptables_jf; the
synopsis says that:
Arptables_jf is a fork of arptables from
ebtables.sourceforge.net written by Jay Fenlason.
So apparently, Jay decided that the ebtables team has been neglecting his
baby and has decided to take it back. In view of this development, I'm
not going to do anything right now. AFAICT, Jay's arptables is still a
subset of ebtables and I think that the best long-term strategy for
Shorewall is to support ebtables. That isn't a small project and will
require several months to bring to fruition.
>
> On a separate note, something of a heads-up for you Tom: I've just
> found quite a few "nasties" in shorewall (tested on shorewall .10+,
> though I am not finished yet), some of them not very pleasant to say
> the least, but will have more time to finish my testing to be sure -
> will be in a position to post them no earlier than this weekend (too
> busy at the moment).
I'll await your report.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
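The two pitfalls raised above, the IP/MAC field pairs and the Fedora vs. upstream chain names, worked into a small rule generator. This is an added example, not code from the thread or from Shorewall: it emits arptables rules that pin a host's IP to its MAC so ARP packets claiming that IP from any other hardware address are dropped. The chain names IN/OUT/FORWARD (Fedora arptables_jf) come from the thread; the MAC match option spellings (--source-mac for upstream, --src-mac for the fork) and the probe used to tell the flavours apart are assumptions to verify against each distro's man page.

```shell
#!/bin/sh
# Added example (not from the thread, not Shorewall code): generate arptables
# rules that pin a known host IP to its MAC, so ARP packets claiming that IP
# from any other MAC are dropped on the input path. It handles the two chain
# naming schemes quoted in the thread: the Fedora arptables_jf fork (IN/OUT/
# FORWARD) and upstream arptables (INPUT/OUTPUT/FORWARD).
# Assumption: upstream spells the MAC match --source-mac; the fork's spelling
# (--src-mac here) is a guess and must be checked against its man page.

# Translate a canonical chain (input|output|forward) for a flavour (jf|upstream).
arp_chain() {
    case "$1:$2" in
        jf:input)        echo IN ;;
        jf:output)       echo OUT ;;
        upstream:input)  echo INPUT ;;
        upstream:output) echo OUTPUT ;;
        *:forward)       echo FORWARD ;;
        *) echo "unknown flavour/chain: $1/$2" >&2; return 1 ;;
    esac
}

# Source-MAC match option for a flavour (see the assumption above).
mac_opt() {
    case "$1" in
        jf)       echo --src-mac ;;
        upstream) echo --source-mac ;;
        *) return 1 ;;
    esac
}

# Probe the installed arptables: the fork accepts the IN chain, upstream does
# not. Without arptables on the host, default to upstream naming.
detect_flavour() {
    if command -v arptables >/dev/null 2>&1 && arptables -L IN >/dev/null 2>&1; then
        echo jf
    else
        echo upstream
    fi
}

# Print the rule for flavour $1 that drops ARP packets whose sender IP is $2
# but whose sender MAC is not $3 (the "!" negates the MAC match).
pin_rule() {
    chain=$(arp_chain "$1" input) || return 1
    opt=$(mac_opt "$1") || return 1
    printf 'arptables -A %s -s %s %s ! %s -j DROP\n' "$chain" "$2" "$opt" "$3"
}

# Usage: pin the default gateway (constructed sample IP and MAC).
pin_rule "$(detect_flavour)" 192.0.2.1 00:11:22:33:44:55
```

The script only prints the rule; pipe it to sh after checking the option names on the target distro, since the fork's spellings are the part the thread says needs checking.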
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
