Hi all, my name is Davide Marini. I've been using Shorewall for a while, but this is the first time I'm writing on this ML.

This is my scenario: I'm using the MACLIST option, so I properly edited the necessary files (maclist, interfaces etc.) in order to make it work... and it's working flawlessly; the policy is DROP for packets with no ip/mac binding.

Now, on the same machine where Shorewall is running, I also have a dhcp server for my LAN with dhcp reservations (the reservations are exactly the same ip/mac pairs listed in the maclist file). The devices have no fixed ip: they receive an ip from the dhcp, and the ones with a reservation can make traffic while the others are blocked. This is important because it saves me from configuring every single device with a fixed ip; I can do everything remotely, I just need to know the mac address.

The problem now is that the maclist option in Shorewall creates the block rule at the top of the INPUT chain, and this is blocking all dhcp requests from clients to my dhcp server (running on the same server machine), so even the clients in the maclist can't receive an IP address and they can't make any traffic. I tried to put some rules in the /etc/shorewall/rules file, but I can't put anything prior to the maclist rule (maybe there is a way I don't know).

At the moment I'm using a workaround: I edited the /etc/shorewall/start script file, putting the right iptables rules to allow clients to talk with the dhcp server (input accept udp ports 67 and 68). It is working... but I would prefer to use a more "standard" way to make it work... do you have any advice?

thank you
Davide

------------------------------------------------------------------------------
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
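The ordering problem described in the post (DHCP ACCEPT rules must sit in INPUT before the MAC filter jump, or clients never get a lease) can be checked mechanically. The script below is an added example, not code from the post or from the Shorewall project: it takes an `iptables -S INPUT` style listing and verifies that ACCEPT rules for udp/67 and udp/68 precede the first jump into a MACLIST chain. The listing is constructed inline, and the assumption that Shorewall names the MACLIST chain `<interface>_mac` is an assumption of this example, not something the post states.

```shell
#!/bin/sh
# Added example (not from the original post). Verifies that DHCP ACCEPT rules
# appear in the INPUT chain before the first MACLIST jump.

# Constructed sample, shaped like `iptables -S INPUT` on a Shorewall host.
# The chain name eth1_mac is an assumption about Shorewall's MACLIST naming.
SAMPLE_INPUT_CHAIN='-P INPUT DROP
-A INPUT -i eth1 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 68 -j ACCEPT
-A INPUT -i eth1 -j eth1_mac
-A INPUT -i eth1 -j eth1_in'

# dhcp_rules_precede_maclist LISTING
# Prints "ok" and returns 0 when ACCEPT rules for udp/67 and udp/68 both
# appear before the first "-j <iface>_mac" jump; otherwise prints the
# problem and returns 1.
dhcp_rules_precede_maclist() {
    listing="$1"
    # Line number of the first jump into a MACLIST chain.
    mac_line=$(printf '%s\n' "$listing" | grep -n -e '-j [A-Za-z0-9_]*_mac$' | head -n 1 | cut -d: -f1)
    if [ -z "$mac_line" ]; then
        echo "no MACLIST jump found in INPUT"
        return 1
    fi
    for port in 67 68; do
        # Line number of the first ACCEPT for this UDP port.
        rule_line=$(printf '%s\n' "$listing" | grep -n -e "-p udp .*--dport $port -j ACCEPT" | head -n 1 | cut -d: -f1)
        if [ -z "$rule_line" ] || [ "$rule_line" -gt "$mac_line" ]; then
            echo "udp/$port ACCEPT missing or placed after the MACLIST jump"
            return 1
        fi
    done
    echo "ok"
    return 0
}

# dhcp_accept_commands IFACE
# Prints the two iptables commands that insert the DHCP ACCEPT rules at the
# top of INPUT, i.e. the workaround the post describes for /etc/shorewall/start.
# Nothing is executed here; the commands are only printed for review.
dhcp_accept_commands() {
    iface="$1"
    printf 'iptables -I INPUT -i %s -p udp --dport 67 -j ACCEPT\n' "$iface"
    printf 'iptables -I INPUT -i %s -p udp --dport 68 -j ACCEPT\n' "$iface"
}

# Stand-alone usage: check the constructed listing and show the commands.
dhcp_rules_precede_maclist "$SAMPLE_INPUT_CHAIN"
dhcp_accept_commands eth1
```

On a live host the listing would come from `iptables -S INPUT` run after `shorewall start`, which is the moment the ordering matters; running the check then confirms whether the workaround rules actually landed ahead of the MAC filter.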
