On 09/14/2015 02:50 AM, Davide Marini wrote:
> Hi all,
> my name is Davide Marini, I've been using Shorewall for a while, but this is
> the first time I'm writing on this ML.
> This is my scenario: I'm using the MACLIST option, so I properly edited
> the necessary files (maclist, interfaces etc.) in order to make it
> work... and it's working flawlessly, the policy is DROP for packets with
> no ip/mac binding.
>
> Now, on the same machine where Shorewall is running, I also have a dhcp
> server for my LAN with dhcp reservations (reservations are exactly the
> same ip/mac listed in the maclist file).
> The devices have no fixed ip, they receive an ip from the dhcp and the
> ones with the reservation can make traffic, the others are blocked.
> This is important because it avoids me having to configure any single device
> with fixed ip, I can do everything remotely, I just need to know the
> mac address.
>
> The problem now is that the maclist option in shorewall creates the block
> rule at the top of the INPUT chain and this is blocking all dhcp
> requests from clients to my dhcp server (running on the same server
> machine), so even the clients in the maclist can't receive an IP address
> and they can't make any traffic.
> I tried to put some rules in the /etc/shorewall/rules file, but I can't
> put anything prior to the maclist rule (maybe there is one way I don't know).
>
> At the moment I'm using a workaround: I edited the /etc/shorewall/start
> script file putting the right iptables rules to allow clients to talk
> with the dhcp server (input accept udp ports 67 and 68).
> It is working... but I would prefer to use a more "standard" way to make
> it work... do you have any advice?
> thank you

Two questions:

a) Have you specified the 'dhcp' option on the interface?
b) Which Shorewall version are you running?

Thanks,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
