On 09/16/2015 01:06 AM, Davide Marini wrote:
> Hi Tom,
> what I am trying to tell is:
> 
> if I'm using the maclist option for binding IP and MAC addresses with 
> MACLIST_DISPOSITION=DROP (or REJECT), every packet towards the firewall 
> is blocked.
> I can use the dhcp option in the interfaces file to make DHCP 
> work, but if I have other services I have to use an extension script.
> 
> Let me show an example:
> * IP/MAC binding enabled with policy DROP
> * MACLIST_TABLE: not defined (I'm NOT USING the MANGLE table; the rules are 
> written in the filter section)
> * I have a service on the firewall running on port 9999; every client 
> (also the non-matching IP/MAC ones) should use it.
> * I have the dhcp option enabled on my loc interface (just for further 
> clarification)
> 
> If I create a rule like this in shorewall/rules, in the "NEW" section:
> 
> 
> ACCEPT loc $FW tcp 9999
> 
> 
> from `shorewall show`:
> 
> 
> Chain INPUT (policy DROP 0 packets, 0 bytes)
>   pkts bytes target     prot opt in     out     source               destination
>    583 53910 loc2fw     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           policy match dir in pol none
>    130 76212 eth2_in    all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
> ...
> Chain loc2fw (1 references)
>   pkts bytes target     prot opt in     out     source               destination
>     94 14460 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate INVALID,NEW,UNTRACKED
>     94 14460 smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate INVALID,NEW,UNTRACKED policy match dir in pol none
>     12  4296 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:67:68
>    477 38075 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           policy match dir in pol none
>     82 10164 eth0_mac   all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate NEW,UNTRACKED policy match dir in pol none
>    489 39450 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED
>      0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:9999
> 
> 
> In my loc2fw chain I have the eth0_mac chain before my ACCEPT rule for 
> port 9999; the eth0_mac chain is the one from maclist that holds the block 
> for non-matching IP and MAC pairs.
> In that way every packet towards the firewall coming from an invalid 
> IP/MAC pair will be blocked.
> On the other hand, the DHCP rule (to allow use of DHCP) is correctly 
> placed before eth0_mac, and every device can make DHCP 
> requests correctly.
> 
> I hope everything is clearer now.
> I just need to know if there is some smarter way to solve my problem without 
> using an extension script (like the "start" one).

If you have added the 'dhcp' option to eth0 and are still seeing dhcp
blocked, please forward the output of 'shorewall dump' as an attachment.
You can send it to me privately if you like.

Thanks,
-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
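The ordering problem described in the quoted message (the jump to eth0_mac sitting ahead of the port-9999 ACCEPT in loc2fw, while the DHCP ACCEPT sits before it) can be checked mechanically against `shorewall show` / `iptables -L -v -n` output. The script below is an added example, not code from the Shorewall project or from either poster: it parses chain listings into ordered rule lists and reports whether a given ACCEPT rule is reached before or after the maclist chain for new connections. The embedded listing is reconstructed from the chains quoted above (wrapped lines joined); the function names and the port/chain arguments used in the check are the only assumptions beyond that.

```python
"""Rule-ordering check for iptables chain listings.

Added example (not Shorewall's or the original poster's code). The SAMPLE
listing is reconstructed from the INPUT/loc2fw chains quoted in the thread.
"""
import re
import sys

# Constructed sample input: the chains posted in the thread, wrapped lines joined.
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source               destination
   583 53910 loc2fw     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           policy match dir in pol none
   130 76212 eth2_in    all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
Chain loc2fw (1 references)
  pkts bytes target     prot opt in     out     source               destination
    94 14460 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate INVALID,NEW,UNTRACKED
    94 14460 smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate INVALID,NEW,UNTRACKED policy match dir in pol none
    12  4296 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:67:68
   477 38075 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           policy match dir in pol none
    82 10164 eth0_mac   all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate NEW,UNTRACKED policy match dir in pol none
   489 39450 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:9999
"""

# One rule line of `iptables -L -v -n`: counters, target, proto, opt, in, out,
# source, destination, then whatever match text follows (may be empty).
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+"
    r"(?P<opt>\S+)\s+(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)"
    r"\s*(?P<match>.*)$"
)
CHAIN_RE = re.compile(r"^Chain (\S+)")


def parse_chains(listing):
    """Return {chain_name: [rule dict, ...]} with rules in listing order."""
    chains = {}
    current = None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if current is None or line.lstrip().startswith("pkts"):
            continue  # column header or text outside any chain
        r = RULE_RE.match(line)
        if r:
            chains[current].append(r.groupdict())
    return chains


def rule_index(rules, target=None, match_substr=None):
    """Index of the first rule with the given target and/or match text, or -1."""
    for i, r in enumerate(rules):
        if target is not None and r["target"] != target:
            continue
        if match_substr is not None and match_substr not in r["match"]:
            continue
        return i
    return -1


def accept_precedes_maclist(chains, chain, mac_chain, accept_match):
    """True if the ACCEPT rule containing `accept_match` comes before the jump
    to `mac_chain` in `chain` (so a NEW packet from a non-matching IP/MAC pair
    can still reach it); False if it comes after; None if either is absent."""
    rules = chains[chain]
    mac_i = rule_index(rules, target=mac_chain)
    acc_i = rule_index(rules, target="ACCEPT", match_substr=accept_match)
    if mac_i < 0 or acc_i < 0:
        return None
    return acc_i < mac_i


if __name__ == "__main__":
    # Usage: shorewall show loc2fw | python3 maclist_order.py   (or no stdin: SAMPLE)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    chains = parse_chains(text)
    for label in ("dpts:67:68", "dpt:9999"):
        ok = accept_precedes_maclist(chains, "loc2fw", "eth0_mac", label)
        print(f"ACCEPT {label}: {'before' if ok else 'after' if ok is False else 'not found /'} eth0_mac")
```

Run with no input to check the reconstructed listing, or pipe in `shorewall show loc2fw` from a live firewall; on the posted chains the DHCP rule is reported as preceding eth0_mac and the port-9999 rule as following it, which is exactly the behaviour the quoted message describes.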

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
