shorewall_code/manpages6/shorewall6-maclist.xml

117 lines
4.2 KiB
XML
Raw Normal View History

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-maclist</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>maclist</refname>
<refpurpose>shorewall6 MAC Verification file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall6/maclist</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>This file is used to define the MAC addresses and optionally their
associated IPv6 addresses to be allowed to use the specified interface.
The feature is enabled by using the <emphasis
role="bold">maclist</emphasis> option in the <ulink
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5) or
<ulink url="shorewall6-hosts.html">shorewall6-hosts</ulink>(5)
configuration file.</para>
<para>The columns in the file are as follows.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">DISPOSITION</emphasis> - {<emphasis
role="bold">ACCEPT</emphasis>|<emphasis
role="bold">DROP</emphasis>|<emphasis
role="bold">REJECT</emphasis>}[<option>:</option><replaceable>log-level</replaceable>]</term>
<listitem>
<para><emphasis role="bold">ACCEPT</emphasis> or <emphasis
role="bold">DROP</emphasis> (if MACLIST_TABLE=filter in <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink>(5), then REJECT
is also allowed). If specified, the
<replaceable>log-level</replaceable> causes packets matching the
rule to be logged at that level.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">INTERFACE</emphasis> -
<emphasis>interface</emphasis></term>
<listitem>
<para>Network <emphasis>interface</emphasis> to a host.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">MAC</emphasis> -
<emphasis>address</emphasis></term>
<listitem>
<para>MAC <emphasis>address</emphasis> of the host -- you do not
need to use the shorewall6 format for MAC addresses here. If
<emphasis role="bold">IP ADDRESSESES</emphasis> is supplied then
<emphasis role="bold">MAC</emphasis> can be supplied as a dash
(<emphasis role="bold">-</emphasis>)</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">IP ADDRESSES</emphasis> (Optional) -
[<emphasis>address</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>address</emphasis>]...]</term>
<listitem>
<para>If specified, both the MAC and IP address must match. This
column can contain a comma-separated list of host and/or subnet
addresses. If your kernel and ip6tables have iprange match support
then IP address ranges are also allowed. Similarly, if your kernel
and ip6tables include ipset support than set names (prefixed by "+")
are also allowed.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall6/maclist</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para><ulink
url="http://shorewall.net/MAC_Validation.html">http://shorewall.net/MAC_Validation.html</ulink></para>
<para><ulink
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
shorewall6-zones(5)</para>
</refsect1>
</refentry>