From 2288ea4d72f7979d1ec89bdfb0d46af5d661ea48 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 4 Jun 2009 15:48:49 -0700 Subject: [PATCH] Bring MAC validation article up to date --- docs/MAC_Validation.xml | 75 ++++++++++------------------------------- 1 file changed, 17 insertions(+), 58 deletions(-) diff --git a/docs/MAC_Validation.xml b/docs/MAC_Validation.xml index 3c09151bd..5888c42c7 100644 --- a/docs/MAC_Validation.xml +++ b/docs/MAC_Validation.xml @@ -155,57 +155,15 @@
/etc/shorewall/maclist - The columns in /etc/shorewall/maclist are: - - - - DISPOSITION - - - Must be ACCEPT, DROP or REJECT (REJECT may not be specified if - MACLIST_TABLE=mangle). May be - optionally followed by ":" and a log level to cause packets matching - the rule to be logged. - - - - - INTERFACE - - - The name of an Ethernet interface on the Shorewall - system. - - - - - MAC - - - The MAC address of a device on the Ethernet segment connected - by INTERFACE. It is not necessary to use the Shorewall MAC format in - this column although you may use that format if you so choose. You - may specify "-" here if you enter an IP address in the next - column. - - - - - IP Address - - - An optional comma-separated list of IP addresses for the - device whose MAC is listed in the MAC column. - - - + See shorewall-maclist(5).
Examples - Here are my files + My MAC Validation configuration at a point in the past /etc/shorewall/shorewall.conf: @@ -224,20 +182,21 @@ Wifi $WIFI_IF - maclist,dhcp /etc/shorewall/maclist: - #INTERFACE MAC IP ADDRESSES (Optional) -$WIFI_IF 00:04:5e:3f:85:b9 #WAP11 -$WIFI_IF 00:06:25:95:33:3c #WET11 -$WIFI_IF 00:0b:4d:53:cc:97 192.168.3.8 #TIPPER -$WIFI_IF 00:1f:79:cd:fe:2e 192.168.3.6 #Work Laptop + #DISPOSITION INTERFACE MAC IP ADDRESSES (Optional) +ACCEPT $WIFI_IF 00:04:5e:3f:85:b9 #WAP11 +ACCEPT $WIFI_IF 00:06:25:95:33:3c #WET11 +ACCEPT $WIFI_IF 00:0b:4d:53:cc:97 192.168.3.8 #TIPPER +ACCEPT $WIFI_IF 00:1f:79:cd:fe:2e 192.168.3.6 #Work Laptop #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE - As shown above, I use MAC Verification on my wireless zone. + As shown above, I used MAC Verification on my wireless zone that + was served by a Linksys WET11 wireless bridge. While marketed as a wireless bridge, the WET11 behaves like a wireless router with DHCP relay. When forwarding DHCP traffic, it uses the MAC address of the host (TIPPER) but for other forwarded - traffic it uses its own MAC address. Consequently, I list the IP + traffic it uses its own MAC address. Consequently, I listd the IP addresses of both devices in /etc/shorewall/maclist. 
@@ -245,15 +204,15 @@ $WIFI_IF 00:1f:79:cd:fe:2e 192.168.3.6 #Work Laptop Router in Wireless Zone - Suppose now that I add a second wireless segment to my wireless - zone and gateway that segment via a router with MAC address + Suppose now that I had added a second wireless segment to my + wireless zone and gateway that segment via a router with MAC address 00:06:43:45:C6:15 and IP address 192.168.3.253. Hosts in the second - segment have IP addresses in the subnet 192.168.4.0/24. I would add the - following entry to my /etc/shorewall/maclist file: + segment have IP addresses in the subnet 192.168.4.0/24. I would have + added the following entry to my /etc/shorewall/maclist file: - $WIFI_IF 00:06:43:45:C6:15 192.168.3.253,192.168.4.0/24 + ACCEPT $WIFI_IF 00:06:43:45:C6:15 192.168.3.253,192.168.4.0/24 - This entry accommodates traffic from the router itself + This entry would accommodate traffic from the router itself (192.168.3.253) and from the second wireless segment (192.168.4.0/24). Remember that all traffic being sent to my firewall from the 192.168.4.0/24 segment will be forwarded by the router so that traffic's
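Review bot: in the @@ -155 hunk, replacing the column descriptions with "See shorewall-maclist(5)." drops three constraints that were previously stated on this page: REJECT may not be used when MACLIST_TABLE=mangle, a disposition may be followed by ":" and a log level, and the MAC column may be "-" when an IP address is given in the next column. Before merging, confirm that shorewall-maclist(5) documents all three, otherwise readers of this article lose the mangle/REJECT restriction in particular; also, since the file is XML, a markup cross-reference to the man page would be preferable to the bare text "See shorewall-maclist(5)." so the link is navigable in the rendered article.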
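Review bot: in the @@ -224 hunk, the rewritten sentence introduces a typo: "Consequently, I listd the IP addresses" should read "listed". The example file change itself looks right: the header gains the DISPOSITION column and all four entries gain ACCEPT, matching the column order "#DISPOSITION INTERFACE MAC IP ADDRESSES (Optional)", and the "#LAST LINE" marker is left untouched.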
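Review bot: in the @@ -245 hunk, the shift to past tense is only partly carried through: "Suppose now that I had added" and "I would have added" are changed, but "Hosts in the second segment have IP addresses in the subnet 192.168.4.0/24" and "Remember that all traffic being sent to my firewall ... will be forwarded by the router" keep the present and future tense, which reads inconsistently within one paragraph; either adjust those sentences to match or keep the whole example in the present tense. The changed example line "ACCEPT $WIFI_IF 00:06:43:45:C6:15 192.168.3.253,192.168.4.0/24" does follow the new column order introduced in the previous hunk, so that part is consistent.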