Bring MAC validation article up to date

This commit is contained in:
Tom Eastep 2009-06-04 15:48:49 -07:00
parent 7621859e0f
commit 2288ea4d72


@ -155,57 +155,15 @@
<section id="maclist"> <section id="maclist">
<title>/etc/shorewall/maclist</title> <title>/etc/shorewall/maclist</title>
<para>The columns in /etc/shorewall/maclist are:</para> <para>See <ulink
url="manpages/shorewall-maclist.html">shorewall-maclist</ulink>(5).</para>
<variablelist>
<varlistentry>
<term>DISPOSITION</term>
<listitem>
<para>Must be ACCEPT, DROP or REJECT (REJECT may not be specified if
<emphasis role="bold">MACLIST_TABLE</emphasis>=mangle). May be
optionally followed by ":" and a log level to cause packets matching
the rule to be logged.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>INTERFACE</term>
<listitem>
<para>The name of an Ethernet interface on the Shorewall
system.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>MAC</term>
<listitem>
<para>The MAC address of a device on the Ethernet segment connected
by INTERFACE. It is not necessary to use the Shorewall MAC format in
this column although you may use that format if you so choose. You
may specify "-" here if you enter an IP address in the next
column.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>IP Address</term>
<listitem>
<para>An optional comma-separated list of IP addresses for the
device whose MAC is listed in the MAC column.</para>
</listitem>
</varlistentry>
</variablelist>
</section> </section>
<section id="Examples"> <section id="Examples">
<title>Examples</title> <title>Examples</title>
<example id="Example1"> <example id="Example1">
<title>Here are my files</title> <title>My MAC Validation configuration at a point in the past</title>
<para>/etc/shorewall/shorewall.conf:</para> <para>/etc/shorewall/shorewall.conf:</para>
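Review bot: the removed column descriptions carried two constraints that the replacement link does not restate: REJECT may not be used when MACLIST_TABLE=mangle, and a DISPOSITION may be followed by ":" and a log level to log matching packets. Before dropping them from this article, confirm that shorewall-maclist(5) documents both, and that the relative URL manpages/shorewall-maclist.html resolves from wherever this article is published, since a reader who follows the old text's caveat about the mangle table now has nowhere else on this page to find it.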
@ -224,20 +182,21 @@ Wifi $WIFI_IF - maclist,dhcp
<para>/etc/shorewall/maclist:</para> <para>/etc/shorewall/maclist:</para>
<programlisting>#INTERFACE MAC IP ADDRESSES (Optional) <programlisting>#DISPOSITION INTERFACE MAC IP ADDRESSES (Optional)
$WIFI_IF 00:04:5e:3f:85:b9 #WAP11 ACCEPT $WIFI_IF 00:04:5e:3f:85:b9 #WAP11
$WIFI_IF 00:06:25:95:33:3c #WET11 ACCEPT $WIFI_IF 00:06:25:95:33:3c #WET11
$WIFI_IF 00:0b:4d:53:cc:97 192.168.3.8 #TIPPER ACCEPT $WIFI_IF 00:0b:4d:53:cc:97 192.168.3.8 #TIPPER
$WIFI_IF 00:1f:79:cd:fe:2e 192.168.3.6 #Work Laptop ACCEPT $WIFI_IF 00:1f:79:cd:fe:2e 192.168.3.6 #Work Laptop
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<para>As shown above, I use MAC Verification on my wireless zone.</para> <para>As shown above, I used MAC Verification on my wireless zone that
was served by a Linksys WET11 wireless bridge.</para>
<para><note> <para><note>
<para>While marketed as a wireless bridge, the WET11 behaves like a <para>While marketed as a wireless bridge, the WET11 behaves like a
wireless router with DHCP relay. When forwarding DHCP traffic, it wireless router with DHCP relay. When forwarding DHCP traffic, it
uses the MAC address of the host (TIPPER) but for other forwarded uses the MAC address of the host (TIPPER) but for other forwarded
traffic it uses its own MAC address. Consequently, I list the IP traffic it uses its own MAC address. Consequently, I listd the IP
addresses of both devices in /etc/shorewall/maclist.</para> addresses of both devices in /etc/shorewall/maclist.</para>
</note></para> </note></para>
</example> </example>
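Review bot: the tense change in the note introduces a typo: "Consequently, I listd the IP" should read "Consequently, I listed the IP". The new header line "#DISPOSITION INTERFACE MAC IP ADDRESSES (Optional)" correctly matches the four ACCEPT entries below it; consider re-aligning the data columns under the header now that the DISPOSITION column has been added, so the listing stays readable as a copy-and-paste template.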
@ -245,15 +204,15 @@ $WIFI_IF 00:1f:79:cd:fe:2e 192.168.3.6 #Work Laptop
<example id="Example2"> <example id="Example2">
<title>Router in Wireless Zone</title> <title>Router in Wireless Zone</title>
<para>Suppose now that I add a second wireless segment to my wireless <para>Suppose now that I had added a second wireless segment to my
zone and gateway that segment via a router with MAC address wireless zone and gateway that segment via a router with MAC address
00:06:43:45:C6:15 and IP address 192.168.3.253. Hosts in the second 00:06:43:45:C6:15 and IP address 192.168.3.253. Hosts in the second
segment have IP addresses in the subnet 192.168.4.0/24. I would add the segment have IP addresses in the subnet 192.168.4.0/24. I would have
following entry to my /etc/shorewall/maclist file:</para> added the following entry to my /etc/shorewall/maclist file:</para>
<programlisting> $WIFI_IF 00:06:43:45:C6:15 192.168.3.253,192.168.4.0/24</programlisting> <programlisting>ACCEPT $WIFI_IF 00:06:43:45:C6:15 192.168.3.253,192.168.4.0/24</programlisting>
<para>This entry accommodates traffic from the router itself <para>This entry would accommodate traffic from the router itself
(192.168.3.253) and from the second wireless segment (192.168.4.0/24). (192.168.3.253) and from the second wireless segment (192.168.4.0/24).
Remember that all traffic being sent to my firewall from the Remember that all traffic being sent to my firewall from the
192.168.4.0/24 segment will be forwarded by the router so that traffic's 192.168.4.0/24 segment will be forwarded by the router so that traffic's
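Review bot: the shift to past conditional ("would have added", "would accommodate") is not carried through: the next sentence still reads "all traffic being sent to my firewall from the 192.168.4.0/24 segment will be forwarded by the router"; "would be forwarded" keeps the tense consistent. It is also worth stating plainly beside the "ACCEPT $WIFI_IF 00:06:43:45:C6:15 192.168.3.253,192.168.4.0/24" entry that hosts in 192.168.4.0/24 are identified only by the router's MAC, so this entry trusts the router and every host it forwards for, not the individual hosts behind it.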