Content moved to MAC_Validation.xml

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@876 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-11-15 04:04:10 +01:00 · 2003-12-17 17:12:03 +00:00 · 2003-12-17 17:12:03 +00:00 · 938e875e48
commit 938e875e48
parent a7820dc8da
1 changed files with 0 additions and 104 deletions
--- a/Shorewall-docs/MAC_Validation.html
+++ b/Shorewall-docs/MAC_Validation.html
@ -1,104 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-<html>
-<head>
-  <title>MAC Verification</title>
-  <meta http-equiv="content-type"
- content="text/html; charset=ISO-8859-1">
-  <meta name="author" content="Tom Eastep">
-</head>
-<body>
-<br>
-<h1 style="text-align: center;">MAC Verification<br>
-</h1>
-All traffic from an interface or from a subnet on an interface can be
-verified to originate from a defined set of MAC addresses. Furthermore,
-each MAC address may be optionally associated with one or more IP
-addresses. <br>
-<br>
-<b>Your kernel must include MAC match support (CONFIG_IP_NF_MATCH_MAC -
-module name ipt_mac.o).</b><br>
-<br>
-There are four components to this facility.<br>
-<ol>
-  <li>The <b>maclist</b> interface option in <a
- href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
-When
-this option is specified, all traffic arriving on the interface is
-subjet
-to MAC verification.</li>
-  <li>The <b>maclist </b>option in <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>.
-When this option is specified for a subnet, all traffic from that
-subnet is subject to
-MAC verification.</li>
-  <li>The /etc/shorewall/maclist file. This file is used to associate
-MAC addresses with interfaces and to optionally associate IP addresses
-with MAC addresses.</li>
-  <li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables
-in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
-The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT
-and determines the disposition of connection requests that fail MAC
-verification. The MACLIST_LOG_LEVEL variable gives the syslogd level at
-which connection requests that fail verification are to be logged. If
-set the the empty value (e.g., MACLIST_LOG_LEVEL="") then failing
-connection requests are not logged.<br>
-  </li>
-</ol>
-The columns in /etc/shorewall/maclist are:<br>
-<ul>
-  <li>INTERFACE - The name of an ethernet interface on the Shorewall
-system.</li>
-  <li>MAC - The MAC address of a device on the ethernet segment
-connected by INTERFACE. It is not necessary to use the Shorewall MAC
-format in this column although you may use that format if you so choose.</li>
-  <li>IP Address - An optional comma-separated list of IP addresses for
-the device whose MAC is listed in the MAC column.</li>
-</ul>
-<h3>Example 1: Here are my files (look <a href="myfiles.htm">here</a>
-for details about my setup):</h3>
-<b>/etc/shorewall/shorewall.conf:<br>
-</b>
-<pre>     MACLIST_DISPOSITION=REJECT<br>     MACLIST_LOG_LEVEL=info<br></pre>
-<b>/etc/shorewall/interfaces:</b><br>
-<blockquote>
-  <pre>#ZONE   INTERFACE        BROADCAST       OPTIONS<br>net     eth0            206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags<br>loc     eth2            192.168.1.255   dhcp<br>dmz     eth1            192.168.2.255<br>WiFi    eth3            192.168.3.255   dhcp,maclist<br>-       texas           192.168.9.255</pre>
-</blockquote>
-<b>/etc/shorewall/maclist:</b><br>
-<blockquote>
-  <pre>#INTERFACE              MAC                     IP ADDRESSES (Optional)<br>eth3                    00:A0:CC:A2:0C:A0       192.168.3.7                 #Work Laptop<br>eth3                    00:04:5a:fe:85:b9       192.168.3.250               #WAP11<br>eth3                    00:06:25:56:33:3c       192.168.3.225,192.168.3.8   #WET11<br>eth3                    00:0b:cd:C4:cc:97       192.168.3.8                 #TIPPER</pre>
-</blockquote>
-As shown above, I use MAC Verification on my wireless zone.<br>
-<br>
-<b>Note: </b>While marketed as a wireless bridge, the WET11 behaves
-like a wireless router with DHCP relay. When forwarding DHCP traffic,
-it uses the
-MAC address of the host (TIPPER) but for other forwarded traffic it
-uses it's
-own MAC address. Consequently, I list the IP addresses of both devices
-in
-/etc/shorewall/maclist.<br>
-<h3>Example 2: Router in Wireless Zone</h3>
-Suppose now that I add a second wireless segment to my wireless zone
-and gateway that segment via a router with MAC address
-00:06:43:45:C6:15 and IP address 192.168.3.253. Hosts in the second
-segment have IP addresses in the subnet 192.168.4.0/24. I would add the
-following entry to my /etc/shorewall/maclist file:<br>
-<pre>     eth3                     00:06:43:45:C6:15       192.168.3.253,192.168.4.0/24<br></pre>
-This entry accomodates traffic from the router itself (192.168.3.253)
-and from the second wireless segment (192.168.4.0/24). Remember that
-all traffic being sent to my firewall from the 192.168.4.0/24 segment
-will be forwarded by the router so that traffic's MAC address will be
-that of the router (00:06:43:45:C6:15) and not that of the host sending
-the traffic.
-<p><font size="2"> Updated 6/30/2002 - <a href="support.htm">Tom Eastep</a>
-</font></p>
-<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
- size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
-</p>
-<br>
-<br>
-<br>
-<br>
-<br>
-<br>
-</body>
-</html>