DocBook XML conversion

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@875 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-12-16 03:10:39 +01:00 · 2003-12-17 17:11:02 +00:00 · 2003-12-17 17:11:02 +00:00 · a7820dc8da
commit a7820dc8da
parent fb09a449bf
1 changed files with 179 additions and 0 deletions
--- a/Shorewall-docs/MAC_Validation.xml
+++ b/Shorewall-docs/MAC_Validation.xml
@ -0,0 +1,179 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+<article id="MAC_Validation">
+  <articleinfo>
+    <title>MAC Verification</title>
+
+    <authorgroup>
+      <author>
+        <firstname>Tom</firstname>
+
+        <surname>Eastep</surname>
+      </author>
+    </authorgroup>
+
+    <pubdate>2002-06-30</pubdate>
+
+    <copyright>
+      <year>2001</year>
+
+      <year>2002</year>
+
+      <year>2003</year>
+
+      <holder>Thomas M. Eastep</holder>
+    </copyright>
+
+    <legalnotice>
+      <para>Permission is granted to copy, distribute and/or modify this
+      document under the terms of the GNU Free Documentation License, Version
+      1.2 or any later version published by the Free Software Foundation; with
+      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      Texts. A copy of the license is included in the section entitled &#34;<ulink
+      url="GnuCopyright.htm">GNU Free Documentation License</ulink>&#34;.</para>
+    </legalnotice>
+  </articleinfo>
+
+  <para>All traffic from an interface or from a subnet on an interface can be
+  verified to originate from a defined set of MAC addresses. Furthermore, each
+  MAC address may be optionally associated with one or more IP addresses.</para>
+
+  <important>
+    <para><emphasis role="bold">Your kernel must include MAC match support
+    (CONFIG_IP_NF_MATCH_MAC - module name ipt_mac.o).</emphasis></para>
+  </important>
+
+  <section>
+    <title>Components</title>
+
+    <para>There are four components to this facility.</para>
+
+    <orderedlist>
+      <listitem>
+        <para>The <emphasis role="bold">maclist</emphasis> interface option in
+        <ulink url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink>.
+        When this option is specified, all traffic arriving on the interface
+        is subjet to MAC verification.</para>
+      </listitem>
+
+      <listitem>
+        <para>The <emphasis role="bold">maclist</emphasis> option in <ulink
+        url="Documentation.htm#Hosts">/etc/shorewall/hosts</ulink>. When this
+        option is specified for a subnet, all traffic from that subnet is
+        subject to MAC verification.</para>
+      </listitem>
+
+      <listitem>
+        <para>The /etc/shorewall/maclist file. This file is used to associate
+        MAC addresses with interfaces and to optionally associate IP addresses
+        with MAC addresses.</para>
+      </listitem>
+
+      <listitem>
+        <para>The <emphasis role="bold">MACLIST_DISPOSITION</emphasis> and
+        <emphasis role="bold">MACLIST_LOG_LEVEL</emphasis> variables in <ulink
+        url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>.
+        The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT
+        and determines the disposition of connection requests that fail MAC
+        verification. The MACLIST_LOG_LEVEL variable gives the syslogd level
+        at which connection requests that fail verification are to be logged.
+        If set the the empty value (e.g., MACLIST_LOG_LEVEL=&#34;&#34;) then
+        failing connection requests are not logged.</para>
+      </listitem>
+    </orderedlist>
+  </section>
+
+  <section>
+    <title>/etc/shorewall/maclist</title>
+
+    <para>The columns in /etc/shorewall/maclist are:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>INTERFACE</term>
+
+        <listitem>
+          <para>The name of an ethernet interface on the Shorewall system.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>MAC</term>
+
+        <listitem>
+          <para>The MAC address of a device on the ethernet segment connected
+          by INTERFACE. It is not necessary to use the Shorewall MAC format in
+          this column although you may use that format if you so choose.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>IP Address</term>
+
+        <listitem>
+          <para>An optional comma-separated list of IP addresses for the
+          device whose MAC is listed in the MAC column.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </section>
+
+  <section>
+    <title>Examples</title>
+
+    <example>
+      <title>Here are my files (look <ulink url="myfiles.htm">here</ulink> for
+      details about my setup)</title>
+
+      <para>/etc/shorewall/shorewall.conf:</para>
+
+      <programlisting>MACLIST_DISPOSITION=REJECT
+MACLIST_LOG_LEVEL=info</programlisting>
+
+      <para>/etc/shorewall/interfaces:</para>
+
+      <programlisting>#ZONE   INTERFACE        BROADCAST       OPTIONS
+net     eth0            206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags
+loc     eth2            192.168.1.255   dhcp
+dmz     eth1            192.168.2.255
+WiFi    eth3            192.168.3.255   dhcp,maclist
+-       texas           192.168.9.255</programlisting>
+
+      <para>/etc/shorewall/maclist:</para>
+
+      <programlisting>#INTERFACE              MAC                     IP ADDRESSES (Optional)
+eth3                    00:A0:CC:A2:0C:A0       192.168.3.7                 #Work Laptop
+eth3                    00:04:5a:fe:85:b9       192.168.3.250               #WAP11
+eth3                    00:06:25:56:33:3c       192.168.3.225,192.168.3.8   #WET11
+eth3                    00:0b:cd:C4:cc:97       192.168.3.8                 #TIPPER</programlisting>
+
+      <para>As shown above, I use MAC Verification on my wireless zone.</para>
+
+      <para><note><para>While marketed as a wireless bridge, the WET11 behaves
+      like a wireless router with DHCP relay. When forwarding DHCP traffic, it
+      uses the MAC address of the host (TIPPER) but for other forwarded
+      traffic it uses it&#39;s own MAC address. Consequently, I list the IP
+      addresses of both devices in /etc/shorewall/maclist.</para></note></para>
+    </example>
+
+    <example>
+      <title>Router in Wireless Zone</title>
+
+      <para>Suppose now that I add a second wireless segment to my wireless
+      zone and gateway that segment via a router with MAC address
+      00:06:43:45:C6:15 and IP address 192.168.3.253. Hosts in the second
+      segment have IP addresses in the subnet 192.168.4.0/24. I would add the
+      following entry to my /etc/shorewall/maclist file:</para>
+
+      <programlisting>eth3                     00:06:43:45:C6:15       192.168.3.253,192.168.4.0/24</programlisting>
+
+      <para>This entry accomodates traffic from the router itself
+      (192.168.3.253) and from the second wireless segment (192.168.4.0/24).
+      Remember that all traffic being sent to my firewall from the
+      192.168.4.0/24 segment will be forwarded by the router so that
+      traffic&#39;s MAC address will be that of the router (00:06:43:45:C6:15)
+      and not that of the host sending the traffic.</para>
+    </example>
+  </section>
+</article>