diff --git a/docs/MAC_Validation.xml b/docs/MAC_Validation.xml
index 3c09151bd..5888c42c7 100644
--- a/docs/MAC_Validation.xml
+++ b/docs/MAC_Validation.xml
@@ -155,57 +155,15 @@
/etc/shorewall/maclist
- The columns in /etc/shorewall/maclist are:
-
-
-
- DISPOSITION
-
-
- Must be ACCEPT, DROP or REJECT (REJECT may not be specified if
- MACLIST_TABLE=mangle). May be
- optionally followed by ":" and a log level to cause packets matching
- the rule to be logged.
-
-
-
-
- INTERFACE
-
-
- The name of an Ethernet interface on the Shorewall
- system.
-
-
-
-
- MAC
-
-
- The MAC address of a device on the Ethernet segment connected
- by INTERFACE. It is not necessary to use the Shorewall MAC format in
- this column although you may use that format if you so choose. You
- may specify "-" here if you enter an IP address in the next
- column.
-
-
-
-
- IP Address
-
-
- An optional comma-separated list of IP addresses for the
- device whose MAC is listed in the MAC column.
-
-
-
+ See shorewall-maclist(5).
Examples
- Here are my files
+ My MAC Validation configuration at a point in the past
/etc/shorewall/shorewall.conf:
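Review bot: In the added line "See shorewall-maclist(5).", the constraints that the removed column text spelled out (REJECT may not be specified if MACLIST_TABLE=mangle, and "-" is allowed in the MAC column when an IP address follows) are no longer stated on this page, so the reference should be marked up as a link to the manpage rather than left as plain text, if it is not already. The new example title "My MAC Validation configuration at a point in the past" would also be more useful with an approximate date or Shorewall version, so readers can judge how current the sample files are.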
@@ -224,20 +182,21 @@ Wifi $WIFI_IF - maclist,dhcp
/etc/shorewall/maclist:
- #INTERFACE MAC IP ADDRESSES (Optional)
-$WIFI_IF 00:04:5e:3f:85:b9 #WAP11
-$WIFI_IF 00:06:25:95:33:3c #WET11
-$WIFI_IF 00:0b:4d:53:cc:97 192.168.3.8 #TIPPER
-$WIFI_IF 00:1f:79:cd:fe:2e 192.168.3.6 #Work Laptop
+ #DISPOSITION INTERFACE MAC IP ADDRESSES (Optional)
+ACCEPT $WIFI_IF 00:04:5e:3f:85:b9 #WAP11
+ACCEPT $WIFI_IF 00:06:25:95:33:3c #WET11
+ACCEPT $WIFI_IF 00:0b:4d:53:cc:97 192.168.3.8 #TIPPER
+ACCEPT $WIFI_IF 00:1f:79:cd:fe:2e 192.168.3.6 #Work Laptop
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
- As shown above, I use MAC Verification on my wireless zone.
+ As shown above, I used MAC Verification on my wireless zone that
+ was served by a Linksys WET11 wireless bridge.
While marketed as a wireless bridge, the WET11 behaves like a
wireless router with DHCP relay. When forwarding DHCP traffic, it
uses the MAC address of the host (TIPPER) but for other forwarded
- traffic it uses its own MAC address. Consequently, I list the IP
+ traffic it uses its own MAC address. Consequently, I listd the IP
addresses of both devices in /etc/shorewall/maclist.
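Review bot: Typo in the added line "traffic it uses its own MAC address. Consequently, I listd the IP": "listd" should be "listed". Separately, the sentence says the IP addresses of both devices are listed, but in the sample maclist in this hunk only the TIPPER entry carries an address (192.168.3.8) and the WET11 entry has none. Either add the WET11 address to the example or reword the sentence so the text and the file agree.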
@@ -245,15 +204,15 @@ $WIFI_IF 00:1f:79:cd:fe:2e 192.168.3.6 #Work Laptop
Router in Wireless Zone
- Suppose now that I add a second wireless segment to my wireless
- zone and gateway that segment via a router with MAC address
+ Suppose now that I had added a second wireless segment to my
+ wireless zone and gateway that segment via a router with MAC address
00:06:43:45:C6:15 and IP address 192.168.3.253. Hosts in the second
- segment have IP addresses in the subnet 192.168.4.0/24. I would add the
- following entry to my /etc/shorewall/maclist file:
+ segment have IP addresses in the subnet 192.168.4.0/24. I would have
+ added the following entry to my /etc/shorewall/maclist file:
- $WIFI_IF 00:06:43:45:C6:15 192.168.3.253,192.168.4.0/24
+ ACCEPT $WIFI_IF 00:06:43:45:C6:15 192.168.3.253,192.168.4.0/24
- This entry accommodates traffic from the router itself
+ This entry would accommodate traffic from the router itself
(192.168.3.253) and from the second wireless segment (192.168.4.0/24).
Remember that all traffic being sent to my firewall from the
192.168.4.0/24 segment will be forwarded by the router so that traffic's
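Review bot: The tense change in this hunk is incomplete. In the added lines, "and gateway that segment via a router" still reads as present tense after "I had added", and the unchanged context line "Remember that all traffic being sent to my firewall from the 192.168.4.0/24 segment will be forwarded" stays in the future tense next to "This entry would accommodate". Suggest rewording the first to something like "and had routed that segment via a router", and adjusting the following sentence to match, or keeping the whole hypothetical in the present tense.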