<?xml version="1.0" encoding="UTF-8"?> <refentry> <refmeta> <refentrytitle>shorewall-maclist</refentrytitle> <manvolnum>5</manvolnum> </refmeta> <refnamediv> <refname>maclist</refname> <refpurpose>Shorewall MAC Verification file</refpurpose> </refnamediv> <refsynopsisdiv> <cmdsynopsis> <command>/etc/shorewall/maclist</command> </cmdsynopsis> </refsynopsisdiv> <refsect1> <title>Description</title> <para>This file is used to define the MAC addresses and optionally their associated IP addresses to be allowed to use the specified interface. The feature is enabled by using the <emphasis role="bold">maclist</emphasis> option in the <ulink url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5) or <ulink url="shorewall-hosts.html">shorewall-hosts</ulink>(5) configuration file.</para> <para>The columns in the file are as follows.</para> <variablelist> <varlistentry> <term><emphasis role="bold">DISPOSITION</emphasis> - {<emphasis role="bold">ACCEPT</emphasis>|<emphasis role="bold">DROP</emphasis>|<emphasis role="bold">REJECT</emphasis>}[<option>:</option><replaceable>log-level</replaceable>]</term> <listitem> <para><emphasis role="bold">ACCEPT</emphasis> or <emphasis role="bold">DROP</emphasis> (if MACLIST_TABLE=filter in <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5), then REJECT is also allowed). If specified, the <replaceable>log-level</replaceable> causes packets matching the rule to be logged at that level.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">INTERFACE</emphasis> - <emphasis>interface</emphasis></term> <listitem> <para>Network <emphasis>interface</emphasis> to a host.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">MAC</emphasis> - <emphasis>address</emphasis></term> <listitem> <para>MAC <emphasis>address</emphasis> of the host -- you do not need to use the Shorewall format for MAC addresses here. 
If <emphasis role="bold">IP ADDRESSES</emphasis> is supplied then <emphasis role="bold">MAC</emphasis> can be supplied as a dash (<emphasis role="bold">-</emphasis>).</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">IP ADDRESSES</emphasis> (Optional) - [<emphasis>address</emphasis>[<emphasis role="bold">,</emphasis><emphasis>address</emphasis>]...]</term> <listitem> <para>If specified, both the MAC and IP address must match. This column can contain a comma-separated list of host and/or subnet addresses. If your kernel and iptables have iprange match support then IP address ranges are also allowed. Similarly, if your kernel and iptables include ipset support then set names (prefixed by "+") are also allowed.</para> </listitem> </varlistentry> </variablelist> </refsect1> <refsect1> <title>FILES</title> <para>/etc/shorewall/maclist</para> </refsect1> <refsect1> <title>SEE ALSO</title> <para><ulink url="http://shorewall.net/MAC_Validation.html">http://shorewall.net/MAC_Validation.html</ulink></para> <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5), shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para> </refsect1> </refentry>