Hello Lonnie,

Can you explain this:

When the mac-address-filter plugin is disabled I can connect from a PC on lan2
(eth2) to the web interface of snom phones on lan1 (eth1).
When the plugin is enabled I can't any more even though I put the mac addr of
the PC, eth2 and eth1 (both - just to be sure) into the allow-mac-addresses 
file.
Also SSH access from eth2 to eth1 is blocked.  Luckily I can still get http and
SSH access to the eth2 address to turn the plugin off again.

It's as if running the plugin negates the switch to allow traffic between the
two interfaces (where is that switch - I forgot).
Could there be a rule order "issue" or am I missing something more obvious?

Thanks,

-Graham-


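An added example, not code from this thread, from AstLinux or from Arno's Iptables Firewall: a small POSIX shell script that checks an allow-mac-addresses file in the format Lonnie shows in his reply below, prints the iptables rules such a list amounts to for one interface, and picks which list file a cron job (Graham's plan) would copy into place by hour of day. The chain name, the two list paths, the 08:00-18:00 office window and the firewall restart command are assumptions for the example; the MAC_ADDRESS_IF / MAC_ADDRESS_FILE names and eth2 are taken from the quoted config.

```shell
#!/bin/sh
# Added example, not part of AstLinux or Arno's Iptables Firewall (AIF).
# Nothing here calls iptables: mac_rules only prints the commands, so the
# list can be checked on any host before it is loaded on the firewall.

MAC_ADDRESS_IF=eth2                              # as in the quoted config
MAC_ADDRESS_FILE=/mnt/kd/allow-mac-addresses     # as in the quoted config
OFFICE_LIST=/mnt/kd/allow-mac-office             # assumed path
AFTER_HOURS_LIST=/mnt/kd/allow-mac-after-hours   # assumed path

# valid_mac ADDR: return 0 if ADDR is six colon-separated hex octets, else 1.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# mac_rules IFACE FILE: print the iptables commands that let only the MAC
# addresses listed in FILE send traffic in on IFACE.  Blank lines and '#'
# comments are ignored.  A malformed entry makes the function return 1 and
# print no rules, so a typo cannot silently load a partial filter.
# Caveat: '-m mac --mac-source' is only valid in the PREROUTING, INPUT and
# FORWARD chains and sees the MAC of the last Layer-2 hop, so it can only
# identify hosts on the segment directly attached to IFACE.
mac_rules() {
    iface=$1
    file=$2
    chain="MAC_ALLOW_$iface"          # chain name is an assumption
    macs=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                              # drop trailing comment
        line=$(printf '%s' "$line" | tr -d ' \t')     # drop whitespace
        [ -z "$line" ] && continue
        if ! valid_mac "$line"; then
            echo "mac_rules: malformed MAC address in $file: '$line'" >&2
            return 1
        fi
        macs="$macs $line"
    done < "$file"
    echo "iptables -N $chain"
    echo "iptables -A INPUT   -i $iface -j $chain"
    echo "iptables -A FORWARD -i $iface -j $chain"
    for m in $macs; do
        echo "iptables -A $chain -m mac --mac-source $m -j RETURN"
    done
    echo "iptables -A $chain -j DROP"   # anything not listed is dropped
    return 0
}

# select_allow_list HOUR: print the list that applies at HOUR (0-23):
# the office list from 08:00 to 17:59, the after-hours list otherwise.
select_allow_list() {
    if [ "$1" -ge 8 ] && [ "$1" -lt 18 ]; then
        echo "$OFFICE_LIST"
    else
        echo "$AFTER_HOURS_LIST"
    fi
}

# switch_allow_list: what a cron job would run at 08:00 and 18:00, e.g.
#   0 8,18 * * 1-5 /mnt/kd/mac-filter-switch.sh        (assumed path)
# It validates the list for the current hour, installs it and restarts the
# firewall.  Not run in this example; the restart command is an assumption,
# check the init script on your own AstLinux box.
switch_allow_list() {
    src=$(select_allow_list "$(date +%H)")
    mac_rules "$MAC_ADDRESS_IF" "$src" >/dev/null || return 1   # refuse a bad list
    cp "$src" "$MAC_ADDRESS_FILE" && /etc/init.d/arno-iptables-firewall restart
}
```

Two caveats worth keeping in mind with any MAC allow list: a MAC address is trivially changed on most operating systems (one ip link command on Linux), so it stops a casual user rather than the one who "knows what they are doing"; and because the match only sees the last Layer-2 hop, a PC sitting behind another router or a wireless bridge on lan2 shows up with that device's MAC, not its own.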
Lonnie Abelbeck wrote on 11/11/2010 16:45:
> Graham,
> 
> There has been a long-standing typo in Arno's Firewall comment for the 
> mac-address-filter plugin.  The next AIF version fixes it and it now reads:
> --
> # Specify interfaces that the MAC Addresses Filter is applied (eg. INT_IF)
> # ------------------------------------------------------------------------------
> MAC_ADDRESS_IF="$INT_IF"
> --
> i.e., it applies to ALL traffic, so if you defined...
> 
> MAC_ADDRESS_IF="eth2"
> 
> MAC_ADDRESS_FILE="/mnt/kd/allow-mac-addresses"
> 
> and created "/mnt/kd/allow-mac-addresses" as a list of allowed MAC addresses 
> for eth2, i.e.:
> --
> 00:11:22:33:44:55
> 00:11:22:33:44:56
> 00:11:22:33:44:57
> --
> 
> Give it a try (I have not played with that plugin).  Keep in mind that there 
> will be periodic maintenance to such a filter.
> 
> Lonnie
> 
> 
> 
> On Nov 11, 2010, at 3:03 AM, Graham S. Jarvis wrote:
> 
>> Hello All,
>>
>> As if you haven't been hearing enough from me recently - here is another "nearly
>> newbie" question:
>>
>> I want to stop people on one of my interfaces (you guessed it - eth2/lan2) from
>> connecting to the Ethernet outside of office hours.
>> I don't know if it would be better to block by IP or MAC - most users are using
>> DHCP so I could block the whole dhcp-range.  But at least one user knows what
>> they are doing and could reset their PC with a fixed IP.  I would notice if this
>> happens but in order to block them again I would be chasing them through the
>> network and at some point they are going to pick an IP that conflicts with
>> something important.  With the MAC I know which PC/User it is and "basta" they
>> are blocked.
>>
>> I thought one way to do this is set up the mac-address-filter firewall plugin
>> and then have a cron job to switch the mac-address file and restart the
>> firewall.
>>
>> So my questions are:
>>
>> 1. What does this mean:
>> # Specify here the port(s) you want to SSH checks to apply to
>> # ------------------------------------------------------------------------------
>> MAC_ADDRESS_IF="$INT_IF"
>>
>> "... you want to SSH checks to apply to" ???
>> Why SSH?
>> Does this plugin _only_ stop SSH?
>>
>> If so, why should anyone only want to stop SSH by mac address?
>> And, if it is only dropping port 22 traffic it should be possible to "hack" the
>> script so that this plugin checks/blocks all ports.
>> Could someone [Lonnie again? :-)] tell me where this plugin script file is
>> located please.
>>
>> Thanks in advance,
>>
>> -Graham-
>>
>>
>>
>> _______________________________________________
>> Astlinux-users mailing list
>> Astlinux-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>>
>> Donations to support AstLinux are graciously accepted via PayPal to 
>> pay...@krisk.org.
>>
>>
> 