We have a DHCP server running on a central server behind our Shorewall
firewall (shorewall-perl-4.0.6). We have some 200 hosts all on the
same subnet and all behind that firewall. 
We use 
1. (mostly) fixed IP addresses assigned to MAC addresses so that every
   registered machine always gets the same IP address if he sets his PC
   to 'automatically obtain an IP address' (DHCP)
2. a number of PCs where the TCP/IP addresses are set manually in the PC
   (not using DHCP) and recorded as known/allowed.
3. a small pool of dynamically leased addresses specified in our DHCP server
   (for visitors).

But sometimes some user does not set his PC to 'automatically obtain
an IP address' (DHCP) but puts in an IP address manually in his TCP/IP
configuration ... and if that IP address was already registered
for someone else's MAC address, the DHCP server will not hand out that
IP when it finds that IP address is in use, leaving the rightful
'owner' of that IP address without network connection ...

How can we make this impossible?

I took a look at www.shorewall.net/MAC_Validation.html 
but have questions:

- /etc/shorewall/maclist has no column 'DISPOSITION' in Example 1.
  Does this mean the MACLIST_DISPOSITION=REJECT from shorewall.conf is
  applied to all lines (as if all lines contained a first column 'REJECT')?

- The MAC-address/IP-address combinations registered in our
  DHCP server (1.) and the ones manually set (2.) must all be in
  /etc/shorewall/maclist?
- What about the dynamically leased addresses: here the MAC address
  can vary, only the pool of IP addresses is fixed.
  If I understand well, putting in the MAC column a dash (-) and a
  comma-delimited set of IP addresses in the IP ADDRESSES column, this
  would be sufficient?

- What's that remark about "Your kernel must include MAC match support
  (CONFIG_IP_NF_MATCH_MAC - module name ipt_mac.o)"? How can I find out
  if this is included on SUSE 10.2 or SUSE 10.3?

- How to find out if "If your kernel and iptables have iprange match
  support then IP address ranges are also allowed" for SUSE 10.2 and
  SUSE 10.3?


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
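An added example, not from the original post and not Shorewall's own code: a small POSIX shell script that answers the last two questions above on a Linux box by reading the running kernel's config and probing the installed iptables for the match extensions. It assumes the config is readable at /boot/config-$(uname -r) (SUSE kernel packages normally install it there) or at /proc/config.gz, and it checks both the older option names the Shorewall page quotes (CONFIG_IP_NF_MATCH_MAC, CONFIG_IP_NF_MATCH_IPRANGE, modules ipt_mac/ipt_iprange) and the xtables names later 2.6 kernels use (CONFIG_NETFILTER_XT_MATCH_MAC, CONFIG_NETFILTER_XT_MATCH_IPRANGE, modules xt_mac/xt_iprange); which name applies depends on the kernel version, so it tries both. The function and script names are this example's own.

```shell
#!/bin/sh
# Added example (not Shorewall's own code): does this kernel/iptables support
# the "mac" and "iprange" matches that Shorewall's maclist feature relies on?
# Assumptions: kernel config readable at /boot/config-$(uname -r) or
# /proc/config.gz; option names cover both pre-xtables and xtables kernels.

# kconfig_has CFGFILE SYM... : print the first SYM that is =y or =m in
# CFGFILE and return 0; return 1 if none is enabled. Lines of the form
# "# CONFIG_X is not set" and longer symbols that merely start with SYM
# do not count, because the pattern is anchored at both ends.
kconfig_has() {
    kc_cfg=$1
    shift
    for kc_sym in "$@"; do
        if grep -q "^${kc_sym}=[ym]\$" "$kc_cfg" 2>/dev/null; then
            echo "$kc_sym"
            return 0
        fi
    done
    return 1
}

# maclist_support CFGFILE : print "mac=<sym|none> iprange=<sym|none>".
# Returns 0 when the MAC match is built in or modular (maclist can work at
# all), 1 when it is missing. iprange is only needed for ranges in the
# IP ADDRESSES column, so it is reported but does not affect the status.
maclist_support() {
    ms_cfg=$1
    ms_mac=$(kconfig_has "$ms_cfg" CONFIG_NETFILTER_XT_MATCH_MAC CONFIG_IP_NF_MATCH_MAC) \
        || ms_mac=none
    ms_iprange=$(kconfig_has "$ms_cfg" CONFIG_NETFILTER_XT_MATCH_IPRANGE CONFIG_IP_NF_MATCH_IPRANGE) \
        || ms_iprange=none
    echo "mac=$ms_mac iprange=$ms_iprange"
    [ "$ms_mac" != none ]
}

# ipt_match_available MATCH : 0 if the installed iptables can load the
# userspace extension for MATCH ("iptables -m mac --help" succeeds only when
# the libipt_mac/libxt_mac extension is present). This does not touch the
# kernel, so it complements the config check rather than replacing it.
ipt_match_available() {
    iptables -m "$1" --help >/dev/null 2>&1
}

main() {
    m_cfg=""
    m_tmp=""
    m_rc=2
    if [ -r "/boot/config-$(uname -r)" ]; then
        m_cfg="/boot/config-$(uname -r)"
    elif [ -r /proc/config.gz ] && command -v zcat >/dev/null 2>&1; then
        m_tmp=$(mktemp) && zcat /proc/config.gz >"$m_tmp" && m_cfg=$m_tmp
    fi
    if [ -z "$m_cfg" ]; then
        echo "no readable kernel config; rely on the iptables probe below" >&2
    else
        echo "kernel config: $m_cfg"
        maclist_support "$m_cfg"
        m_rc=$?
        if [ -n "$m_tmp" ]; then rm -f "$m_tmp"; fi
    fi
    if command -v iptables >/dev/null 2>&1; then
        for m_match in mac iprange; do
            if ipt_match_available "$m_match"; then
                echo "iptables -m $m_match: available"
            else
                echo "iptables -m $m_match: NOT available"
            fi
        done
    else
        echo "iptables not found in PATH" >&2
    fi
    return $m_rc
}

# Run the host check only when invoked as: sh check_maclist_support.sh --check
if [ "${1:-}" = "--check" ]; then
    main
    exit $?
fi
```

Run it with `--check` as any user; exit status 0 means the MAC match is available in the kernel config, 1 means it is not, 2 means no config file could be read (on SUSE, install the kernel package that matches `uname -r` or check the iptables probe output alone). A module listed as =m is loaded on first use by iptables, so there is no need to modprobe it by hand before starting Shorewall.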