Pieter Donche wrote:
> We have a DHCP server running on a central server behind our Shorewall
> firewall (shorewall-perl-4.0.6). We have some 200 hosts all on the
> same subnet and all behind that firewall.
> We use
> 1. (mostly) fixed IP addresses assigned to MAC addresses so that every
> registered machine always gets the same IP address if he sets his PC
> to 'automatically obtain an IP address' (DHCP)
> 2. a number of PCs where the TCP/IP addresses are set manually in the PC
> (not using DHCP) and recorded as known of/allowed.
> 3. a small pool of dynamically leased addresses specified in our DHCP server
> (for visitors).
>
> But sometimes some user does not set his PC to 'automatically obtain
> an IP address' (DHCP) but puts in an IP address manually in his TCP/IP
> configuration ... and if that IP address was already registered
> for someone else's MAC address, the DHCP server will not hand out that
> IP when it finds that IP address is in use, leaving the rightful
> 'owner' of that IP address without network connection ...
>
> How can we make this impossible?
>
> I took a look at www.shorewall.net/MAC_Validation.html
> but have questions:
>
> - /etc/shorewall/maclist: has no column 'DISPOSITION' in Example 1,
> does this mean the MACLIST_DISPOSITION=REJECT from shorewall.conf is
> applied to all lines (as if all lines contained a first column 'REJECT')?
I've removed the last two sections of that article to avoid confusion. The shorewall-maclist (5) manpage is much clearer anyway.

> - The MAC-addresses/IP-addresses combinations registered in our
> DHCP server (1.) and the ones manually set (2.) must all be in
> /etc/shorewall/maclist ?

Depends on how you set it up. If you set MACLIST_DISPOSITION=ACCEPT then you might only add entries in /etc/shorewall/maclist for those that are manually set -- specify both MAC and IP ADDRESS.

> - What about the dynamically leased addresses: here the MAC address
> can vary, only the pool of IP addresses is fixed.
> If I understand well, putting in the MAC column a dash (-) and a
> comma-delimited set of IP-addresses in the IP ADDRESSES column, this
> would be sufficient? Or only the MAC addresses.
>
> - what's that remark about "Your kernel must include MAC match support
> (CONFIG_IP_NF_MATCH_MAC - module name ipt_mac.o)." How can I find out
> if this is included on a SUSE 10.2 or SUSE 10.3 ?
>
> - How to find out if "If your kernel and iptables have iprange match
> support then IP address ranges are also allowed" for SUSE 10.2 and
> SUSE 10.3 ?

See Shorewall FAQ 42.

-Tom
--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
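One way to lay out the three address categories from Pieter's question in the column order the shorewall-maclist(5) manpage gives (DISPOSITION INTERFACE MAC IP ADDRESSES), added here as an illustration and not taken from Tom's reply or from the Shorewall project. The interface eth0, the zone name loc, and every MAC and 192.168.1.x address are constructed placeholders; the `-` MAC with an address list is the form Pieter asks about, and the range form needs the iprange match support Tom's FAQ reference covers.

```text
# /etc/shorewall/interfaces  (constructed example)
# The maclist option switches on MAC validation for traffic arriving on eth0.
#ZONE   INTERFACE   BROADCAST   OPTIONS
loc     eth0        detect      maclist

# /etc/shorewall/shorewall.conf  (constructed example)
# Fate of a host on a maclist interface that matches no maclist entry.
# DROP or REJECT is the restrictive choice (every allowed host must be listed);
# ACCEPT is the permissive one Tom describes, where only the manually
# configured hosts need entries.
MACLIST_DISPOSITION=DROP
MACLIST_LOG_LEVEL=info

# /etc/shorewall/maclist  (constructed example)
#DISPOSITION  INTERFACE  MAC                IP ADDRESSES
# 1. fixed DHCP reservations: each MAC is bound to its reserved address, so a
#    host that hand-configures someone else's address matches no entry and
#    is dropped (and logged) at the firewall.
ACCEPT        eth0       00:11:22:33:44:01  192.168.1.10
ACCEPT        eth0       00:11:22:33:44:02  192.168.1.11
# 2. manually configured hosts recorded as known: same form, MAC plus IP.
ACCEPT        eth0       00:11:22:33:44:03  192.168.1.50
# 3. visitor pool: any MAC (-) is accepted only while it uses a pool address.
#    Without iprange support, list the pool addresses comma-delimited instead.
ACCEPT        eth0       -                  192.168.1.200-192.168.1.220
```

Note that maclist only governs traffic that reaches the firewall on eth0: it denies an address-squatting host passage through the gateway, but it cannot stop the duplicate-address conflict on the LAN segment itself. MAC addresses are also easily changed on the client side, so this is access control at the gateway, not proof of a host's identity.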
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users