Pieter Donche wrote:
> We have a DHCP server running on a central server behind our Shorewall
> firewall (shorewall-perl-4.0.6). We have some 200 hosts all on the
> same subnet and all behind that firewall. 
> We use 
> 1. (mostly) fixed IP addresses assigned to MAC addresses so that every
>    registered machine always gets the same IP address if he sets his PC
>    to 'automatically obtain an IP address' (DHCP)
> 2. a number of PCs where the TCP/IP addresses are set manually in the PC
>    (not using DHCP) and recorded as known of/allowed.
> 3. a small pool of dynamically leased addresses specified in our DHCP server
>    (for visitors).
> 
> But sometimes some user does not set his PC to 'automatically obtain
> an IP address' (DHCP) but puts in an IP address manually in his TCP/IP
> configuration ... and if that IP address was already registered
> for someone else's MAC address, the DHCP server will not hand out that
> IP when it finds that IP address is in use, leaving the rightful
> 'owner' of that IP address without network connection ...
> 
> How can we make this impossible?
> 
> I took a look at www.shorewall.net/MAC_Validation.html 
> but have questions:
> 
> - /etc/shorewall/maclist: has no column 'DISPOSITION' in Example 1,
> does this mean, the MACLIST_DISPOSITION=REJECT from shorewall.conf is
> applied to all lines (as if all lines contained a first Column 'REJECT')

I've removed the last two sections of that article to avoid confusion.
The shorewall-maclist (5) manpage is much clearer anyway.
> 
> - The MAC-addresses/IP-addresses combinations registered in our
>    DHCP server (1.) and the ones manually set (2.) must all be in
>   /etc/shorewall/maclist ?

Depends on how you set it up. If you set MACLIST_DISPOSITION=ACCEPT then
you might only add entries in /etc/shorewall/maclist for those that are
manually set -- specify both MAC and IP ADDRESS.

> - What about the dynamically leased addresses: here the MAC address
>    can vary, only the pool of IP addresses is fixed.
>    If I understand well, putting in the MAC column a dash (-) and a
>    comma-delimited set of IP addresses in the IP ADDRESSES column, this
>    would be sufficient?

Or only the MAC addresses.

> 
> - what's that remark about "Your kernel must include MAC match support
>    (CONFIG_IP_NF_MATCH_MAC - module name ipt_mac.o)." How can I find out
>    if this is included on a SUSE 10.2 or SUSE 10.3 ?
> 
> - How to find out if "If your kernel and iptables have iprange match
>     support then IP address ranges are also allowed" for SUSE 10.2 and
>    SUSE 10.3 ?

See Shorewall FAQ 42.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
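For Pieter's three categories of hosts, a sample configuration laid out as the shorewall-maclist(5) manpage Tom refers to describes it. This is an added illustration, not part of the thread; the interface name eth1, the MAC addresses and the 192.168.1.0/24 addresses are constructed placeholders.

```text
# /etc/shorewall/shorewall.conf (relevant line only)
# Any packet on a maclist interface that matches no line below gets this:
MACLIST_DISPOSITION=REJECT

# /etc/shorewall/interfaces: MAC verification only runs on interfaces
# carrying the "maclist" option
#ZONE   INTERFACE   BROADCAST   OPTIONS
loc     eth1        detect      maclist

# /etc/shorewall/maclist
# The DISPOSITION column exists; with MACLIST_DISPOSITION=REJECT it is
# usually ACCEPT here, so the global disposition only hits non-matches.
#DISPOSITION   INTERFACE   MAC                 IP ADDRESSES (optional)
#
# 1. DHCP hosts with a fixed MAC->IP mapping: giving both MAC and IP
#    means a machine that keys in someone else's address is rejected
ACCEPT         eth1        00:11:22:33:44:01   192.168.1.11
ACCEPT         eth1        00:11:22:33:44:02   192.168.1.12
#
# 2. Hosts whose address is set manually: again both MAC and IP
ACCEPT         eth1        00:11:22:33:44:50   192.168.1.50
#
# 3. Visitor pool: any MAC ("-"), but only pool addresses, listed
#    comma-delimited (a range like 192.168.1.200-192.168.1.205 is only
#    accepted if kernel and iptables have iprange match support)
ACCEPT         eth1        -                   192.168.1.200,192.168.1.201,192.168.1.202
```

Note that maclist only governs what the firewall itself accepts from eth1: a visitor who types in an address that is already registered is cut off from the firewall, but the two hosts still collide at ARP level on the LAN, so the DHCP registration for the rightful owner should also be checked.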

