Tom Eastep wrote:
> Pieter Donche wrote:
>> We have a DHCP server running on a central server behind our Shorewall
>> firewall (shorewall-perl-4.0.6). We have some 200 hosts all on the
>> same subnet and all behind that firewall. 
>> We use 
>> 1. (mostly) fixed IP addresses assigned to MAC addresses so that every
>>    registered machine always gets the same IP address if he sets his PC
>>    to 'automatically obtain an IP address' (DHCP)
>> 2. a number of PCs where the TCP/IP addresses are set manually in the PC
>>    (not using DHCP) and recorded as known of/allowed.
>> 3. a small pool of dynamically leased addresses specified in our DHCP server
>>    (for visitors).
>>
>> But sometimes some user does not set his PC to 'automatically obtain
>> an IP address' (DHCP) but puts in an IP address manually in his TCP/IP
>> configuration ... and if that IP address was already registered
>> for someone else's MAC address, the DHCP server will not hand out that 
>> IP when it finds that IP address is in use, leaving the rightful 
>> 'owner' of that IP address without network connection ...
>>
>> How can we make this impossible?
>>
>> I took a look at www.shorewall.net/MAC_Validation.html 
>> but have questions:
>>
>> - /etc/shorewall/maclist: has no column 'DISPOSITION' in Example 1,
>> does this mean, the MACLIST_DISPOSITION=REJECT from shorewall.conf is
>> applied to all lines (as if all lines contained a first Column 'REJECT')?
> 
> I've removed the last two sections of that article to avoid confusion.
> The shorewall-maclist (5) manpage is much clearer anyway.

I've now re-added an updated example that will hopefully be clearer.
Each entry in the maclist file is an ACCEPT entry. So matching entries
are accepted and all others are REJECTed.

Hope that helps,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
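
The following is an added example, not part of the original message and not Shorewall's own code: a simplified Python model of the semantics described above, where a packet is accepted only if a maclist entry matches it and everything else gets the default disposition. It assumes the DISPOSITION / INTERFACE / MAC / IP ADDRESSES column layout of shorewall-maclist(5); the interface name, MAC addresses and IP addresses are constructed sample values.

```python
import ipaddress

# Constructed sample in the assumed shorewall-maclist(5) column layout.
# The third entry lists no IP address, so it matches on MAC alone.
SAMPLE_MACLIST = """\
#DISPOSITION  INTERFACE  MAC                 IP ADDRESSES
ACCEPT        eth1       ~00-16-3E-00-00-0A  192.0.2.10
ACCEPT        eth1       ~00-16-3E-00-00-0B  192.0.2.11
ACCEPT        eth1       ~00-16-3E-00-00-63
"""

def norm_mac(mac):
    """Normalise '~00-16-3E-..' or '00:16:3e:..' to lower-case colon form."""
    return mac.lstrip("~").replace("-", ":").lower()

def parse_maclist(text):
    """Return a list of (disposition, interface, mac, [networks]) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        disposition, iface, mac = fields[:3]
        nets = ([ipaddress.ip_network(a, strict=False)
                 for a in fields[3].split(",")] if len(fields) > 3 else [])
        entries.append((disposition, iface, norm_mac(mac), nets))
    return entries

def verdict(entries, iface, src_mac, src_ip, default="REJECT"):
    """First entry matching interface, MAC and (if listed) source IP wins;
    anything unmatched gets the default (MACLIST_DISPOSITION)."""
    ip = ipaddress.ip_address(src_ip)
    for disposition, e_iface, e_mac, nets in entries:
        if e_iface != iface or e_mac != norm_mac(src_mac):
            continue
        if not nets or any(ip in n for n in nets):
            return disposition
    return default

if __name__ == "__main__":
    rules = parse_maclist(SAMPLE_MACLIST)
    # Rightful owner, a registered host using someone else's IP, unknown MAC.
    for mac, ip in [("00:16:3e:00:00:0a", "192.0.2.10"),
                    ("00:16:3e:00:00:0b", "192.0.2.10"),
                    ("00:16:3e:00:00:ff", "192.0.2.12")]:
        print(mac, ip, verdict(rules, "eth1", mac, ip))
```

An entry without an IP address accepts its MAC with any source address, so only entries that pair a MAC with its IP reject a host that configures another machine's address. The model covers only packets the firewall itself evaluates.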

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
