> > We have a DHCP server running on a central server behind our Shorewall
> > firewall (shorewall-perl-4.0.6). We have some 200 hosts all on the
> > same subnet and all behind that firewall. 
> > We use 
> > 1. (mostly) fixed IP addresses assigned to MAC addresses so that every
> >    registered machine always gets the same IP address if he sets his PC
> >    to 'automatically obtain an IP address' (DHCP)
> > 2. a number of PCs where the TCP/IP addresses are set manually in the PC
> >    (not using DHCP) and recorded as known of/allowed.
> > 3. a small pool of dynamically leased addresses specified in our DHCP server
> >    (for visitors).
> > 
> > But sometimes some user does not set his PC to 'automatically obtain
> > an IP address' (DHCP) but puts in an IP address manually in his TCP/IP
> > configuration ... and if that IP address was already registered
> > for someone else's MAC address, the DHCP server will not hand out that 
> > IP when it finds that IP address is in use, leaving the rightful 
> > 'owner' of that IP address without a network connection ...
> > 
> > How can we make this impossible?
> > 
> > I took a look at www.shorewall.net/MAC_Validation.html 
> > but have questions:
> > 
> > - The MAC-address/IP-address combinations registered in our
> >    DHCP server (1.) and the ones manually set (2.) must all be in
> >   /etc/shorewall/maclist?
> 
> Depends on how you set it up. If you set MACLIST_DISPOSITION=ACCEPT then
> you might only add entries in /etc/shorewall/maclist for those that are
> manually set -- specify both MAC and IP ADDRESS.

But if I would use MACLIST_DISPOSITION=ACCEPT and only record entries for
those that are manually set (2.), wouldn't this leave the possibility open
that a user manually sets in his PC an IP address which is already 
reserved in our DHCP server (case 1.) for someone else's PC, causing the
trouble that the DHCP server will not hand out that IP to the rightful
'owner' when that IP is in use ... (as I mentioned in my initial mail)

So I believe that my only option is to specify all the DHCP-assigned 
fixed MAC/IP addresses in maclist.

Or do I misunderstand? (Then what am I missing here?)

> 
> > - What about the dynamically leased addresses: here the MAC address
> >    can vary, only the pool of IP addresses is fixed.
> >    If I understand well, putting in the MAC column a dash (-) and a
> >    comma-delimited set of IP addresses in the IPADDRESSES column, this
> >    would be sufficient?
> 
> Or only the MAC addresses.

But I want to avoid that a visitor for only a few days would need to ask
me to record his MAC address. So I believe that my only option then is
to use a dash in the MAC column and a comma-delimited set of IP addresses in the
IPADDRESSES column.

Is that right?
> 
> > - what's that remark about "Your kernel must include MAC match support
> >    (CONFIG_IP_NF_MATCH_MAC - module name ipt_mac.o)." How can I find out
> >    if this is included on a SUSE 10.2 or SUSE 10.3 ?
> > - How to find out if "If your kernel and iptables have iprange match
> >     support then IP address ranges are also allowed" for SUSE 10.2 and
> >    SUSE 10.3 ?
> See Shorewall FAQ 42.

# shorewall show capabilities
reports the following (see below):

So I have iprange match support, no ipset support,
but what about 'MAC match support'? Do I have it or not?
- I don't see anything in the 'Available' or 'Not Available' lines, 
or does it correspond to 'Physdev match' or what?

Shorewall has detected the following iptables/netfilter capabilities:
    NAT: Available
    Packet Mangling: Available
    Multi-port Match: Available
    Extended Multi-port Match: Available
    Connection Tracking Match: Available
    Packet Type Match: Available
    Policy Match: Available
    Physdev Match: Available
    Physdev-is-bridged Support: Available
    Packet length Match: Available
    IP range Match: Available
    Recent Match: Available
    Owner Match: Available
    Ipset Match: Not available
    CONNMARK Target: Available
    Extended CONNMARK Target: Available
    Connmark Match: Available
    Extended Connmark Match: Available
    Raw Table: Available
    IPP2P Match: Not available
    CLASSIFY Target: Available
    Extended REJECT: Available
    Repeat match: Available
    MARK Target: Available
    Extended MARK Target: Available
    Mangle FORWARD Chain: Available
    Comments: Available
    Address Type Match: Available
    TCPMSS Match: Available
    Hashlimit Match: Available
    NFQUEUE Target: Available


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
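The three address sources in this message (fixed DHCP reservations, manually configured PCs, and a small dynamic pool for visitors) can be turned into one maclist file mechanically, and doing so also catches the duplicate-IP situation described above before Shorewall ever loads the list. The script below is an added example by the editor, not Shorewall's or ISC dhcpd's own code and not from the thread. The dhcpd.conf contents, the MAC and IP addresses and the interface name eth1 are constructed; the output layout (DISPOSITION INTERFACE MAC IP-ADDRESSES, a dash in the MAC column to check only the IP, comma-separated addresses or a lo-hi range, the latter needing the iprange match shown as Available above) follows the Shorewall maclist documentation as I read it, so check it against the maclist man page for your version before deploying. Because every registered pair ends up in the list, the output is meant for MACLIST_DISPOSITION=DROP (or REJECT), the setting under which a MAC/IP pair that is not listed is refused.

```python
"""Generate /etc/shorewall/maclist from fixed DHCP reservations, manually
configured hosts and a dynamic pool, refusing to emit anything when two
sources claim the same IPv4 address.  Added example; not Shorewall's or
dhcpd's code.  All addresses and the interface name are constructed."""
import ipaddress
import re

# Constructed dhcpd.conf: two fixed reservations (case 1) and a visitor
# pool (case 3).  Real deployments would read /etc/dhcpd.conf instead.
SAMPLE_DHCPD_CONF = """
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.200 192.168.1.205;
    host alice { hardware ethernet 00:11:22:33:44:55; fixed-address 192.168.1.10; }
    host bob {
        hardware ethernet 00:11:22:33:44:66;
        fixed-address 192.168.1.11;
    }
}
"""

# Case 2: PCs with hand-set addresses, recorded by the admin (constructed).
MANUAL_HOSTS = {"00:11:22:33:44:77": "192.168.1.50"}

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
HOST_RE = re.compile(
    r"host\s+\S+\s*\{[^}]*?hardware\s+ethernet\s+([0-9a-fA-F:]{17})\s*;"
    r"[^}]*?fixed-address\s+([0-9.]+)\s*;[^}]*?\}", re.S)
RANGE_RE = re.compile(r"range\s+([0-9.]+)\s+([0-9.]+)\s*;")


def normalize_mac(mac):
    """Lower-case colon form, which is what the maclist MAC column takes."""
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError("bad MAC address: %r" % mac)
    return mac


def ip_range_addresses(lo, hi):
    """Expand an inclusive lo-hi IPv4 range into individual addresses."""
    start, end = int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi))
    return [str(ipaddress.ip_address(n)) for n in range(start, end + 1)]


def parse_dhcpd_conf(text):
    """Return ({mac: ip} fixed reservations, [(lo, hi)] dynamic ranges)."""
    fixed = {}
    for mac, ip in HOST_RE.findall(text):
        mac = normalize_mac(mac)
        if mac in fixed:
            raise ValueError("MAC %s reserved twice in dhcpd.conf" % mac)
        fixed[mac] = str(ipaddress.ip_address(ip))
    ranges = [(str(ipaddress.ip_address(lo)), str(ipaddress.ip_address(hi)))
              for lo, hi in RANGE_RE.findall(text)]
    return fixed, ranges


def find_conflicts(fixed, manual, ranges):
    """Map each IP claimed by more than one source to the claimants.  A
    manual host reusing a reserved IP is exactly what knocks the
    reservation's rightful owner off the network."""
    claims = {}
    for source, table in (("dhcp-fixed", fixed), ("manual", manual)):
        for mac, ip in table.items():
            claims.setdefault(ip, []).append("%s:%s" % (source, normalize_mac(mac)))
    for lo, hi in ranges:
        for ip in ip_range_addresses(lo, hi):
            claims.setdefault(ip, []).append("dynamic-pool")
    return {ip: who for ip, who in claims.items() if len(who) > 1}


def build_maclist(fixed, manual, ranges, interface, use_iprange=True):
    """Emit maclist lines.  Column layout is assumed from the Shorewall
    maclist documentation: DISPOSITION INTERFACE MAC IP-ADDRESSES, with '-'
    in the MAC column to match on IP only.  use_iprange=True writes lo-hi
    (needs the iprange match); False writes a comma-separated list."""
    conflicts = find_conflicts(fixed, manual, ranges)
    if conflicts:
        raise ValueError("conflicting IP claims, refusing to write maclist: %r"
                         % conflicts)
    lines = ["#DISPOSITION INTERFACE MAC IP-ADDRESSES"]
    for table in (fixed, manual):
        for mac, ip in sorted(table.items(),
                              key=lambda kv: int(ipaddress.ip_address(kv[1]))):
            lines.append("ACCEPT %s %s %s" % (interface, normalize_mac(mac), ip))
    for lo, hi in ranges:
        addrs = "%s-%s" % (lo, hi) if use_iprange else ",".join(ip_range_addresses(lo, hi))
        lines.append("ACCEPT %s - %s" % (interface, addrs))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    reservations, pools = parse_dhcpd_conf(SAMPLE_DHCPD_CONF)
    print(build_maclist(reservations, MANUAL_HOSTS, pools, "eth1"))
```

Run it and redirect the output to /etc/shorewall/maclist, then `shorewall check` and `shorewall restart`; if a manual entry collides with a reservation or with the visitor pool the script raises instead of writing a list that would silently let the collision through.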