Hi, I'd like to accept traffic only from one of the FW's MAC addresses to another zone.

I tried this:

    ACCEPT $FW:~00-E3-C0-5F-81-5D soc,s100 all

but got this:

    ERROR: A MAC address(~00-E3-C0-5F-81-5D) cannot be used in this context

Replacing $FW with 'all' yields the same error. Using any other zone does not produce this error message.

Is it possible to allow traffic ONLY from a specific MAC address coming from any zone?

I'm asking because I'm using TEE to duplicate traffic and send it to an IDS. It's duplicating traffic from, say, zones "lan13" and "lan12" to zone "s100". The TEE module modifies the headers of the duplicated ethernet packets by setting the IDS's destination MAC address. So all packets have the FW's source MAC address and the IDS's destination MAC addr., even though the src and dst IP addresses are those of other hosts.

This other rule seems to work:

    ACCEPT lan12,lan13:~00-E3-C0-5F-81-5D soc,s100 all

However, this rule seems to be irrelevant/useless when specifying this in "mangle":

    IPTABLES(TEE --gateway $IPS_SOC_PROBE):P ${IF_LAN}.13 -
    IPTABLES(TEE --gateway $IPS_SOC_PROBE):P ${IF_LAN}.12 -

By the way, the performance issues I reported in a previous thread seem to have something to do with IRQs because I get relatively high CPU usage values for ksoftirqd, e.g.:

    root 20 0 0 0 0 S 41.4 0.0 0:56.50 ksoftirqd/0
    root 20 0 0 0 0 S 16.9 0.0 1:42.80 ksoftirqd/7
    root 20 0 0 0 0 R 10.9 0.0 0:39.93 ksoftirqd/5
    root 20 0 0 0 0 S 18.5 0.0 0:58.69 ksoftirqd/0
    root 20 0 0 0 0 S 16.2 0.0 0:31.31 ksoftirqd/1
    root 20 0 0 0 0 S 15.9 0.0 0:47.83 ksoftirqd/2

etc.

Does anyone have any ideas as to what I could try? Would changing the NIC make any difference, or is it a motherboard limitation?

Thanks,
Vieri

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
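An added example, not code from the post or from the Shorewall project, for the ksoftirqd question at the end of the message: high softirq load concentrated on one or two CPUs is often worth correlating with how the NIC's interrupts are distributed in /proc/interrupts, since TEE'd copies of every packet pass through the NET_RX/NET_TX softirq path on whichever CPU takes the NIC's IRQ. The script parses a /proc/interrupts snapshot and a top(1) excerpt in the column layout quoted above, computes which CPUs carry the NIC's interrupts, and reports the peak ksoftirqd %CPU per core. The interface name "eth1", the IRQ numbers and the counts are constructed sample data, not values from the post.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in /proc/interrupts layout. The NIC name "eth1", the IRQ
# numbers and the counts are assumptions for this example, not from the post.
SAMPLE_INTERRUPTS = """\
           CPU0       CPU1       CPU2       CPU3
  24:    1200000          0          0          0   PCI-MSI-edge      eth1-rx-0
  25:          0      15000          0          0   PCI-MSI-edge      eth1-rx-1
  26:     800000          0          0          0   PCI-MSI-edge      eth1-tx-0
  27:       3000       2900       3100       3000   PCI-MSI-edge      ahci
"""

# Constructed sample in the top(1) column layout quoted in the post
# (USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND, PID column cut off).
SAMPLE_TOP = """\
root 20 0 0 0 0 S 41.4 0.0 0:56.50 ksoftirqd/0
root 20 0 0 0 0 S 16.9 0.0 1:42.80 ksoftirqd/7
root 20 0 0 0 0 R 10.9 0.0 0:39.93 ksoftirqd/5
root 20 0 0 0 0 S 18.5 0.0 0:58.69 ksoftirqd/0
"""


def parse_interrupts(text: str) -> Tuple[List[str], Dict[str, Tuple[str, List[int]]]]:
    """Return (cpu names, {irq: (device name, per-CPU counts)})."""
    lines = text.splitlines()
    cpus = lines[0].split()
    rows: Dict[str, Tuple[str, List[int]]] = {}
    for line in lines[1:]:
        parts = line.split()
        # Skip blanks and summary lines (ERR:, MIS:) that lack a device column.
        if len(parts) < len(cpus) + 2 or not parts[0].endswith(":"):
            continue
        irq = parts[0][:-1]
        counts = [int(c) for c in parts[1:1 + len(cpus)]]
        rows[irq] = (parts[-1], counts)
    return cpus, rows


def per_cpu_share(text: str, device_pattern: str) -> Dict[str, float]:
    """Fraction of all interrupts for devices matching the regex, keyed by CPU."""
    cpus, rows = parse_interrupts(text)
    totals = [0] * len(cpus)
    for name, counts in rows.values():
        if re.search(device_pattern, name):
            for i, c in enumerate(counts):
                totals[i] += c
    grand = sum(totals)
    if grand == 0:
        return {cpu: 0.0 for cpu in cpus}
    return {cpu: totals[i] / grand for i, cpu in enumerate(cpus)}


def hot_cpus(shares: Dict[str, float], threshold: float = 0.5) -> List[str]:
    """CPUs that take more than `threshold` of the matched device's interrupts."""
    return [cpu for cpu, s in shares.items() if s > threshold]


def ksoftirqd_load(text: str) -> Dict[str, float]:
    """Peak %CPU per ksoftirqd/N thread across the top samples in `text`.

    Columns are taken from the right (COMMAND, TIME+, %MEM, %CPU) so the
    parser works whether or not the PID column survived copy-paste.
    """
    load: Dict[str, float] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[-1].startswith("ksoftirqd/"):
            continue
        cpu = parts[-1].split("/", 1)[1]
        pct = float(parts[-4])
        load[cpu] = max(load.get(cpu, 0.0), pct)
    return load


if __name__ == "__main__":
    shares = per_cpu_share(SAMPLE_INTERRUPTS, r"^eth1")
    print("NIC IRQ share per CPU:", {c: round(s, 3) for c, s in shares.items()})
    print("CPUs taking >50% of NIC IRQs:", hot_cpus(shares))
    print("ksoftirqd peak %CPU per core:", ksoftirqd_load(SAMPLE_TOP))
```

On a live host, feed `open("/proc/interrupts").read()` and a saved `top -b -n 1` run to the same functions; if the NIC's receive queues all land on one core while that core's ksoftirqd is the busiest, the IRQ affinity (readable under /proc/irq/N/smp_affinity) is a more likely explanation than the NIC or board itself.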