On 10/9/19 12:26 AM, Vieri Di Paola wrote:
> Hi,
>
> I'd like to accept traffic only from one of the FW's MAC addresses to
> another zone.
>
> I tried this:
>
> ACCEPT  $FW:~00-E3-C0-5F-81-5D  soc,s100  all
>
> but got this:
>
> ERROR: A MAC address(~00-E3-C0-5F-81-5D) cannot be used in this context
>
> Replacing $FW with 'all' yields the same error.
>
> Using any other zone does not produce this error message.
>
> Is it possible to allow traffic ONLY from a specific MAC address
> coming from any zone?
>
> I'm asking because I'm using TEE to duplicate traffic and send it to
> an IDS. It's duplicating traffic from, say, zones "lan13" and "lan12"
> to zone "s100". The TEE module modifies the headers of the duplicated
> ethernet packets by setting the IDS's destination MAC address. So all
> packets have the FW's source MAC address and the IDS's destination MAC
> addr., even though the src and dst IP addresses are those of other
> hosts.
That is the way that it works. TEE creates a copy of the packet then routes it to the specified gateway. The ethernet frame header thus specifies the L2 addresses of the source and destination hosts on that ethernet segment.

> This other rule seems to work:
>
> ACCEPT  lan12,lan13:~00-E3-C0-5F-81-5D  soc,s100  all

MAC addresses may only be used in the SOURCE column -- a careful reading of shorewall-rules(5) should make that clear.

-Tom
--
Tom Eastep           \ Q: What do you get when you cross a mobster with
Shoreline,            \   an international standard?
Washington, USA        \ A: Someone who makes you an offer you can't
http://shorewall.org    \   understand
                         \_______________________________________________
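A small pre-check for a Shorewall rules file, added here as an illustration; it is not Shorewall code and not something either poster wrote. It encodes only what the thread establishes: a ~MAC qualifier is accepted in the SOURCE column, it is rejected when the SOURCE zone is $FW or 'all', and Shorewall writes MAC addresses as ~xx-xx-xx-xx-xx-xx. The sample rules file is constructed for the example; the zone names and the MAC are reused from the thread. (Background not stated on the page: netfilter's mac match works only in chains that see an incoming interface, which is why the firewall's own outbound traffic, $FW as SOURCE, cannot be matched by MAC.)

```python
"""Pre-check Shorewall 'rules' lines for MAC qualifiers.

Added example, not part of the Shorewall project. Run it over a rules
file before `shorewall check` to catch the two forms the thread shows
being rejected, plus a malformed MAC.
"""
import re

# Shorewall writes MAC addresses as ~xx-xx-xx-xx-xx-xx: hyphens, because a
# colon separates the zone, interface and address parts of a column.
MAC_RE = re.compile(r"^~[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}$")

# Constructed sample rules file (not from the original post).
SAMPLE_RULES = """\
?SECTION NEW
# mirrored IDS traffic: MAC qualifier on ordinary zones is accepted
ACCEPT  lan12,lan13:~00-E3-C0-5F-81-5D  soc,s100  all
# rejected by shorewall: $FW or 'all' as SOURCE together with a MAC
ACCEPT  $FW:~00-E3-C0-5F-81-5D          soc,s100  all
ACCEPT  all:~00-E3-C0-5F-81-5D          soc,s100  all
# rejected: a MAC belongs in SOURCE, not DEST
ACCEPT  lan12                           soc:~00-E3-C0-5F-81-5D  all
# malformed: colons instead of hyphens inside the MAC
ACCEPT  lan12:~00:E3:C0:5F:81:5D        soc       all
"""


def split_column(column):
    """Return (zone_list, qualifiers) for a SOURCE or DEST column.

    Columns look like zone[,zone...][:interface][:address]; the first ':'
    ends the zone list and the remainder holds the qualifiers.
    """
    zone_part, _, rest = column.partition(":")
    zones = [z for z in zone_part.split(",") if z]
    qualifiers = rest.split(":") if rest else []
    return zones, qualifiers


def check_rule(line):
    """Return a list of problems for one rules line ([] means it passes)."""
    stripped = line.strip()
    if not stripped or stripped.startswith(("#", "?")):
        return []  # blank, comment or ?SECTION line
    fields = stripped.split()
    if len(fields) < 3:
        return ["rule needs at least ACTION, SOURCE and DEST columns"]
    _action, source, dest = fields[0], fields[1], fields[2]
    problems = []

    # DEST may not carry a MAC at all.
    _, dest_quals = split_column(dest)
    if any(q.startswith("~") for q in dest_quals):
        problems.append("MAC address in DEST column; only SOURCE may carry ~MAC")

    # SOURCE may carry a MAC, but not for $FW or 'all': the firewall's own
    # outbound packets have no incoming interface for the mac match to use
    # (netfilter background, not stated in the thread).
    zones, src_quals = split_column(source)
    macs = [q for q in src_quals if q.startswith("~")]
    for mac in macs:
        if not MAC_RE.match(mac):
            problems.append(f"malformed MAC {mac!r}; expected ~xx-xx-xx-xx-xx-xx")
    if macs and any(z in ("$FW", "all") for z in zones):
        problems.append("MAC address cannot be used with $FW or 'all' as SOURCE")
    return problems


def check_rules(text):
    """Check every line of a rules file; return {line_no: [problems]}."""
    findings = {}
    for number, line in enumerate(text.splitlines(), 1):
        problems = check_rule(line)
        if problems:
            findings[number] = problems
    return findings


if __name__ == "__main__":
    for number, problems in sorted(check_rules(SAMPLE_RULES).items()):
        for problem in problems:
            print(f"rules:{number}: {problem}")
```

This only pre-screens the MAC-related mistakes from the thread; `shorewall check` remains the authoritative validation, since it compiles the full configuration.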
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users