On 10/11/19 7:47 AM, Tom Eastep wrote:
> On 10/11/19 1:51 AM, Vieri Di Paola wrote:
>> On Thu, Oct 10, 2019 at 6:37 PM Tom Eastep <teas...@shorewall.net> wrote:
>>
>>>> This other rule seems to work:
>>>>
>>>> ACCEPT lan12,lan13:~00-E3-C0-5F-81-5D soc,s100 all
>>>
>>> MAC addresses may only be used in the SOURCE column -- a careful reading
>>> of shorewall-rules(5) should make that clear.
>>
>> In my previous examples, I've always used the MAC addresses only in
>> the SOURCE column.
>>
>> One of my examples was:
>> ACCEPT $FW:~00-E3-C0-5F-81-5D soc,s100 all
>>
>> The MAC addr. is in the SOURCE column.
>> However, I'm getting this error from "shorewall check":
>>
>> ERROR: A MAC address(~00-E3-C0-5F-81-5D) cannot be used in this context
>>
>> Replacing $FW with 'all' yields the same error (in the SOURCE column).
>>
>> Using any other zone does not produce this error message.
>>
>
> You can't use it in the OUTPUT chain either -- the source MAC address
> isn't assigned until the packet is about to be put on the wire.
>

See iptables-extensions(8) and look for the 'mac' match. Rules generated
when the source is $FW are processed out of the OUTPUT chain.

-Tom
--
Tom Eastep            \ Q: What do you get when you cross a mobster with
Shoreline,             \    an international standard?
Washington, USA         \ A: Someone who makes you an offer you can't
http://shorewall.org     \    understand
                          \_______________________________________________
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
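The constraint discussed in the thread (a MAC match is only meaningful in the SOURCE column, and not when the source zone is $FW or 'all', because those rules are emitted into the OUTPUT chain where the source MAC has not been set yet) can be expressed as a small pre-check on a rules file. The following is an added example written for this page, not Shorewall's own code or its actual compiler logic; it assumes the firewall zone is spelled $FW in the file (Shorewall lets you rename it), the sample rules are constructed to mirror the ones quoted above, and the error strings simply echo the wording from the thread.

```python
import re

# Matches a Shorewall MAC qualifier such as "~00-E3-C0-5F-81-5D".
MAC_RE = re.compile(r"~([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")

# Source zones whose generated rules are processed out of the OUTPUT chain,
# where the iptables 'mac' match is unavailable (no source MAC exists yet).
# Assumption: the firewall zone is named $FW; 'all' expands to include it.
OUTPUT_CHAIN_ZONES = {"$FW", "all"}

# Constructed sample rules file, modelled on the rules quoted in the thread.
SAMPLE_RULES = """\
#ACTION  SOURCE                           DEST                     PROTO  DPORT
ACCEPT   lan12,lan13:~00-E3-C0-5F-81-5D   soc,s100                 all
ACCEPT   $FW:~00-E3-C0-5F-81-5D           soc,s100                 all
ACCEPT   all:~00-E3-C0-5F-81-5D           soc,s100                 all
ACCEPT   lan12                            soc:~00-E3-C0-5F-81-5D   tcp    22
"""


def split_spec(spec):
    """Split 'zone1,zone2:qualifier' into (list of zones, qualifier string)."""
    zones, _, qualifier = spec.partition(":")
    return [z.strip() for z in zones.split(",")], qualifier


def check_rule(line):
    """Return an error string for one rule line, or None if it passes."""
    fields = line.split()
    if len(fields) < 3:
        return None  # not enough columns to hold both SOURCE and DEST
    _action, source, dest = fields[:3]

    # A MAC qualifier on the DEST column is never valid.
    _dest_zones, dest_qual = split_spec(dest)
    if MAC_RE.search(dest_qual):
        return "ERROR: MAC addresses may only be used in the SOURCE column"

    # A MAC qualifier on SOURCE is fine unless the rule lands in OUTPUT.
    src_zones, src_qual = split_spec(source)
    mac = MAC_RE.search(src_qual)
    if mac and any(z in OUTPUT_CHAIN_ZONES for z in src_zones):
        return f"ERROR: A MAC address(~{mac.group(1)}) cannot be used in this context"
    return None


def check_rules(text):
    """Lint a whole rules file; return [(line_number, error_message), ...]."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        err = check_rule(line)
        if err:
            problems.append((lineno, err))
    return problems


if __name__ == "__main__":
    for lineno, err in check_rules(SAMPLE_RULES):
        print(f"line {lineno}: {err}")
```

Run against the sample file, the first rule (MAC on a LAN source zone) passes, the two $FW/all rules are rejected with the same message Vieri saw from "shorewall check", and the rule with a MAC on DEST is rejected for the reason Tom gave first. The check is deliberately limited to the three leading columns; real Shorewall syntax (exclusions, port ranges, $VARIABLES in the DEST column) is not modelled here.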