[Firehol-support] MAC address filtering example needed
Brian Snipes
Brian at hwnn.com
Thu Jun 2 17:02:27 BST 2005
Hmmm, if I have a /etc/firehol/coders file with the following content:
* begin snip
00:01:02:35:aa:80 00:01:02:35:ac:80 00:01:02:c8:4c:cc 00:0a:e6:28:42:bf 00:0a:e6:28:4a:8e 00:0a:e6:28:58:e2 00:0a:e6:33:55:95 00:0a:e6:41:d1:b4 00:0a:e6:28:46:fe
* end snip
And in my firehol.conf, I have:
*- begin snip
coders="`cat /etc/firehol/coders`"
router lan2i inface ${int_if} outface ${ext_nat_if} mac not "${coders}"
*- end snip
I get the following error:
-------------------------------------------------------------------------------
ERROR : # 1.
WHAT : A runtime command failed to execute (returned error 2).
SOURCE : line 267 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A out_lan2i -m mac --mac-source any -j RETURN
OUTPUT :
*- end error
This happens whether I put the mac addresses on one line or one per line.
I am running firehol-1.226 on Gentoo. Is this a small bug or just a mistake I have made?
Brian
>>> "Costa Tsaousis" <costa at tsaousis.gr> 6/2/2005 10:24 AM >>>
Hi,
coders="00:01:02:35:aa:80 00:01:02:35:ac:80 ..."
# or
# coders="`cat /path/to/file/with/one/mac/per/line`"
router lan2i inface ${lan_if} outface ${ext_nat_if} mac not "${coders}"
route bberry accept
route cups accept
...
Now these mac addresses will not even enter the lan2i router.
Regards,
Costa
On Wed, June 1, 2005 5:15, Brian Snipes said:
> Greets,
> Can someone give me an example of using the 'mac' parameter to block all
> traffic in a router section. I have multiple workstations that have to be
> blocked from having any outbound access. Here is what I have tried but it
> doesn't seem to block access:
> ---------------------------
> coders="00:01:02:35:aa:80 \
> 00:01:02:35:ac:80 \
> 00:01:02:c8:4c:cc \
> 00:0a:e6:28:42:bf \
> 00:0a:e6:28:4a:8e \
> 00:0a:e6:28:58:e2 \
> 00:0a:e6:33:55:95 \
> 00:0a:e6:41:d1:b4 \
> 00:0a:e6:28:46:fe \
> 00:0c:29:6b:a6:70"
> ...
> router lan2i inface lan outface ${ext_nat_if}
> route all reject mac ${coders}
> route bberry accept
> route cups accept
> route dict accept
> route ftp accept
> route http accept
> route https accept
> route icmp accept
> route imap accept
> route imaps accept
> route irc accept
> route jabber accept
> route ldap accept
> route ldaps accept
> route msn accept
> route nntp accept
> route nntps accept
> route ntp accept
> route ping accept
> route pop3 accept
> route pop3s accept
> route rdp accept
> client ssh accept src x.x.x.x/32
> -----------------------------
>
> Any ideas?
>
> Brian
>
>
> _______________________________________________
> Firehol-support mailing list
> Firehol-support at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/firehol-support
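Both messages hinge on getting a clean, non-empty list of MAC addresses into the `coders` variable before FireHOL turns it into `-m mac --mac-source` rules; the error above shows what happens when the value that reaches iptables is not a MAC at all. The following shell script is an added example, not code from the thread or from FireHOL itself: it reads a one-per-line list (the constructed sample file stands in for `/etc/firehol/coders`), rejects anything that is not a colon-separated MAC, refuses an empty result instead of letting a bad value through, and prints the plain iptables rules that a source-MAC block corresponds to. The function names, the `lan0` interface and the sample addresses are assumptions for illustration.

```shell
#!/bin/sh
# Constructed sample list (not the file from the original thread): one MAC per
# line, with a comment and a blank line to show they are tolerated.
SAMPLE_LIST="$(mktemp)"
cat > "$SAMPLE_LIST" <<'EOF'
# workstations that must not get outbound access (constructed sample)
00:01:02:35:aa:80
00:01:02:35:AC:80

00:0a:e6:28:42:bf
EOF

# normalize_mac_list FILE
# Prints the MACs from FILE as one lower-case, single-space-separated string,
# the shape a `mac not "${coders}"` parameter expects. Returns 1 if the file
# yields no addresses or contains a token that is not a valid MAC, so a bad
# list is caught in the shell rather than by iptables at load time.
normalize_mac_list() {
    file="$1"
    list=""
    while IFS= read -r line || [ -n "$line" ]; do
        # strip comments and surrounding whitespace
        line="$(printf '%s' "$line" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')"
        if [ -z "$line" ]; then
            continue
        fi
        # a line may still hold several space-separated addresses
        for tok in $line; do
            if ! printf '%s' "$tok" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'; then
                printf 'invalid MAC address: %s\n' "$tok" >&2
                return 1
            fi
            tok="$(printf '%s' "$tok" | tr 'A-F' 'a-f')"
            list="${list:+$list }$tok"
        done
    done < "$file"
    if [ -z "$list" ]; then
        printf 'MAC list %s is empty\n' "$file" >&2
        return 1
    fi
    printf '%s\n' "$list"
}

# mac_block_rules IFACE MAC...
# Prints (does not execute) one plain iptables rule per address that drops
# forwarded frames from that source MAC arriving on IFACE. This illustrates
# what a source-MAC match does; FireHOL generates its own chains and rules.
mac_block_rules() {
    iface="$1"
    shift
    for mac in "$@"; do
        printf 'iptables -A FORWARD -i %s -m mac --mac-source %s -j DROP\n' "$iface" "$mac"
    done
}

# Stand-alone run: normalize the sample list, then show the equivalent rules.
coders="$(normalize_mac_list "$SAMPLE_LIST")" || exit 1
mac_block_rules lan0 $coders
rm -f "$SAMPLE_LIST"
```

Source-MAC matching only sees the address of the last hop, so it is meaningful on the LAN-facing interface where the workstations are directly attached, and it is a convenience control rather than a strong one: a MAC is trivially changed by the host's owner. Pairing it with a DHCP reservation or IP-to-MAC check on the same interface gives a more useful audit trail for unexpected traffic.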