No subject

Thu Oct 17 10:17:56 BST 2013


mac [not] <address>


mac matches the source MAC address of packets coming into the firewall.
The mac parameter does nothing for outgoing traffic.
For interfaces, the mac parameter matches against all traffic that comes
into the firewall, whether it is server or client traffic.
For routers, the mac parameter also matches against all traffic coming
into the firewall, but FireHOL considers the router input differently
based on the command given. For server or route statements, the mac
parameter matches the MAC address of the client (the host sending the
request), while for client statements it matches the source MAC address of
the server (the host accepting requests).

In principle, the mac parameter behaves the same for both interfaces and
routers, and this is why: the mac parameter matches the source MAC address
of what FireHOL considers the "remote" host, not the one that FireHOL
considers the "protected" one. For interfaces this is simple, because the
"remote" host is always a remote host and the "protected" host is the one
running the firewall. For routers, though, the command chosen (client or
server) defines what the firewall protects. Therefore, a client statement
protects the client, making the "remote" host the server, while a server
statement protects the server, and therefore the "remote" host is the
client.

More than one MAC address can be given if the addresses are separated by
spaces and enclosed in quotes as a single argument to the mac parameter.

The not argument reverses the match. When several MAC addresses are
given, positive expressions are ORed (any one of the addresses may
match), while negative expressions are ANDed (none of the addresses may
match).


The mac parameter can be used everywhere: interfaces, routers, servers,
clients, etc.

It is possible therefore to do:

interface eth0 mylan mac "MAC1 MAC2 MAC3"
   server x accept


router x inface eth0 outface eth1 mac "MAC1 MAC2 MAC3"
   server x accept

but also

interface eth0 mylan
   server x accept mac "MAC1 MAC2 MAC3"


router x inface eth0 outface eth1
   server x accept mac "MAC1 MAC2 MAC3"

Please report success or failure.
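A worked firehol.conf for the case James describes (LAN clients allowed out to the Internet by the MAC address of their NIC), written here as an added example rather than taken from the original message; the interface names (eth0 = LAN, eth1 = Internet), the router name, the variable name and the MAC addresses are constructed and need to be replaced with real values.

```firehol
version 5

# Constructed example MAC addresses of the client NICs allowed out.
# Several addresses are passed as one space-separated, quoted argument.
allowed_clients="00:11:22:33:44:55 00:11:22:33:44:66"

# NAT the LAN behind the Internet-facing interface.
masquerade eth1

# The firewall host itself, seen from the LAN: only the listed NICs may
# reach its ssh service. On an interface, mac always matches the MAC of
# the remote host, i.e. the LAN machine sending the packet.
interface eth0 lan
    policy reject
    server ssh accept mac "${allowed_clients}"
    client all accept

# LAN (eth0) to Internet (eth1). On a router, a server statement matches
# requests entering on inface, so mac here is the source MAC of the LAN
# client making the request. A client statement on this router would
# instead match the MAC of the server on the eth1 side, which is not what
# is wanted here. mac only checks packets entering the firewall, so the
# outgoing side of the connection is not tested against it.
router lan2inet inface eth0 outface eth1 mac "${allowed_clients}"
    server all accept

# Unsolicited traffic arriving from the Internet is dropped; the firewall
# host may still initiate connections out.
interface eth1 inet
    policy drop
    client all accept
```

A LAN host whose NIC is not in allowed_clients can still talk to the firewall's own services only where an interface rule without mac allows it, and gets no route to eth1 at all.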


> Is it possible, instead of having a set/range of ip addresses that are given
> access to the internet through the firewall, to do it by the mac
> address of the client nic?
> I wasn't looking forward to doing a double entry at the beginning of
> firehol.conf
> mac <ip address> <Mac Address>
> mac <ip address2> <Mac Address>
> and then have the
> accepted_ips={ip address, ip address2, etc etc}
> Much easier if it was
> accepted_clients={Mac Address1, Mac Address2, etc etc}
> ???
> Any help would be appreciated.
> James
