From: Tom E. <te...@sh...> - 2005-09-29 14:04:25

Paulo Cunha wrote:
>
> and all packages just get rejected by the eth2_mac chain

Ok -- Look at one of these messages; what MAC address is reported in
the message?

> i added the mac addresses of the bridge's eth0 and eth1 to the eth2
> maclist and it works ! weird it works, but everybody can access the
> internet, including clients that don't have macs listed ...

Something isn't adding up here.

>
> here is what i think:
>
> 1 the package comes through eth2 going to eth0.
> 2 the firewall sees it is going to internet and does an snat on it to
> masquerade my internal net and changes its source address and
> consequently its mac.
> 3 the package passes through the forward chain that checks its mac
> address to see if it comes from a valid mac from eth2 and bang ! the mac
> is not the original mac anymore, it's now my local mac.
>

That analysis is wrong -- SNAT occurs in the POSTROUTING chain which is
traversed AFTER the FORWARD chain.

Please submit a real problem report as described at
http://www.shorewall.net/support.htm.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ te...@sh...
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
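The chain-ordering point Tom makes above, as an added toy model that is not part of this thread, of Shorewall, or of netfilter itself: a forwarded packet traverses PREROUTING, the routing decision, FORWARD and only then POSTROUTING, so a per-interface MAC allowlist enforced in FORWARD (the role Shorewall's maclist plays) sees the frame's original source MAC, and SNAT/MASQUERADE in POSTROUTING rewrites only the layer-3 source address. Interface names, MAC addresses, IP addresses and the allowlist are all constructed for the example.

```python
"""Toy model of netfilter chain traversal for a forwarded packet.

Added example, not code from the Shorewall project or the mailing list.
It shows that a MAC allowlist applied in FORWARD is evaluated before
SNAT in POSTROUTING, and that SNAT never touches the source MAC.
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    in_iface: str
    out_iface: str
    src_mac: str
    src_ip: str
    dst_ip: str
    trace: list = field(default_factory=list)  # chain-by-chain log


# Constructed allowlist: MACs permitted to forward traffic arriving on eth2
# (the equivalent of a maclist entry for that interface).
MACLIST = {"eth2": {"00:11:22:33:44:01", "00:11:22:33:44:02"}}

# Constructed external address (RFC 5737 documentation range).
EXTERNAL_IP = "203.0.113.5"


def forward_chain(pkt: Packet) -> bool:
    """FORWARD: allowlist check on the original frame's source MAC."""
    allowed = MACLIST.get(pkt.in_iface)
    if allowed is not None and pkt.src_mac not in allowed:
        pkt.trace.append("FORWARD: DROP (src MAC not in maclist)")
        return False
    pkt.trace.append("FORWARD: ACCEPT")
    return True


def postrouting_chain(pkt: Packet) -> None:
    """POSTROUTING: masquerade traffic leaving eth0 by rewriting src_ip only."""
    if pkt.out_iface == "eth0":
        pkt.src_ip = EXTERNAL_IP
        pkt.trace.append("POSTROUTING: SNAT src_ip -> " + EXTERNAL_IP)


def traverse(pkt: Packet) -> str:
    """Traversal order for a forwarded packet: PREROUTING -> routing ->
    FORWARD -> POSTROUTING.  Returns the final verdict."""
    pkt.trace.append("PREROUTING")
    pkt.trace.append("routing decision: out via " + pkt.out_iface)
    if not forward_chain(pkt):
        return "DROP"          # never reaches POSTROUTING, so no SNAT
    postrouting_chain(pkt)
    return "ACCEPT"


def run_demo():
    """Forward one listed and one unlisted client through the model."""
    listed = Packet("eth2", "eth0", "00:11:22:33:44:01",
                    "192.168.1.10", "198.51.100.20")
    unlisted = Packet("eth2", "eth0", "00:11:22:33:44:99",
                      "192.168.1.11", "198.51.100.20")
    verdicts = (traverse(listed), traverse(unlisted))
    return verdicts, listed, unlisted


if __name__ == "__main__":
    (v1, v2), p1, p2 = run_demo()
    for verdict, pkt in ((v1, p1), (v2, p2)):
        print(pkt.src_mac, verdict)
        for line in pkt.trace:
            print("   ", line)
```

In the model, the listed client's packet is accepted by FORWARD with its original MAC and only afterwards gets its source IP rewritten; the unlisted client's packet is dropped in FORWARD and never reaches SNAT. Neither packet's `src_mac` changes at any point, which is why a maclist check placed in FORWARD cannot be confused by masquerading.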