On Sun, Feb 27, 2011 at 5:59 AM, E.S. Rosenberg <esr+fwbuilder@g.jct.ac.il> wrote:
Hi Vadim,
Sorry it took me a while to answer.
The rule is implementing a transparent proxy for a group of hosts that are set to MAC matching.
The generated code looks like this:

    $IPTABLES -t nat -A PREROUTING  -p tcp -m tcp  -m mac --mac-source 00:40:ca:xx:xx:xx -s   --dport 80 -j DNAT --to-destination
    $IPTABLES -t nat -A PREROUTING  -p tcp -m tcp  -m mac --mac-source 00:40:ca:xx:xx:xx -s   --dport 80 -j DNAT --to-destination

The MAC addresses are equal to the MAC of the last host in the group/list.

I attached what the rule looks like in fwb.

I am trying to understand the problem. Are you saying the generated iptables commands match the same MAC address 00:40:ca:xx:xx:xx but different IP addresses, and this MAC address is taken from one of the hosts that belong to the group?

If so, please open bug report.
I tried creating a small firewall that would have the same situation but my quick attempt failed. Could it be that the fact that this is based on an older version of fwb that has been updated a bunch of times is messing me up?

no, this has nothing to do with upgrades.


Thanks and best regards,
Eli Rosenberg

2011/2/5 Vadim Kurland <vadim@netcitadel.com>

On Sat, Feb 5, 2011 at 10:39 AM, E.S. Rosenberg <esr+fwbuilder@g.jct.ac.il> wrote:
First of all thanks for the great product/project!
I have had a small problem for a while now.
I built a firewall with fwb that also does NAT for a bunch of hosts that have MAC matching turned on.
In the NAT part of the rules that get generated, the MAC of all the IP addresses is set to the MAC of the last host in the object group.
To fix it I manually change the generated script.

It is unclear what the rule looks like. If this seems to be a bug, please open a bug report on SourceForge and attach a small .fwb file that illustrates the problem.

Note that iptables can match only source MAC address in the packet and only in some chains. This means not all NAT rules can actually match MAC addresses. However I think if you were to run into one of the unsupported configurations, either fwbuilder or iptables would give you an error.

Also at home I created some match uid/gid policies by hand with iptables, is there a way to do that in fwbuilder? I saw that I could create an object that was a user, but the rule it generated didn't look like it was enforcing uid (though I only had time to test it very superficially), I didn't see a way to create an object that's a group (gid/group name).

Rules using the UserService object translate into iptables commands using the "owner" module. It looks something like this:

$IPTABLES -A OUTPUT -m owner --uid-owner 2000  -m state --state NEW  -j ACCEPT

We currently do not have an object to match a group, but you can use a CustomService object to do it.
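As an added illustration (not fwbuilder's generated code and not something anyone in the thread posted), here is a small POSIX shell script that emits the rules the two replies describe: one nat/PREROUTING DNAT rule per host, each carrying that host's own source MAC instead of the last host's, and owner-module rules for a uid and a gid. The host IPs and MACs, the proxy address and the uid/gid values are constructed, and the assumption that a CustomService object simply carries the literal `-m owner --gid-owner` option string is mine, not the project's documentation.

```shell
#!/bin/sh
# Added example, not part of fwbuilder or the thread. It only prints
# iptables commands, the way a generated fwbuilder script would; nothing
# is executed, so it runs unprivileged and offline.

IPTABLES="${IPTABLES:-/sbin/iptables}"

# Constructed host list, "ip mac" per line. Addresses are made up.
HOSTS='192.0.2.10 00:40:ca:00:00:01
192.0.2.11 00:40:ca:00:00:02
192.0.2.12 00:40:ca:00:00:03'

# gen_mac_dnat_rules PROXY_IP:PORT
# Emits one rule per host with that host's own MAC. The mac match can only
# test the *source* MAC and only in chains that still see the original
# frame (PREROUTING, INPUT, FORWARD), so a MAC-matched transparent proxy
# has to live in nat/PREROUTING; a POSTROUTING SNAT rule could not use it.
gen_mac_dnat_rules() {
    proxy="$1"
    printf '%s\n' "$HOSTS" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        printf '%s -t nat -A PREROUTING -p tcp -m tcp -m mac --mac-source %s -s %s --dport 80 -j DNAT --to-destination %s\n' \
            "$IPTABLES" "$mac" "$ip" "$proxy"
    done
}

# check_mac_rules
# Succeeds (exit 0) only if every emitted rule carries a distinct MAC, i.e.
# the symptom from the thread (all rules sharing the last host's MAC) is
# absent from the output.
check_mac_rules() {
    rules=$(gen_mac_dnat_rules 192.0.2.1:3128)
    total=$(printf '%s\n' "$rules" | grep -c -- '--mac-source')
    distinct=$(printf '%s\n' "$rules" \
        | sed -n 's/.*--mac-source \([^ ]*\).*/\1/p' | sort -u | grep -c .)
    [ "$total" -eq 3 ] && [ "$total" -eq "$distinct" ]
}

# gen_owner_rules UID GID
# The owner match only sees locally generated packets, so it is valid in
# OUTPUT (and nat/POSTROUTING), never in PREROUTING or FORWARD. The first
# line is the shape a UserService object produces; the second is the
# group equivalent, which is what a CustomService object would carry
# (assumed here to hold the literal "-m owner --gid-owner N" string).
gen_owner_rules() {
    uid="$1"
    gid="$2"
    printf '%s -A OUTPUT -m owner --uid-owner %s -m state --state NEW -j ACCEPT\n' "$IPTABLES" "$uid"
    printf '%s -A OUTPUT -m owner --gid-owner %s -m state --state NEW -j ACCEPT\n' "$IPTABLES" "$gid"
}

# Stand-alone run: print both rule sets for review.
gen_mac_dnat_rules 192.0.2.1:3128
gen_owner_rules 2000 1000
```

Running the script prints the six commands; `check_mac_rules` is the quick sanity test to run against any generated script before loading it, since a NAT rule set where every `--mac-source` is identical silently lets only one host through the proxy and sends the rest straight out.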