On Sat, Feb 5, 2011 at 10:39 AM, E.S. Rosenberg <firstname.lastname@example.org>
> First of all, thanks for the great product/project!
> I have had a small problem for a while now.
> I built a firewall with fwb that also does NAT for a bunch of hosts that have MAC matching turned on.
> In the NAT part of the rules that get generated, the MAC of all the IP
> addresses is set to the MAC of the last host in the object group.
> To fix it I manually change the generated script.
It is unclear how the rule looks. If this seems to be a bug, please open a bug report on SourceForge and attach a small .fwb file that illustrates the problem.
Note that iptables can match only the source MAC address in the packet, and only in some chains. This means not all NAT rules can actually match MAC addresses. However, I think if you were to run into one of the unsupported configurations, either fwbuilder or iptables would give you an error.
> Also at home I
> created some match uid/gid policies by hand with iptables, is there a
> way to do that in fwbuilder? I saw that I could create an object that
> was a user, but the rule it generated didn't look like it was enforcing
> uid (though I only had time to test it very superficially), I didn't see
> a way to create an object that's a group (gid/group name).
Rules using the UserService object translate into iptables commands using the "owner" module. It looks something like this:
$IPTABLES -A OUTPUT -m owner --uid-owner 2000 -m state --state NEW -j ACCEPT
We currently do not have an object to match a group, but you can use a CustomService object to do it.
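The two points raised in this thread (a MAC match that only works in some chains, and an owner match for uid or gid) can be checked with a small shell script. This is an added example, not fwbuilder's generated code or anything from the project: it prints the iptables commands instead of running them, and it refuses to build a rule in a chain where the match module does not apply. The chain restrictions come from the iptables-extensions man pages (the mac match is meaningful only in PREROUTING, FORWARD and INPUT; the owner match only in OUTPUT and POSTROUTING). The IP addresses and MACs are constructed sample values, and the --gid-owner rule is the hand-written equivalent of what the reply above suggests doing with a CustomService object.

```shell
#!/bin/sh
# Added example, not fwbuilder output: build iptables "mac" and "owner" match
# rules only in chains where iptables accepts them. Rules are printed, not run.
IPTABLES=${IPTABLES:-/sbin/iptables}

# chain_allowed CHAIN "LIST OF CHAINS": returns 0 if CHAIN is in the list
chain_allowed() {
    for c in $2; do
        [ "$1" = "$c" ] && return 0
    done
    return 1
}

# mac_rule TABLE CHAIN SRC_IP SRC_MAC TARGET
# --mac-source only sees the Ethernet source of an incoming frame, so it is
# valid in PREROUTING, FORWARD and INPUT. A DNAT rule in nat/PREROUTING can
# carry it; a SNAT/MASQUERADE rule in nat/POSTROUTING cannot.
mac_rule() {
    table=$1; chain=$2; ip=$3; mac=$4; target=$5
    if ! chain_allowed "$chain" "PREROUTING FORWARD INPUT"; then
        echo "mac_rule: --mac-source not supported in chain $chain" >&2
        return 1
    fi
    printf '%s -t %s -A %s -s %s -m mac --mac-source %s -j %s\n' \
        "$IPTABLES" "$table" "$chain" "$ip" "$mac" "$target"
}

# owner_rule CHAIN uid|gid ID TARGET
# The owner match looks at the local process that created the packet, so it
# is valid only in OUTPUT and POSTROUTING.
owner_rule() {
    chain=$1; kind=$2; id=$3; target=$4
    if ! chain_allowed "$chain" "OUTPUT POSTROUTING"; then
        echo "owner_rule: -m owner not supported in chain $chain" >&2
        return 1
    fi
    case $kind in
        uid) opt=--uid-owner ;;
        gid) opt=--gid-owner ;;
        *) echo "owner_rule: kind must be uid or gid" >&2; return 1 ;;
    esac
    printf '%s -A %s -m owner %s %s -m state --state NEW -j %s\n' \
        "$IPTABLES" "$chain" "$opt" "$id" "$target"
}

# Demo: one rule per host with that host's own MAC (constructed sample values),
# one uid rule, one gid rule, and one deliberately unsupported combination.
demo() {
    mac_rule nat PREROUTING 192.0.2.10 00:11:22:33:44:55 ACCEPT
    mac_rule nat PREROUTING 192.0.2.11 00:11:22:33:44:66 ACCEPT
    owner_rule OUTPUT uid 2000 ACCEPT
    owner_rule OUTPUT gid 3000 ACCEPT
    # Rejected: POSTROUTING never has a usable source MAC to match on.
    mac_rule nat POSTROUTING 192.0.2.10 00:11:22:33:44:55 MASQUERADE || true
}

case "${1:-}" in
    demo) demo ;;
esac
```

Run it as `sh build_rules.sh demo` (a hypothetical file name) to see the four accepted rules on stdout and the rejected POSTROUTING rule reported on stderr.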