From: Tom E. <te...@sh...> - 2005-02-09 18:12:58
Benjamin Lerman wrote:
>>Netfilter 'mac' match is only capable of matching on the source MAC
>>address. Hence, only incoming packets may be matched. You can cause all
>>incoming packets on 'maclist' interfaces to be checked by removing "-m
>>state --state NEW" from line 2079 (version 2.2.0).
>
>
> Thank you very much, it works perfectly.

The goal of Shorewall MAC filtration is to prevent unknown systems from
attaching to a LAN segment then connecting to services at or through the
firewall. The current implementation meets that goal at a fraction of
the cost of the code that you are now running.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ te...@sh...
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key