Florian Weimer wrote:
> ...
> It seems that shorewall generates an ACL that ACCEPTs all traffic once
> a MAC rule matches. Further rules are not considered. The
> explanations in version 2.2.3 seem to indicate that this was the
> intended behavior, but its implications surprised upstream, and a
> corrected version was released.
That's not an accurate summary of the Shorewall team's stance. It is a simple bug. When someone uses MAC filtering in their firewall rules, it was always intended that a system which passed the MAC filter still be subject to the other rules (IP & port filters). It was not merely surprising behaviour, it was incorrect behaviour. If it was just a documentation issue, Tom would have released corrected documentation rather than a corrected script.

-- 
Paul <http://paulgear.webhop.net>
-- 
Did you know? Using HTML email (or "Rich Text" email) rather than plain text is less efficient, and makes you more vulnerable to security flaws in your computer software. Learn more about securing your computer at <http://www.kb.cert.org/vuls/id/713878>.
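The distinction discussed in this thread (a MAC check that terminates with ACCEPT versus one that merely gates and then lets the IP/port rules run) is shown below as an added example. It is not Shorewall's code and does not reproduce the 2.2.3 script; it is a small model of iptables chain traversal with a user chain for MAC verification. The chain names, the allowed MAC, the admin network and the port rule are all assumed for illustration. The "buggy" wiring jumps to a MAC chain whose match target is ACCEPT, so a packet from a known MAC never reaches the port rule; the "fixed" wiring uses RETURN for the match and DROP for everything else, so a known MAC is only admitted to the rest of the ruleset.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    dport: int


@dataclass(frozen=True)
class Rule:
    match: Callable[[Packet], bool]
    target: str  # "ACCEPT", "DROP", "RETURN", or the name of a user chain


Chains = Dict[str, List[Rule]]


def walk(chains: Chains, name: str, pkt: Packet, policy: str, top: bool) -> Optional[str]:
    """Evaluate chain `name` for `pkt` with netfilter-like semantics.

    ACCEPT/DROP terminate evaluation. RETURN (or falling off the end of a
    user chain) hands control back to the calling chain, so later rules
    there are still evaluated. In the built-in chain, RETURN or falling off
    the end yields the chain policy.
    """
    for rule in chains[name]:
        if not rule.match(pkt):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        if rule.target == "RETURN":
            return policy if top else None
        verdict = walk(chains, rule.target, pkt, policy, top=False)
        if verdict is not None:
            return verdict  # the jumped-to chain decided
    return policy if top else None


def verdict(chains: Chains, pkt: Packet, policy: str = "DROP") -> str:
    return walk(chains, "INPUT", pkt, policy, top=True)


# Assumed example data, not from the thread.
ALLOWED_MACS = {"00:11:22:33:44:55"}
ADMIN_NET = "192.168.1."


def build_chains(mac_match_target: str) -> Chains:
    """Build INPUT plus a MAC-verification chain; only the match target differs."""
    maclist = [
        Rule(lambda p: p.src_mac in ALLOWED_MACS, mac_match_target),
        Rule(lambda p: True, "DROP"),  # unknown MAC: reject outright
    ]
    input_chain = [
        Rule(lambda p: True, "maclist"),  # every packet is MAC-checked first
        # The IP/port filter that should still apply after the MAC check:
        Rule(lambda p: p.src_ip.startswith(ADMIN_NET) and p.dport == 22, "ACCEPT"),
    ]
    return {"INPUT": input_chain, "maclist": maclist}


BUGGY = build_chains("ACCEPT")  # MAC match short-circuits the whole ruleset
FIXED = build_chains("RETURN")  # MAC match only admits the packet to later rules


def compare(pkt: Packet) -> Dict[str, str]:
    return {"buggy": verdict(BUGGY, pkt), "fixed": verdict(FIXED, pkt)}


if __name__ == "__main__":
    for pkt in (
        Packet("00:11:22:33:44:55", "192.168.1.10", 22),  # known MAC, allowed port
        Packet("00:11:22:33:44:55", "192.168.1.10", 23),  # known MAC, telnet
        Packet("00:11:22:33:44:55", "10.0.0.5", 22),      # known MAC, foreign IP
        Packet("de:ad:be:ef:00:01", "192.168.1.10", 22),  # unknown MAC
    ):
        print(pkt, compare(pkt))
```

With the terminating ACCEPT, a host that passes the MAC check can reach any port from any address, which is the behaviour the thread calls a bug; with RETURN the MAC check is a prerequisite and the port rule still decides.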