On 10/11/19 1:51 AM, Vieri Di Paola wrote:
> On Thu, Oct 10, 2019 at 6:37 PM Tom Eastep <teas...@shorewall.net> wrote:
>
>>> This other rule seems to work:
>>>
>>> ACCEPT lan12,lan13:~00-E3-C0-5F-81-5D
>>> soc,s100 all
>>
>> MAC addresses may only be used in the SOURCE column -- a careful reading
>> of shorewall-rules(5) should make that clear.
>
> In my previous examples, I've always used the MAC addresses only in
> the SOURCE column.
>
> One of my examples was:
> ACCEPT $FW:~00-E3-C0-5F-81-5D soc,s100 all
>
> The MAC addr. is in the SOURCE column.
> However, I'm getting this error from "shorewall check":
>
> ERROR: A MAC address(~00-E3-C0-5F-81-5D) cannot be used in this context
>
> Replacing $FW with 'all' yields the same error (in the SOURCE column).
>
> Using any other zone does not produce this error message.
>

You can't use it in the OUTPUT chain either -- the source MAC address
isn't assigned until the packet is about to be put on the wire.

-Tom
--
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
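
The check discussed in this thread, as an added example that is not part of the original messages and is not Shorewall's own code: a small Python linter that flags rules lines where a MAC address sits outside the SOURCE column or is attached to `$FW` or `all` as the source. It assumes whitespace-separated columns in ACTION SOURCE DEST order; the names `lint_rule`, `NO_MAC_SOURCES` and `SAMPLE_RULES` are hypothetical, and the fourth sample rule is constructed.

```python
import re

# MAC in the notation used in the thread: '~' then six hex pairs joined by '-'.
MAC_RE = re.compile(r"~(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}")

# Sources the thread reports as rejected with a MAC: traffic from these
# leaves through the OUTPUT chain, where no source MAC has been assigned yet.
NO_MAC_SOURCES = {"$FW", "all"}


def lint_rule(line):
    """Return a list of problems for one rules line (ACTION SOURCE DEST ...)."""
    cols = line.split("#", 1)[0].split()  # drop trailing comment, split columns
    if len(cols) < 3:
        return []
    problems = []
    # Any column other than SOURCE (index 1) must not carry a MAC address.
    for idx, col in enumerate(cols):
        if idx != 1 and MAC_RE.search(col):
            problems.append(f"column {idx + 1}: MAC address outside SOURCE")
    # SOURCE may be a comma-separated list; each item is zone[:host-or-MAC].
    for item in cols[1].split(","):
        zone, _, host = item.partition(":")
        if zone in NO_MAC_SOURCES and MAC_RE.search(host):
            problems.append(f"SOURCE {zone}: MAC address cannot be matched")
    return problems


# First three rules are quoted from the thread; the fourth is constructed.
SAMPLE_RULES = [
    "ACCEPT lan12,lan13:~00-E3-C0-5F-81-5D soc,s100 all",
    "ACCEPT $FW:~00-E3-C0-5F-81-5D soc,s100 all",
    "ACCEPT all:~00-E3-C0-5F-81-5D soc,s100 all",
    "ACCEPT lan12 soc:~00-E3-C0-5F-81-5D all",
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        issues = lint_rule(rule)
        print(("FAIL " if issues else "ok   ") + rule)
        for issue in issues:
            print("     -> " + issue)
```

This only mirrors the behaviour reported in the thread; `shorewall check` remains the authoritative validation.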