Bo Yang wrote:

> > I'd like to request that the mac match not be allowed in the FORWARD chain
> > as it does not function the way that some may think.
> >
> > The tests I've performed indicate that the match will match the MAC address
> > of the transmitting interface (not what one would expect if attempting to
> > allow based on the MAC address of the sender and blocking all other
> > packets)
> >
> > I'd like to hear comments about this. If it is not feasible to do this, I'd
> > recommend adding text to the man page so that others do not fall into the
> > same problem I did.
> >
> > I have already worked around this problem in my setup.
>
> MAC address is some concept in the link layer, so how do
> you get the packet sender MAC if the packet is routed to your
> box through some other routers?

I understand. However, the machine I was using for this was directly connected to both systems. There were no other routers. Take this for instance:

Box A -> (eth1)firewall/router(eth0) -> Box B

firewall/router does not trust eth1 and uses MAC addresses to allow access, so it does this:

-I FORWARD -j ACCEPT -i eth1 -m mac --mac-source BOXAMAC
-I FORWARD -j DROP -i eth1

firewall/router knows the MAC of both Box A and B (obviously, Box A doesn't know Box B's MAC and vice versa). Consider the above the only rules in the firewall; Box A and B have no rules at all.

Box A pings Box B and fails. The reason is the mac test above is seeing the MAC of eth0, not of Box A. This is what I'm referring to, and I had to add a MARK rule in PREROUTING to mark packets that I want to allow and then allow in the FORWARD chain based upon the mark.

--
Lab tests show that use of micro$oft causes cancer in lab animals
Got Gas???
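The workaround the poster describes (classify by source MAC in mangle/PREROUTING, decide in FORWARD on the mark), as an added example that is not part of the original thread; the interface name, MAC address and mark value are placeholders passed in as arguments, and the script only prints the iptables commands rather than applying them:

```shell
#!/bin/sh
# Added example (not from the original post): generate the MARK-in-PREROUTING
# rule set that lets FORWARD allow traffic from one directly attached sender.
# Arguments are placeholders; nothing is applied, the commands are printed.

# Accept only a canonical colon-separated MAC so a typo cannot silently
# produce a rule that never matches (and therefore drops everything).
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# $1 = untrusted inbound interface (e.g. eth1)
# $2 = MAC address of the one sender allowed to be forwarded
# $3 = mark value carried from the mangle table to the filter table (default 1)
mac_mark_rules() {
    iface=$1; mac=$2; mark=${3:-1}
    valid_mac "$mac" || { echo "mac_mark_rules: bad MAC '$mac'" >&2; return 1; }
    # Match the frame's source MAC as early as possible, in mangle/PREROUTING,
    # and record the decision as a packet mark. Only meaningful when the
    # sender sits on the same link as $iface: the source MAC of a routed
    # packet is the previous hop's, not the original sender's.
    echo "iptables -t mangle -A PREROUTING -i $iface -m mac --mac-source $mac -j MARK --set-mark $mark"
    # FORWARD then decides on the mark alone. Use -A (append) so the ACCEPT
    # rule is evaluated before the catch-all DROP for the same interface.
    echo "iptables -A FORWARD -i $iface -m mark --mark $mark -j ACCEPT"
    echo "iptables -A FORWARD -i $iface -j DROP"
}

# Count the rules a call produces; 3 on success, 0 when the MAC is rejected.
rule_count() {
    mac_mark_rules "$@" 2>/dev/null | grep -c '^iptables'
}
```

Pipe the output into `sh` on the router to apply it; the mark value must not collide with marks used elsewhere in the mangle table.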