Florian Weimer wrote: > ... > # When a new connection arrives from a 'maclist' interface, the packet passes > # through then list of entries for that interface in /etc/shorewall/maclist. If > # there is a match then the source IP address is added to the 'Recent' set for > # that interface. Subsequent connection attempts from that IP address occuring > # within $MACLIST_TTL seconds will be accepted without having to scan all of > # the entries. [...] > > Highly ambiguous at best. 8-( It makes perfect sense to me... All it's saying is that IP-to-MAC mappings are cached in the 'Recent' set for each interface for $MACLIST_TTL seconds without requiring them to be passed through the MAC filter for every packet. > The behavior of the MAC filter is not documented at all. http://www.shorewall.net/MAC_Validation.html "Not documented at all" is not a phrase i've *ever* heard used about Shorewall. > Anyway, this subthread won't lead us to a DSA. Tomorrow, I'm going to > set up shorewall in my lab and reproduce the bug. Hopefully that's > more productive (in some weird sense, of course). What you do in your lab is up to you, but isn't that a bit of a waste of time when Lorenzo has already done it? He just told me that he sent the results of his testing to the security team in his original request for a DSA. -- Paul <http://paulgear.webhop.net> -- Did you know? If you receive a virus warning from a friend and not through a virus software vendor, it's likely to be a hoax. See <http://gear.dyndns.org:81/features/virus_hoaxes> for more info.
Attachment:
signature.asc
Description: OpenPGP digital signature