About the machine managment

Hey Nethservers, thanks for the opportunity, i just got know about the NethServer 7.7 today and i am downloading the ISO to install, I am excited about all the features that i have read already but i do not know because i didnt see about the machine managment, and machine groups, wich allow me to creat a range of network machines and manage them with MAC address restriction just for the security of network access. Thanks I hope it is not a mediocre doubt because I have not installed it yet or looked for this particularity, but if I want to leave the server I use to switch to nethserver I really need to know if this feature exist, or something that can help me with.

Best regards

1 Like

Hi @Cisqo_Timoteo,
welcome to the community.
You can manage the samba server from a windows PC with RSAT tools. Here you can build groups, but I don’t know how to use the computer groups with firewall rules. Perhaps @support_team can help more.

Restriction about what services do want to manage?
Squid, Samba, DHCP,…?

Hi @flatspin thanks for the support, i need this for proxy and DHCP service.

Hi, @m.traeumner thanks for the support it is a good idea i will see what i can do. thanks.

You can do DHCP IP reservation and set how the firewall should behave based on MAC validation.

Check some info from the docs:

IP/MAC binding

When the system is acting as DHCP server, the firewall can use the list of DHCP reservations to strictly check all traffic generated from hosts inside local networks. When IP/MAC binding is enabled, the administrator will choose what policy will be applied to hosts without a DHCP reservation. The common use is to allow traffic only from known hosts and block all other traffic. In this case, hosts without a reservation will not be able to access the firewall nor the external network.

IP/MAC binding

When MACValidation option is enabled, the firewall analyzes all the traffic based on a well-known list of IPs associated to MAC addresses. If the host generating the traffic is not inside the list, MACValidationPolicy will be applied. The list of IP/MAC association is created from DHCP reservations.

Thus, enabling MACValidation and leaving MACValidationPolicy set to drop, will block all traffic from hosts without a DHCP reservation.

For DHCP there is another possible way with a dnsmasq option dhcp-ignore=tag:!known.

You can create a template-custom in /etc/e-smith/templates-custom/etc/dnsmasq.conf with

cat > /etc/e-smith/templates-custom/etc/dnsmasq.conf/33mac.filtering  <<  EOL

# 33 mac-filtering
# Ignore any clients which are not specified in dhcp-host lines
# or /etc/ethers. Equivalent to ISC "deny unknown-clients".
# This relies on the special "known" tag which is set when
# a host is matched.


(be aware that dnsmasq.conf is a directory)

then expand-template /etc/dnsmasq.conf and systemctl restart dnsmasq

With the file /etc/ethers you can controll mac-adresses

For details see:

1 Like

Hi, @dnutan thanks for the support…i will see if it works