Firewall Wizards mailing list archives
Re: Blocking at firewall via MAC address
From: "Mark Coleman" <mcoleman () uniontown com>
Date: Fri, 14 Dec 2001 10:53:17 -0800
Hi, you probably already know that MAC addresses are stripped as packets pass through routers. All MAC addresses incoming to your network from the Internet will possess the MAC of the last upstream router. Are all of your laptops physically connected to the network that is also attached to the outside interface of your firewall? That's the only way this will be effective.

Also note that I have an application called EITHER that will let you choose your MAC address on Win9X machines for a network interface. Using MAC address filtering is not much better than IP filtering, except that spoofing at layer 2 requires that the spoofer be physically connected to your firewall's outside connected network, not on the other side of a router. But this is where your users are anyway if you are asking this question, right?

NEVER RELY ON NON-SECURITY DEVICES FOR SECURITY PURPOSES. If you place a switch on the interface that blocks MAC addresses, you are only protected to the level that the switch can be compromised with one of these backdoor passwords like NBase and others used to have, for example. Use a security device to do a security task.

I have had good success with Linux by turning off ARP on the interface, and specifically ADDING entries of devices that were allowed to talk. YOU HAVE TO ADD THE LINUX TO THE OTHER MACHINE TOO, as turning off ARP on an interface makes it not send OR receive ARP traffic; others won't see YOUR MAC address otherwise.

Hope this helps you!

-Mark Coleman

----- Original Message -----
From: B. Scott Harroff <Scott.Harroff () att net>
To: <firewall-wizards () nfr com>
Sent: Thursday, December 13, 2001 11:10 AM
Subject: [fw-wiz] Blocking at firewall via MAC address

A business partner has a security requirement that only pre-identified and approved laptops (identified by MAC address acting as a physical token) can access a network behind a firewall. Identification and blocking by IP address alone is not acceptable as it could be too easily changed by a user to match the IP address of an approved machine.

This could be done by placing a smart switch that only allows certain MACs on certain ports to communicate with the firewall. The other (cost preferable) option would be to have the firewall block communications from all but machines with approved MAC and IP addresses.

Does anyone have a solution on how to block via MAC address with OpenBSD?

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
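The static-ARP setup Mark describes (ARP off on the outside interface, one permanent entry per approved laptop, and a matching entry on each laptop for the firewall), written out as an added example. This is not code from the thread or from either poster; the interface name eth0, the allowlist file format, and the helper names plan, apply and client_cmd are all assumptions made here. It uses the net-tools commands ifconfig -arp and arp -s of the period; the iproute2 equivalents are noted in the comments.

```shell
#!/bin/sh
# Added example (not code from the original thread): pin an allowlist of
# IP/MAC pairs on a Linux firewall's outside interface as the reply above
# describes: disable ARP on the interface, then add a permanent ARP entry
# for every approved laptop. Assumptions, none of which come from the post:
# the interface name is $IFACE (default eth0); the allowlist is a text file
# with one "IP MAC" pair per line and '#' comments; the net-tools commands
# "ifconfig <if> -arp" and "arp -i <if> -s IP MAC" are used (on iproute2
# systems the equivalents are "ip link set dev <if> arp off" and
# "ip neigh replace IP lladdr MAC dev <if> nud permanent").

IFACE="${IFACE:-eth0}"

# valid_mac MAC: true for six colon-separated hex octets (case-insensitive)
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# valid_ip IP: true for a dotted quad (syntax only; octet range not checked)
valid_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# plan FILE: print the commands that pin FILE's entries on $IFACE.
# Every entry is validated first; a malformed line, or an IP or MAC that
# appears twice, makes plan print nothing and return 1, so a typo cannot
# leave the interface with ARP off and half the laptops missing.
plan() {
    file="$1"; bad=0; seen=""
    while read -r ip mac rest; do
        case "$ip" in ''|'#'*) continue ;; esac
        if ! valid_ip "$ip" || ! valid_mac "$mac"; then
            echo "plan: malformed entry: $ip $mac" >&2; bad=1; continue
        fi
        mac=$(lower "$mac")
        case " $seen " in
            *" $ip "*|*" $mac "*) echo "plan: duplicate IP or MAC: $ip $mac" >&2; bad=1 ;;
        esac
        seen="$seen $ip $mac"
    done < "$file"
    [ "$bad" -eq 0 ] || return 1

    echo "ifconfig $IFACE -arp"
    while read -r ip mac rest; do
        case "$ip" in ''|'#'*) continue ;; esac
        echo "arp -i $IFACE -s $ip $(lower "$mac")"
    done < "$file"
}

# apply FILE: run the plan (needs root). Touches nothing if plan fails.
apply() {
    plan "$1" > /dev/null || return 1
    plan "$1" | sh -e
}

# client_cmd FW_IP FW_MAC: the entry each approved laptop needs in turn,
# because an interface with ARP off never answers "who has FW_IP?" and
# never asks, so the laptop would otherwise never learn the firewall's MAC.
client_cmd() {
    valid_ip "$1" && valid_mac "$2" || return 1
    echo "arp -s $1 $(lower "$2")"
}

# ./arp-pin.sh plan allowlist.txt   ->  show the commands
# ./arp-pin.sh apply allowlist.txt  ->  run them (as root)
case "${1:-}" in
    plan|apply) "$1" "$2" ;;
esac
```

The check this buys is exactly the one the reply states: the firewall will only exchange frames with the listed IP/MAC pairs on that segment, and IP filtering alone no longer helps a user who just changes their address. It does not change the other point made above: a machine on the same segment that sets both the IP and the MAC of an approved laptop (with a tool like the one Mark mentions) still matches, which is why the static entries are a physical-presence check rather than authentication.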
Current thread:
- Re: Blocking at firewall via MAC address, (continued)
- Re: Blocking at firewall via MAC address Stephen P. Berry (Dec 16)
- Re: Blocking at firewall via MAC address Mark Brown (Dec 17)
- Re: Blocking at firewall via MAC address R. DuFresne (Dec 16)
- Re: Blocking at firewall via MAC address B. Scott Harroff (Dec 16)
- Re: Blocking at firewall via MAC address Ryan McBride (Dec 17)
- Re: Blocking at firewall via MAC address Paul Cardon (Dec 17)
- Re: Blocking at firewall via MAC address David Lang (Dec 17)
- Re: Blocking at firewall via MAC address Patrick Darden (Dec 17)
- potential network attacks Daniel Handley (Dec 14)
- Re: potential network attacks black (Dec 15)
- Re: potential network attacks Paul Robertson (Dec 16)
- RE: potential network attacks Wayne T Work (Dec 15)
- RE: potential network attacks John Adams (Dec 16)