Date: Mon, 31 Dec 2001 22:10:48 +0100
From: "Alson van der Meulen" <alm@flutnet.org>
To: freebsd-isp@freebsd.org
Subject: Re: access restriction by MAC
Message-ID: <20011231221048.C3448@alm.xs4all.nl>
In-Reply-To: <NEBBIGLHNDFEJMMIEGOOIELOEGAA.peter@skyrunner.net>
References: <NEBBIGLHNDFEJMMIEGOOIELOEGAA.peter@skyrunner.net>

Peter Brezny(peter@skyrunner.net)@2001.12.31 09:02:46 +0000:
> I'm looking for a way to restrict connectivity by mac address.
>
> Any suggestions on this?
>
> Ideally, a package that integrated usage based billing would be
> superb, but I'd settle just for something that would only allow access
> to specific mac addresses.

I recommend against using MAC addresses for authentication, since it's
quite easy to change them, just like IP addresses (look at the lladdr
option in ifconfig(8)). The only way it might be useful is to force
certain MAC on certain switch ports, but it would still only mean it
comes from that particular switch port. If you can't control the
switches it's connected to, using MAC addresses for firewalling/billing
is near to useless, since it's just as spoofable as an IP address.

If you control all the client hosts, just filter/bill by IP address,
and hope the users don't change the IP address. (Even arpwatch is
rather useless against 'intruders', since they could just use a valid
MAC/IP pair.)

> Is there a way to implement this with ipfw?

ipfw is, as the name implies, IP firewall. MAC addresses are on the
link-level (ethernet), so filtering by MAC does not belong in the IP
firewalling code IMHO, though Linux' netfilter code does deal with MAC
addresses.

It might be possible to do it with some sysctl knob, and using static
ARP entries. IIRC, there was a thread on a freebsd list on this topic
some time ago, don't remember what list and when though. Searching the
archives might help.

just my 0.02 euro,
Alson
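
An added example, not part of the original message or of any FreeBSD tool: a small audit of ARP-table text against an allowlist of IP/MAC bindings, showing what such a check can flag and why a host presenting a valid pair passes it. The allowlist, the addresses and the sample lines (written in the style of `arp -an` output) are constructed for illustration.

```python
import re

# Constructed allowlist of permitted IP -> MAC bindings (illustrative values).
ALLOWED = {
    "192.0.2.10": "00:a0:c9:11:22:33",
    "192.0.2.11": "00:a0:c9:44:55:66",
}

# Constructed sample in the style of `arp -an` output.
SAMPLE_ARP = """\
? (192.0.2.10) at 0:a0:c9:11:22:33 on fxp0 [ethernet]
? (192.0.2.11) at 00:A0:C9:AA:BB:CC on fxp0 [ethernet]
? (192.0.2.12) at 00:a0:c9:11:22:33 on fxp0 [ethernet]
? (192.0.2.13) at (incomplete) on fxp0 [ethernet]
"""

ARP_LINE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2})\b", re.I)

def normalize(mac):
    """Lower-case and zero-pad each octet so 0:A0:... equals 00:a0:..."""
    return ":".join(f"{int(part, 16):02x}" for part in mac.split(":"))

def parse_arp(text):
    """Return (ip, mac) pairs; unresolved '(incomplete)' entries are skipped."""
    pairs = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            pairs.append((m["ip"], normalize(m["mac"])))
    return pairs

def audit(pairs, allowed):
    """Flag observed pairs that disagree with the allowlist.

    A pair that matches the allowlist is never flagged, whichever machine
    is actually sending with it: the check sees only the claimed addresses.
    """
    allowed = {ip: normalize(mac) for ip, mac in allowed.items()}
    owners = {mac: ip for ip, mac in allowed.items()}
    findings = []
    for ip, mac in pairs:
        if ip in allowed:
            if allowed[ip] != mac:
                findings.append((ip, mac, "mac-mismatch"))
        elif mac in owners:
            findings.append((ip, mac, "known-mac-on-other-ip"))
        else:
            findings.append((ip, mac, "unknown-host"))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_arp(SAMPLE_ARP), ALLOWED):
        print(*finding)
```

The first sample line produces no finding even though nothing proves which machine sent it, which is the limitation the message describes for MAC-based filtering and for arpwatch.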