
RE: PF MAC Filter



Yeah.. and my openbsd box is the router.  I have 2 qfe cards in it.  I'm
just wanting a way to where I can ensure (doesn't have to be 100% mind you)
that only some people can get through the box.  The DHCP server only gives
out static IP Addresses, according to the MAC Address.
I don't want to spend a bunch of time making it 100% secure, but I'm wanting
to accomplish two main things.  Control access a little, and make sure that
someone doesn't give their machine a static IP Address and do network traffic
through the router.
Just a little pre-filtering to stop the ignorant people, and the wanna-be
hackers.
-Shawn
-----Original Message-----
From: Stefan Sonnenberg-Carstens [mailto:s.sonnenberg@coolspot.de]
Sent: Wednesday, February 26, 2003 9:12 AM
To: Shawn Mitchell; pf@benzedrine.cx
Subject: Re: PF MAC Filter
No, it is not possible.
And you should remember that a setup like that can cut you off by mistake;
everyone who had to deal with a Fw-1 and the f***ng arp-cache
should know ...
And another thing:
In Ethernet terms, you can only see MACs on your ethernet segment (e.g. a
router, switch, etc.), so if you have a router in front of your pf firewall,
MAC filtering can only make sure that this is the router you are dealing with.
As far as I remember, you will never see the MACs of hosts BEFORE the
router.
So to me it seems only like some anti-spoofing technique with limited
ability;
Are you sure you want that ?
Perhaps you should specify your intention a bit clearer.
----- Original Message -----
From: "Shawn Mitchell" <shawnm@iodamedia.net>
To: <pf@benzedrine.cx>
Sent: Wednesday, February 26, 2003 10:26 AM
Subject: PF MAC Filter
>
> Is it possible to specify a MAC Address filter?
>
> And just to go ahead and cut off the trolls on MAC Filtering...  I know you
> can change your MAC address.  I don't care that you can.  I'm wanting to
> place a few filters that will stop 98% of the people out there, and put
> something in place to where I can force an IP Address to be used only by a
> specified network interface.
>
>
>