Firewall Wizards mailing list archives

Re: Blocking at firewall via MAC address


From: black () galaxy silvren com
Date: Fri, 14 Dec 2001 12:07:49 -0500 (EST)

Blocking via a MAC address is pointless, unless the laptop is directly
attached to your firewall.

Remember, MAC addresses are LOCAL to the segment, they do not travel
across networks!

If you have:

Wkstn A <----> Router <----> Wkstn B

The only MAC you will see at Wkstn A is the MAC address of the router's
interface -- not Wkstn B!


On Thu, 13 Dec 2001, B. Scott Harroff wrote:

A business partner has a security requirement that only pre-identified and
approved laptops (identified by MAC address acting as a physical token) can
access a network behind a firewall.  Identification and blocking by IP
address alone is not acceptable as it could be too easily changed by a user
to match the IP address of an approved machine.

This could be done by placing a smart switch that only allows certain MACs
on certain ports to communicate with the firewall.  The other (cost
preferable) option would be to have the firewall block communications from
all but machines with approved MAC and IP addresses.

Does anyone have a solution on how to block via MAC address with OpenBSD?

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards


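The point made in the reply above, as an added example that is not part of the original thread: a small Python model of a router rewriting the Ethernet header, and of what a MAC allowlist on the firewall then decides. All names, MAC addresses and IP addresses are constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str

@dataclass(frozen=True)
class Router:
    inside_mac: str   # interface on the laptop segment
    outside_mac: str  # interface on the firewall segment

    def forward(self, frame: Frame, next_hop_mac: str) -> Frame:
        # Routing discards the received Ethernet header and builds a new one:
        # IP addresses are carried through, MAC addresses are not.
        if frame.dst_mac != self.inside_mac:
            raise ValueError("frame is not addressed to this router")
        return replace(frame, src_mac=self.outside_mac, dst_mac=next_hop_mac)

def firewall_verdict(frame: Frame, approved_macs: set) -> str:
    # MAC allowlist as requested in the thread: decide on the source MAC only.
    return "pass" if frame.src_mac in approved_macs else "block"

# Constructed sample addresses (locally administered MACs, RFC 5737 IPs).
FW_MAC = "02:00:00:00:00:01"
ROUTER = Router(inside_mac="02:00:00:00:00:10", outside_mac="02:00:00:00:00:11")
APPROVED_LAPTOP = "02:00:00:00:00:a1"
UNAPPROVED_LAPTOP = "02:00:00:00:00:b2"

def run_scenarios() -> dict:
    approved, results, routed = {APPROVED_LAPTOP}, {}, {}
    # Laptops on the firewall's own segment: the firewall sees their real MACs.
    for name, mac, ip in (("direct_approved", APPROVED_LAPTOP, "192.0.2.10"),
                          ("direct_unapproved", UNAPPROVED_LAPTOP, "192.0.2.11")):
        results[name] = firewall_verdict(Frame(mac, FW_MAC, ip, "198.51.100.5"), approved)
    # Same laptops one routed hop away: every frame arrives with the router's MAC.
    for name, mac, ip in (("approved", APPROVED_LAPTOP, "203.0.113.10"),
                          ("unapproved", UNAPPROVED_LAPTOP, "203.0.113.11")):
        sent = Frame(mac, ROUTER.inside_mac, ip, "198.51.100.5")
        routed[name] = ROUTER.forward(sent, FW_MAC)
        results["routed_" + name] = firewall_verdict(routed[name], approved)
    # Allowlisting the router's MAC instead admits everything behind it.
    with_router = approved | {ROUTER.outside_mac}
    results["routed_unapproved_router_listed"] = firewall_verdict(routed["unapproved"], with_router)
    results["mac_seen_by_firewall"] = routed["approved"].src_mac
    return results
```

Calling `run_scenarios()` returns the verdict for each case: the allowlist distinguishes laptops only on the directly attached segment, while behind the router it blocks the approved laptop too unless the router's MAC is listed, and listing it passes the unapproved one as well.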

