Re: Blocking at firewall via MAC address

[David Lang <david.lang () digitalinsight com>]

while this isn't a foolproof solution one thing you could do is to use
DHCP to hand out addresses.

create two sets of definitions in DHCP

1. known MAC addresses which are given addresses on the proper subnet
(potentially even fixed addresses per MAC so that you can have static DNS
for these machines as well)

2. unknown MAC addresses which are given addresses on another subnet that
isn't allowed through the firewall

David Lang



 On Sat, 15 Dec 2001, B. Scott Harroff wrote:

> Date: Sat, 15 Dec 2001 16:51:31 -0500
> From: B. Scott Harroff <Scott.Harroff () att net>
> To: firewall-wizards () nfr com
> Subject: Re: [fw-wiz] Blocking at firewall via MAC address
>
> Wizards,
>
> I apologize again for my lack of clarification and apparent growing
> frustration.  I appreciate the Wizards re-confirming my current understating
> of this technique and its limitations. However, my question was not "Please
> inform me of the reasons blocking by MAC address will not work, should not
> be used, or how to circumvent it".
>
> The business partner has a simple requirement - if the laptops MAC address
> does not match a list of predetermined addresses, it does not pass though
> the firewall.  In my opinion this requirement is over design for the
> environment, but I will meet it.
>
> If there is a wizard that knows how to meet this requirement with OpenBSD
> (2.9 or 3.0) / IPFilter, I'd really like to hear from you.   If not, I will
> simply implement a switch that will meet the business partner's requirement.
>
> My apologies in advance if I've offended anyone with my frankness.
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr com
> http://list.nfr.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards