On Thu, May 31, 2012 at 10:54:11AM +0000, Morten Gade Sørensen wrote:
> Hi there
>
> That would be rather impossible, as MAC addresses exist only on Layer 2,
> which are "invisible" from HAproxy (unless the source device and Haproxy are
> in the same broadcast domain/VLAN/subnet).

Also, there is nothing easier than spoofing MAC addresses! I remember a few years ago, we were four in an office with a single RJ45 on the wall, configured with MAC security and filtering to only one MAC. We simply plugged in a switch with MAC learning disabled and all used the same MAC. It worked beautifully since each PC simply ignored destination IP addresses that were not for it. The other common trick consists in routing your traffic via an authorized node (generally the router if you accept remote hosts too).

And the MAC can change multiple times in the middle of a session since it's unrelated to layer 3. So if you apply MAC rules, you need to consider one of the MACs that is seen at one point and that the system reports (e.g. the one of the first ACK packet validating the connection), but it can easily change afterwards without any control.

Netfilter can filter each packet based on the MAC. This allows you to ensure that the source IP the device pretends to be really matches the MAC address it presents. Once you enforce this at the packet level, you can safely use the IP addresses to filter at L3/L4.

Regards,
Willy
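The IP-to-MAC pinning Willy describes in his last paragraph, as an added example that is not part of the thread and not HAProxy's or Netfilter's own code: a small POSIX shell generator that turns an allowlist of "IP MAC" pairs into iptables rules using the real `-m mac --mac-source` match. The allowlist, the `MACPIN` chain name and the addresses are constructed for the example. The script only prints the rules; it applies nothing to the kernel.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): turn an IP-to-MAC
# allowlist into iptables rules that drop any packet whose source IP is
# claimed by a pinned host but whose Ethernet source MAC is not the one
# pinned to that IP. Unlisted source IPs fall through to the usual rules.
# The allowlist below is constructed sample data, not a real network.

ALLOWLIST='192.0.2.10 00:11:22:33:44:55
192.0.2.11 00:11:22:33:44:66'

CHAIN=MACPIN   # hypothetical chain name chosen for this example

# mac_pin_rules: read "IP MAC" lines on stdin, print the iptables commands.
# Output is meant to be reviewed, then run as root or folded into an
# iptables-restore script. The MAC match only exists for packets that
# arrived on a local Ethernet segment (INPUT/FORWARD/PREROUTING); traffic
# coming through a router carries the router's MAC, as the thread notes.
mac_pin_rules() {
    printf 'iptables -N %s\n' "$CHAIN"
    while read -r ip mac; do
        # skip blank lines and comments in the allowlist
        case "$ip" in ''|'#'*) continue ;; esac
        # accept the pinned pair, then drop any other MAC claiming that IP
        printf 'iptables -A %s -s %s -m mac --mac-source %s -j ACCEPT\n' \
            "$CHAIN" "$ip" "$mac"
        printf 'iptables -A %s -s %s -j DROP\n' "$CHAIN" "$ip"
    done
    # finally hook the chain in front of INPUT so every packet is checked
    printf 'iptables -I INPUT -j %s\n' "$CHAIN"
}

# count_rules: number of command lines generated for a given allowlist
count_rules() {
    n=$(printf '%s\n' "$1" | mac_pin_rules | wc -l)
    echo $((n))
}

printf '%s\n' "$ALLOWLIST" | mac_pin_rules
```

Once these rules are loaded on the HAProxy host, an `acl` on `src` in the proxy configuration can again be trusted for hosts on the local segment, because a spoofed source IP with the wrong MAC never reaches the socket.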

