Thanks a lot for your arguments. Nice reading :)
Gabriele.
Gabriele Bulfon - Sonicle S.r.l.
Tel +39 028246016 Int. 30 - Fax +39 028243880
Via Felice Cavallotti 16 - 20089, Rozzano - Milano - ITALY
http://www.sonicle.com
-= Mail sent through WebTop2 =-
From: Jim Klimov
To: [email protected]
Cc: Wayne Rasmussen, Gabriele Bulfon, Jim Sandoz, [email protected]
Date: 10 August 2010 11:41:22 CEST
Subject: Re: RE : mac-address...
Hello, Gabriele et al.
I'm a bit late to the argument, but still would like to add
a couple of cents:
1) As many wrote before me in other words, IPFilter
deals with Layer-3 and -4 protocols (IP / TCP/UDP/...)
while MAC addresses pertain to a different Layer 2,
particularly as implemented by Ethernet FRAMES
(which encapsulate IP PACKETS as their payload
with addition of MAC addresses, etc.).
2) There are many situations where your firewall may
not be in a position to know MAC addresses of hosts -
simply because it lives in a different Ethernet segment.
A basic example is the standard DMZ construct,
where you have a number of internet-facing servers
firewalled from both the internet and the corporate
network.
In some cases the external firewall can deal with NAT
for private LAN addresses - but the separate internal
firewall which routes the packets from LAN to internet
via the external NAT/firewall has already removed the
original MAC addresses, because this is a different
segment, and the same packets are encapsulated into
new frames. And you're lucky if this is also Ethernet,
and not some ATM domain ;)
3) There are also situations where your firewall
deals with IPs (even with dynamically assigned
ones) while there is no Ethernet segment and no
individual MAC addresses in particular.
Two examples I live with daily are:
a] OpenVPN - staff log in from the internet and receive
temporary private IPs (which can be assigned in a
static manner), and then can be NATed to external
networks such as those of supported customers.
MAC addresses in this case can be those of the
firewall host (which also runs the OpenVPN server).
b] VirtualBox on OpenSolaris. Quite often many
VMs can share the MAC address of their host
interface, but still have very different IPs and OSes.
And in the case of Virtual Desktop Infrastructure
they may also get dynamic addresses and require
NAT or filtering.
----
Having said all that, who can stop you from coding
in an architecture to filter MAC addresses in IPFilter? ;)
As a hint, libnet and derived sniffer tools like tcpdump
can display MACs. So it is all possible.
So you should take care to make it expandable
beyond Ethernet, but this seems like a doable quest.
2010-07-31 23:55, Ross Cameron wrote:
On Fri, Jul 30, 2010 at 8:06 PM, Wayne Rasmussen [email protected] wrote:
Doesn't this have to be done at the
router? IIRC, once a packet passes through a router, the
mac address in the packet is set to the mac of the
router.
No, what you're thinking about is NAT (the source IP of the packets
looks like it's the outbound IP of the router).
MAC addresses are obscured as soon as packets are routed.
Plus in 99% of cases the firewall (where original mailer wants to
block traffic based on MAC address) IS routing traffic after a fashion
anyway.
The best way to accomplish what he has in mind is to statically map
certain MAC addresses to certain IPs in the DHCP server and create
rules based on these IPs.
Should you not have a lot of control over the DHCP servers then I
would suggest running a different OS with layer2 firewalling
capabilities.
From: [email protected] [mailto:[email protected]] On Behalf Of Gabriele Bulfon
Sent: Wednesday, July 21, 2010 12:14 AM
To: [email protected]
Cc: Jim Sandoz; [email protected]
Subject: Re: RE : mac-address...
Thx :) Sure I do know this is an option, but I'm not
administering dhcp everywhere, so sometimes I have dhcp
admins who don't want to implement static dhcp mapping,
and I must find a way to NAT specific machines when I
can't rely on ip.
Why can't ipfilter let me check for mac-address? Where is
the issue?
From: Ross Cameron [email protected]
To: Gabriele Bulfon [email protected]
Cc: Jim Sandoz [email protected], [email protected]
Date: 20 July 2010 16:35:47 CEST
Subject: Re: RE : mac-address...
Never heard of static DHCP mappings?
"Opportunity is most often missed by people because it is
dressed in overalls and looks like work."
Thomas Alva Edison
Inventor of 1093 patents, including:
The light bulb, phonogram and motion pictures.
On Tue, Jul 20, 2010 at 3:43 PM, Gabriele Bulfon [email protected] wrote:
This seems an old topic... is there any news about
mac-address filtering?
How could I manage dhcp-hosts NAT another way?
I mean: all a company is dhcp, I don't want to do dns
lookups, but I want some PCs to have NAT regardless
of their IP.
What can I do?
Gabriele.
----------------------------------------------------------------------------------
From: Jim Sandoz [email protected]
To: [email protected]
Date: 9 February 2006 21:40:59 CET
Subject: Re: RE : mac-address...
ipfilter DOES NOT filter on mac address.
jim
Koen Martens wrote:
I'm pretty sure ipfilter doesn't do mac
filtering.
Koen
Cordonnier Christophe wrote:
Are you sure ?
-----Original Message-----
From: Olivier Nicole [mailto:[email protected]]
Sent: Wednesday 8 February 2006 10:36
To: Cordonnier Christophe
Cc: [email protected]
Subject: Re: mac-address...
Ipf, can it filter on mac-address?
I'd say it can't.
Olivier
--
Jim Klimov, CTO, JSC COS&HT
+7-903-7705859 (cellular), mailto:[email protected]
CC: [email protected], [email protected]
() ascii ribbon campaign - against html mail
/\ - against microsoft attachments
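An added illustration of the thread's two technical points (not code from any of the posters): Jim Klimov's observation that the source MAC is replaced at every routing hop while the IP header survives, and Ross Cameron's suggestion that a rule keyed on a DHCP-reserved IP still works at the firewall. All MAC and IP addresses are constructed sample values; the frame format and the routing model are simplified (no checksum recomputation).

```python
import struct

# Constructed sample addresses (not from the thread): a LAN PC, the LAN
# and DMZ-side MACs of an internal router, and the firewall host's MAC.
LAN_PC_MAC = bytes.fromhex("001122334455")
ROUTER_LAN_MAC = bytes.fromhex("aabbccddeeff")
ROUTER_DMZ_MAC = bytes.fromhex("aabbccddee01")
FW_MAC = bytes.fromhex("0a0b0c0d0e0f")

def build_frame(src_mac, dst_mac, src_ip, dst_ip, ttl=64):
    """Ethernet II frame (Layer 2) carrying an IPv4/TCP SYN (Layers 3/4)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0,
                         bytes(map(int, src_ip.split("."))),
                         bytes(map(int, dst_ip.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return dst_mac + src_mac + b"\x08\x00" + ip_hdr + tcp_hdr

def parse_frame(frame):
    """What a sniffer such as tcpdump -e shows: MACs from the frame header,
    IPs and TTL from the IP header that the frame encapsulates."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:34]
    return {"dst_mac": frame[:6].hex(":"), "src_mac": frame[6:12].hex(":"),
            "ttl": ip[8], "src_ip": ".".join(map(str, ip[12:16])),
            "dst_ip": ".".join(map(str, ip[16:20]))}

def route_hop(frame, out_if_mac, next_hop_mac):
    """Model one routing hop: the IP packet is kept (TTL decremented, header
    checksum left at 0 in this model) and re-encapsulated in a NEW frame
    whose source MAC is the router's own outgoing interface."""
    packet = bytearray(frame[14:])
    packet[8] -= 1
    return next_hop_mac + out_if_mac + b"\x08\x00" + bytes(packet)

def src_mac_rule_matches(frame, mac):
    """Hypothetical Layer-2 rule: it can only see the MAC of the last hop."""
    return parse_frame(frame)["src_mac"] == mac

def src_ip_rule_matches(frame, ip):
    """IPFilter-style Layer-3 rule, e.g. keyed on a DHCP-reserved address."""
    return parse_frame(frame)["src_ip"] == ip

def demo():
    on_lan = build_frame(LAN_PC_MAC, ROUTER_LAN_MAC, "192.168.1.10", "203.0.113.5")
    at_fw = route_hop(on_lan, ROUTER_DMZ_MAC, FW_MAC)  # after the internal router
    return {"mac_rule_on_lan": src_mac_rule_matches(on_lan, "00:11:22:33:44:55"),
            "mac_rule_at_fw": src_mac_rule_matches(at_fw, "00:11:22:33:44:55"),
            "ip_rule_at_fw": src_ip_rule_matches(at_fw, "192.168.1.10"),
            "seen_at_fw": parse_frame(at_fw)}
```

Running demo() shows the PC's MAC matching on its own segment but not at the firewall, where only the router's DMZ-side MAC is visible, while the IP-based rule still matches.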