Ray Olszewski wrote:

> At 09:51 AM 10/30/02 +0100, Sanyarin wrote:
>
> > > You can do better than this if you use a switch that allows head-end
> > > restriction of what IP addresses (or MAC addresses; I'm a bit hazy on how
> > > this works) can connect to each port, [...]
> >
> > I checked the manuals of the four VH-2402S switches we use and yes, I can
> > restrict the use of a certain port to one or more specific MAC addresses.
> > Internet access isn't restricted to certain users (since the costs are
> > covered by generally raising the rent). The only use of authentication
> > would be a reliable link between an IP address and a user.
> >
> > Would it be possible to create a ruleset that checks for MAC *and* IP
> > addresses?
>
> No. The term "ruleset" normally refers to ipchains or iptables rules, and
> they operate at Layers 3 and 4 (IP addresses, ports, protocols), not Layer 2
> (Ethernet, MAC addresses). Outside the firewalling code, you should be able
> to write a small program that periodically checks the router's arp cache
> and verifies that each IP address is associated with a valid (or a
> particular; depends on how you assign IP addresses) MAC address, then
> modifies the ipchains/iptables ruleset to allow only MAC-check-validated IP
> addresses to use the router.

Actually, iptables DOES support filtering by source MAC address, and in Shorewall 1.3.10 (Beta available now) it is possible to do exactly what Sanyarin is asking for.
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ [EMAIL PROTECTED]
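As an added illustration of the two approaches in this thread (example code, not from the original posts, from Shorewall or from LEAF): the iptables `mac` match (`-m mac --mac-source`) binds a source IP to a source MAC inside one rule, which is what Tom's reply refers to, and a small ARP-cache comparison implements the cross-check Ray described. The interface name `eth1`, the chain name `MACCHECK`, the binding table and the sample ARP cache are all assumptions made up for the example.

```shell
#!/bin/sh
# Added example, not from the original thread, Shorewall or LEAF.
# Binds each tenant IP address to the MAC address their switch port is
# locked to.  All names and addresses below are assumptions.
#
#  apply_rules      -- iptables rules using the `mac` match (-m mac
#                      --mac-source): a LAN packet passes only when BOTH its
#                      source IP and source MAC are a known pair.
#  check_arp_cache  -- the ARP-cache cross-check Ray described: report any
#                      IP the router has learned with a MAC other than the
#                      one bound to it.
#
# Set IPTABLES=echo to print the rules instead of loading them.

IPTABLES=${IPTABLES:-iptables}
LAN_IF=${LAN_IF:-eth1}   # assumed LAN-side interface

# Constructed binding table, one "IP MAC" pair per line (made-up values;
# keep MACs lowercase to match what /proc/net/arp prints).
BINDINGS='192.168.1.10 00:11:22:33:44:55
192.168.1.11 00:11:22:33:44:66'

apply_rules() {
    # Own chain so the policy can be flushed and rebuilt without touching
    # the rest of the ruleset.
    $IPTABLES -N MACCHECK 2>/dev/null || true
    $IPTABLES -F MACCHECK
    printf '%s\n' "$BINDINGS" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        # Exact IP/MAC pair: RETURN hands the packet back to normal filtering.
        $IPTABLES -A MACCHECK -s "$ip" -m mac --mac-source "$mac" -j RETURN
    done
    # Everything else arriving from the LAN is logged and dropped.
    $IPTABLES -A MACCHECK -j LOG --log-prefix "MAC/IP mismatch: "
    $IPTABLES -A MACCHECK -j DROP
    # The mac match is only valid in PREROUTING, INPUT and FORWARD, so hook
    # the chain into the two filter chains that see LAN traffic.
    $IPTABLES -I INPUT 1 -i "$LAN_IF" -j MACCHECK
    $IPTABLES -I FORWARD 1 -i "$LAN_IF" -j MACCHECK
}

# Compare an ARP table in /proc/net/arp format (default: the live one)
# against BINDINGS.  Prints each mismatch; returns 0 if all bound IPs carry
# their expected MAC, 1 otherwise.
check_arp_cache() {
    arp_file=${1:-/proc/net/arp}
    status=0
    # Columns: IP address, HW type, Flags, HW address, Mask, Device.
    while read -r ip hwtype flags mac mask dev; do
        [ "$ip" = "IP" ] && continue         # header line
        [ "$flags" = "0x0" ] && continue     # incomplete entry, no MAC yet
        expected=$(printf '%s\n' "$BINDINGS" | awk -v ip="$ip" '$1 == ip { print $2 }')
        [ -n "$expected" ] || continue       # IP not in the table
        if [ "$mac" != "$expected" ]; then
            echo "$ip seen with $mac on $dev, expected $expected"
            status=1
        fi
    done < "$arp_file"
    return $status
}

# Constructed ARP cache: .11 is answering from the wrong MAC, .50 is an
# incomplete entry and should be ignored.
SAMPLE_ARP='IP address       HW type     Flags       HW address            Mask     Device
192.168.1.10     0x1         0x2         00:11:22:33:44:55     *        eth1
192.168.1.11     0x1         0x2         de:ad:be:ef:00:01     *        eth1
192.168.1.50     0x1         0x0         00:00:00:00:00:00     *        eth1'

# "sh this_script.sh demo" prints the rules and runs the check on SAMPLE_ARP.
if [ "${1:-}" = "demo" ]; then
    IPTABLES=echo
    apply_rules
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_ARP" > "$tmp"
    check_arp_cache "$tmp" || echo "ARP cache disagrees with the binding table"
    rm -f "$tmp"
fi
```

Two caveats worth keeping in mind with either approach. The MAC that iptables (or the ARP cache) sees is whatever the last hop put in the frame, so on a routed path it is the upstream router's address, not the tenant's; this only works because the tenants here sit directly on the switch. And both checks catch a tenant who changes IP address (the pair no longer matches), but neither stops someone who clones both the IP and the MAC; the per-port MAC lock on the VH-2402S is what gives that assurance, and the firewall rules are the second line.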
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html