[fw-wiz] Link level security with static arp tables

From: Debian User (nospam_at_for.us)
Date: 10/12/03

  • Next message: Luke Butcher: "Re: [fw-wiz] Link level security with static arp tables"
    To: firewall-wizards@honor.icsalabs.com
    Date: Sun, 12 Oct 2003 15:32:14 +0300
    
    

    Hello,

    Problem:

    [ INET ] ---- <eth1> [ NAT GATEWAY ] <eth0> --- [ LOCAL NET, 50 clients ]

    I need to limit access to the gateway according to allowed MACs, ie Ethernet
    frames from allowed MAC addresses are forwarded to and fro in the gateway,
    but others will be dropped (and logged if possible).

    I could disable arp on eht0 and use static arp tables in the gw, but that
    would mean that the gateway won't answer any arp queries, hence the clients
    will not be able to find it's MAC. Setting up static arp tables in clients is
    not an option.

    I could use netfilter MAC matching support in the kernel, but that would mean
    I have to add 50 rules to the ruleset adding considerable overhead. Moreover,
    it is a link level problem that sould be solved in the same level, so
    netfilter is not an attractive option. Please comment if I'm wrong.

    Any solutions?

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: Luke Butcher: "Re: [fw-wiz] Link level security with static arp tables"