[fw-wiz] Link level security with static arp tables
From: Debian User (nospam_at_for.us)
To: email@example.com Date: Sun, 12 Oct 2003 15:32:14 +0300
[ INET ] ---- <eth1> [ NAT GATEWAY ] <eth0> --- [ LOCAL NET, 50 clients ]
I need to limit access to the gateway according to allowed MACs, ie Ethernet
frames from allowed MAC addresses are forwarded to and fro in the gateway,
but others will be dropped (and logged if possible).
I could disable arp on eht0 and use static arp tables in the gw, but that
would mean that the gateway won't answer any arp queries, hence the clients
will not be able to find it's MAC. Setting up static arp tables in clients is
not an option.
I could use netfilter MAC matching support in the kernel, but that would mean
I have to add 50 rules to the ruleset adding considerable overhead. Moreover,
it is a link level problem that sould be solved in the same level, so
netfilter is not an attractive option. Please comment if I'm wrong.
firewall-wizards mailing list