[fw-wiz] Link level security with static arp tables

From: Debian User (nospam_at_for.us)
Date: 10/12/03

    To: firewall-wizards@honor.icsalabs.com
    Date: Sun, 12 Oct 2003 15:32:14 +0300

    Hello,

    Problem:

    [ INET ] ---- <eth1> [ NAT GATEWAY ] <eth0> --- [ LOCAL NET, 50 clients ]

    I need to limit access to the gateway according to allowed MACs, i.e. Ethernet
    frames from allowed MAC addresses are forwarded to and fro in the gateway,
    but others will be dropped (and logged if possible).

    I could disable arp on eth0 and use static arp tables in the gw, but that
    would mean that the gateway won't answer any arp queries, hence the clients
    will not be able to find its MAC. Setting up static arp tables in clients is
    not an option.

    I could use netfilter MAC matching support in the kernel, but that would mean
    I have to add 50 rules to the ruleset, adding considerable overhead. Moreover,
    it is a link level problem that should be solved in the same level, so
    netfilter is not an attractive option. Please comment if I'm wrong.

    Any solutions?

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
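The "50 rules" overhead objection in the post goes away when the allowed MACs live in one kernel set and a single rule consults it. The script below is an added example, not from the original poster or the list: it generates an nftables ruleset from an allowlist file (assumed format: one MAC per line, `#` comments allowed) for the LAN-facing interface `eth0` from the diagram, matching on `ether saddr` so the netfilter hook still sees the source MAC of each frame. Because the `inet` family hook does not process ARP, the gateway keeps answering ARP queries for every client; frames from unlisted MACs are logged and dropped before forwarding or local delivery.

```shell
#!/bin/sh
# Generate an nftables ruleset that admits IP traffic only from an allowlist
# of MAC addresses, using one named set instead of one rule per address.
# Assumptions (not from the original post): allowlist has one MAC per line,
# '#' comments allowed; the LAN-facing interface defaults to eth0.

gen_mac_ruleset() {
  # $1 = path to allowlist file, $2 = LAN-facing interface (default eth0)
  allow_file=$1
  lan_if=${2:-eth0}

  # Drop comment lines, normalise to lowercase, keep only well-formed
  # aa:bb:cc:dd:ee:ff entries, de-duplicate, and join as "a, b, c".
  macs=$(grep -v '^[[:space:]]*#' "$allow_file" \
         | tr '[:upper:]' '[:lower:]' \
         | grep -E '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' \
         | sort -u | paste -sd, - | sed 's/,/, /g')
  [ -n "$macs" ] || { echo "no valid MAC addresses in $allow_file" >&2; return 1; }

  # Hook at prerouting, priority -300 (raw), so unknown frames are dropped
  # before conntrack, before forwarding and before local delivery alike.
  cat <<EOF
table inet macfilter {
    set allowed_macs {
        type ether_addr
        elements = { $macs }
    }
    chain prerouting {
        type filter hook prerouting priority -300; policy accept;
        iifname "$lan_if" ether saddr @allowed_macs accept
        iifname "$lan_if" log prefix "unknown-mac: " drop
    }
}
EOF
}

# Usage: gen_mac_ruleset /etc/allowed-macs.txt eth0 > /etc/nftables.d/macfilter.nft
```

Load the generated file with `nft -f`; adding a client later means editing the allowlist and reloading, with the single lookup rule unchanged.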

