[fw-wiz] Link level security with static arp tables

From: Debian User (nospam_at_for.us)
Date: 10/12/03

Next message: Luke Butcher: "Re: [fw-wiz] Link level security with static arp tables"

Previous message: hermit921: "Re: [fw-wiz] [OT] tcpdump parsing"
Next in thread: Luke Butcher: "Re: [fw-wiz] Link level security with static arp tables"
Reply: Luke Butcher: "Re: [fw-wiz] Link level security with static arp tables"
Maybe reply: Sloane, David: "RE: [fw-wiz] Link level security with static arp tables"
Reply: Martin A. Brown: "Re: [fw-wiz] Link level security with static arp tables"
Reply: Ben Nagy: "RE: [fw-wiz] Link level security with static arp tables"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: firewall-wizards@honor.icsalabs.com
Date: Sun, 12 Oct 2003 15:32:14 +0300

Hello,

Problem:

[ INET ] ---- <eth1> [ NAT GATEWAY ] <eth0> --- [ LOCAL NET, 50 clients ]

I need to limit access to the gateway according to allowed MACs, ie Ethernet
frames from allowed MAC addresses are forwarded to and fro in the gateway,
but others will be dropped (and logged if possible).

I could disable arp on eht0 and use static arp tables in the gw, but that
would mean that the gateway won't answer any arp queries, hence the clients
will not be able to find it's MAC. Setting up static arp tables in clients is
not an option.

I could use netfilter MAC matching support in the kernel, but that would mean
I have to add 50 rules to the ruleset adding considerable overhead. Moreover,
it is a link level problem that sould be solved in the same level, so
netfilter is not an attractive option. Please comment if I'm wrong.

Any solutions?

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Next message: Luke Butcher: "Re: [fw-wiz] Link level security with static arp tables"

Previous message: hermit921: "Re: [fw-wiz] [OT] tcpdump parsing"
Next in thread: Luke Butcher: "Re: [fw-wiz] Link level security with static arp tables"
Reply: Luke Butcher: "Re: [fw-wiz] Link level security with static arp tables"
Maybe reply: Sloane, David: "RE: [fw-wiz] Link level security with static arp tables"
Reply: Martin A. Brown: "Re: [fw-wiz] Link level security with static arp tables"
Reply: Ben Nagy: "RE: [fw-wiz] Link level security with static arp tables"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: IpTraffic encloded in EthBroadcasts should be routed
... The Sender doenst know the gateway IP and also not the ... :Gateway mac. ... Thats the reason why Its an broadcast. ... You mean something like ICMP Router Discovery, ...
(comp.dcom.lans.ethernet)
Re: Convention User Woas
... gateway, they're not able to reach off the LAN either, as most operating ... Where they st00pid enough to not spoof the MAC address as well? ... If this is a _wired_ network, you can set your switch so that it knows on ... with some APs you can set them so there is no client to client traffic ...
(comp.dcom.lans.ethernet)
Re: Wireless laptop roaming through various access points
... Whichever interface has the default route pointing to it, ... It is possible to assign more than one default gateway in the ... What needs to change is the ARP table, which maps the MAC address to ...
(alt.internet.wireless)
RE: [fw-wiz] Link level security with static arp tables
... > I need to limit access to the gateway according to allowed ... according to MAC address" is a techical requirement, ... > tables in clients is ...
(Firewall-Wizards)
Re: Network Horror
... >gateway, and I have tried a route add 0.0.0.0 through the same gateway ... but WinME and WinXP machines can not. ... The IP gets the MAC and communications are MAC to MAC so if you ...
(comp.unix.sco.misc)