On Mon 11/08/2003 at 15:05, Ramin Dousti wrote:

> You know that the MAC address is only visible on the same ethernet link.
> Having said this, how are the IP addresses being assigned? If it's by
> DHCP, then you can assign each MAC a well-known IP and filter based on
> that IP...

A malicious user can manually reconfigure their interface, or use ARP cache poisoning to redirect traffic in order to listen to/tamper with/redirect traffic or spoof another host.

A good way to enforce IP/MAC associations is a static ARP cache:

arp -s <HW> <IP> [-i <iface>]

Or:

arp -f <file> [-i <iface>]

This way, you're sure your firewall won't answer a request from an IP that uses a wrong MAC address.

> If not, then you must be on the same ethernet link and just
> use the mac module (see "man iptables" and look for mac).

The Netfilter mac match brings a second security layer that is redundant with the static ARP cache (redundancy is good for security stuff), especially for logging MAC address change attempts.

--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE
FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
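The two layers described above (static ARP entries plus Netfilter mac-match rules that log and drop packets whose source MAC does not match the expected one) as an added shell example that is not part of the original message. The inventory, interface name `eth0` and log prefix are constructed assumptions; by default the script only prints the commands, and executes them only when run as root with `APPLY=1`.

```shell
#!/bin/sh
# Added example: derive static ARP entries and iptables mac-match rules from
# a small IP/MAC inventory. Not the original poster's code.

# Constructed sample inventory, one "IP MAC" pair per line (not real hosts).
INVENTORY='192.168.1.10 00:11:22:33:44:55
192.168.1.11 00:11:22:33:44:66'

# Interface the hosts are attached to (assumption: eth0).
IFACE="${IFACE:-eth0}"

# Emit one "arp -s" command per pair: a permanent, static ARP entry so the
# firewall never learns a different MAC for that IP from the wire.
gen_arp_cmds() {
    printf '%s\n' "$INVENTORY" | while read -r ip mac; do
        [ -n "$ip" ] && [ -n "$mac" ] || continue
        printf 'arp -i %s -s %s %s\n' "$IFACE" "$ip" "$mac"
    done
}

# Emit the second layer: for each pair, LOG then DROP any packet that claims
# the IP but arrives from a different source MAC. The LOG rule records
# MAC change attempts; the DROP rule blocks them.
gen_fw_cmds() {
    printf '%s\n' "$INVENTORY" | while read -r ip mac; do
        [ -n "$ip" ] && [ -n "$mac" ] || continue
        printf 'iptables -A INPUT -i %s -s %s -m mac ! --mac-source %s -j LOG --log-prefix "MAC-MISMATCH: "\n' "$IFACE" "$ip" "$mac"
        printf 'iptables -A INPUT -i %s -s %s -m mac ! --mac-source %s -j DROP\n' "$IFACE" "$ip" "$mac"
    done
}

# Number of generated firewall commands (two per inventory line).
count_fw_cmds() { gen_fw_cmds | wc -l | tr -d ' '; }

if [ "${APPLY:-0}" = 1 ]; then
    gen_arp_cmds | sh     # needs root and net-tools
    gen_fw_cmds | sh      # needs root and iptables with the mac match
else
    gen_arp_cmds
    gen_fw_cmds
fi
```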