> You may also want to consider getting arpwatch. arpwatch will tell you when a particular user changes their MAC address. MAC spoofing, while more difficult than IP spoofing, is still fairly trivial and particularly in this case where you are using a "blacklist" approach for filtering MACs. So if I'm the one with MAC 00:D8:02:D8:C8:DF and I want to get around your rules, I'll get a utility to change my MAC to something that won't trigger your firewall rule, like 10:D8:02:D8:C8:DF, which I can be sure won't collide with another MAC for quite some time. > > If the particular users you are trying to filter for aren't very technical then I wouldn't worry but after two years of being a lab assistant/server admin for a network security class I tend to be a little paranoid. =) You are absolutely correct. So my immediate response to this is do the exact opposite, have the MAC of the computers that are allowed to access any thing other than the sites in question. As far as needing ARP watch to look for changes in IP, you could watch for the MAC and IP pair of allowed systems. Sure people could still get around this but they will be breaking other things too. Grant. . . .
