> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
> [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of
> Taylor, Grant
> Sent: Tuesday, August 30, 2005 1:23 PM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Re: Allowing access only some sites - onely some mac address
>
>
> You may also want to consider getting arpwatch. arpwatch
> will tell you when a particular user changes their MAC
> address. MAC spoofing, while more difficult than IP spoofing,
> is still fairly trivial and particularly in this case where
> you are using a "blacklist" approach for filtering MACs. So
> if I'm the one with MAC 00:D8:02:D8:C8:DF and I want to get
> around your rules, I'll get a utility to change my MAC to
> something that won't trigger your firewall rule, like
> 10:D8:02:D8:C8:DF, which I can be sure won't collide with
> another MAC for quite some time.
>
>
> > If the particular users you are trying to filter for aren't very
> > technical then I wouldn't worry but after two years of being a lab
> > assistant/server admin for a network security class I tend to be a
> > little paranoid. =)
>
> You are absolutely correct. So my immediate response to this
> is do the exact opposite, have the MAC of the computers that
> are allowed to access any thing other than the sites in
> question. As far as needing ARP watch to look for changes in
> IP, you could watch for the MAC and IP pair of allowed
> systems. Sure people could still get around this but they
> will be breaking other things too.
>
>
>
> Grant. . . .

Yes, that is the best way to do things. The university I graduated from implemented whitelist MAC-based network access very effectively and would kill your port if you tried getting around it. Having managed switches helped quite a bit.

Derick
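Below is an added example (not code from the thread's participants or from the netfilter project) of the two defensive ideas Grant and Derick settle on: an allow-list in which only known MAC+IP pairs get unrestricted access while everyone else is limited to a fixed site list, and a watcher that flags when an allowed system's MAC/IP pairing changes, in the spirit of what arpwatch reports. The iptables match names used (`-m mac --mac-source`, `-m conntrack --ctstate`) are real; every address, host and observation in the code is constructed sample data, and the rule renderer only returns command strings for review, it does not run anything. One caveat the thread does not spell out: the `mac` match only sees the source MAC of the last hop on the firewall's own segment, so this only works where the clients are directly attached.

```python
"""Allow-list MAC/IP rules plus a pair-change watcher (added example code).

Not part of the original mailing-list thread or the netfilter project.
All MAC and IP addresses here are constructed sample values.
"""

from dataclasses import dataclass, field

# Constructed allow-list: machines permitted to reach anything beyond the
# limited site list, keyed by MAC (as in the thread), with the IP each is
# expected to use.
ALLOWED = {
    "00:d8:02:d8:c8:df": "192.0.2.10",
    "00:d8:02:d8:c8:e0": "192.0.2.11",
}

# Constructed list of sites that every unlisted host may still reach.
LIMITED_SITES = ["198.51.100.20", "198.51.100.21"]


def normalize_mac(mac: str) -> str:
    """Lower-case and zero-pad each octet so '0:d8:2:...' and '00:D8:02:...' compare equal."""
    return ":".join(f"{int(part, 16):02x}" for part in mac.split(":"))


def iptables_whitelist_rules(allowed, limited_sites, chain="FORWARD"):
    """Render the allow-list as iptables commands (returned, not executed).

    Order matters: replies to permitted traffic first, then the allowed
    MAC+IP pairs, then the limited site list for everyone else, then DROP.
    Without the conntrack rule the return packets from the limited sites
    would not match '-d site' and would be dropped.
    """
    rules = [f"iptables -A {chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for mac, ip in sorted(allowed.items()):
        rules.append(
            f"iptables -A {chain} -m mac --mac-source {mac.upper()} -s {ip} -j ACCEPT"
        )
    for site in limited_sites:
        rules.append(f"iptables -A {chain} -d {site} -j ACCEPT")
    rules.append(f"iptables -A {chain} -j DROP")
    return rules


@dataclass
class PairWatcher:
    """Tracks (IP -> MAC) sightings and alerts on changes involving allowed systems."""

    allowed: dict                                   # mac -> expected ip
    seen: dict = field(default_factory=dict)        # ip -> last mac observed

    def observe(self, ip: str, mac: str) -> list:
        """Feed one ARP sighting; return the alert strings it raises (empty if quiet)."""
        mac = normalize_mac(mac)
        alerts = []
        ip_to_mac = {v: k for k, v in self.allowed.items()}

        # An allowed IP showing up with a different MAC is the case Grant
        # describes: someone borrowing an address their MAC is not entitled to.
        if ip in ip_to_mac and ip_to_mac[ip] != mac:
            alerts.append(f"allowed IP {ip} seen with unexpected MAC {mac} (expected {ip_to_mac[ip]})")

        # An allowed MAC moving to another IP also breaks the MAC+IP pair rule.
        expected_ip = self.allowed.get(mac)
        if expected_ip is not None and expected_ip != ip:
            alerts.append(f"allowed MAC {mac} seen with unexpected IP {ip} (expected {expected_ip})")

        prev = self.seen.get(ip)
        if prev is None and mac not in self.allowed:
            alerts.append(f"new station {ip} {mac}")           # arpwatch-style first sighting
        elif prev is not None and prev != mac:
            alerts.append(f"{ip} changed ethernet address {prev} -> {mac}")  # arpwatch-style flip

        self.seen[ip] = mac
        return alerts


if __name__ == "__main__":
    for rule in iptables_whitelist_rules(ALLOWED, LIMITED_SITES):
        print(rule)
    watcher = PairWatcher(ALLOWED)
    # Constructed sightings: the legitimate pair, then the evasion attempt
    # from the thread, then an allowed MAC on a foreign IP, then a stranger.
    for ip, mac in [
        ("192.0.2.10", "0:d8:2:d8:c8:df"),
        ("192.0.2.10", "10:D8:02:D8:C8:DF"),
        ("192.0.2.50", "00:d8:02:d8:c8:e0"),
        ("192.0.2.99", "aa:bb:cc:dd:ee:ff"),
    ]:
        for alert in watcher.observe(ip, mac):
            print("ALERT:", alert)
```

The renderer deliberately hands back strings rather than calling iptables so the ordering can be checked before anything is applied; the watcher keys alerts on the allow-list, which is why the thread's evasion case (a known IP appearing with a freshly invented MAC) raises an alert under an allow-list where a block-list would have let it pass silently.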