Derick Anderson wrote:
-----Original Message-----
From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
[mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of
Piotr Holubniak
Sent: Thursday, September 29, 2005 1:22 AM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: iptables spof address problem
[snip]
This is not a question of Layer 2 routing. All computers are
in one local network, in the same subnet, so there is no need
to route packets.
It seems to me that even if data arrives at the NIC of the Linux
computer with netfilter from a computer with some MAC address, this
MAC address is unseen by netfilter, because before it is
passed to netfilter, the TCP/IP stack tries to resolve the MAC by
sending an ARP lookup. So finally netfilter gets the wrong MAC:
not the sender's, but the one from the ARP lookup.
Tell me if I am wrong.
Regards
PiotrH
Netfilter is designed to improve the security of a network or computer system.
In a well-designed network, a mechanism like "port security" on the switch
doesn't allow you to spoof a MAC address, simply because it limits the number
of MAC addresses which can leave a port to only one, and this one is
registered and cannot be changed without the supervisor's permission.
In the scenario I described, the attacker doesn't need to spoof the MAC address
to be invisible; it is enough to spoof the IP. So the functionality of "port
security" is very limited. I believe that netfilter should always display the
real MAC address. I don't know how to change it.
Regards
PiotrH
If there's no routing involved and your hosts are on the same subnet,
then it is trivial to spoof the MAC of another machine, especially in
the scenario you describe. What you say is correct. It is not the fault
of netfilter or the kernel stack; it's just impossible to tell the
difference between two computers sending the exact same packet on the
same subnet.
It's like printing out two copies of the same paper on two different
copiers. Which one came from which copier? You can't tell. In fact, that
would probably be easier to figure out than MAC spoofing.
Derick Anderson
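As an added illustration (not part of this thread and not netfilter code), the following Python mirrors what a rule such as `iptables -A INPUT -s 192.168.1.10 -m mac ! --mac-source 00:11:22:33:44:55 -j DROP` does on the receiving host: it reads the source MAC from the Ethernet header of the frame that actually arrived on the NIC (netfilter's `mac` match reads the same field; it does not consult ARP for it), compares it with an IP-to-MAC binding table, and shows that the check catches an IP-only spoof but cannot tell an IP-plus-MAC spoof apart from the legitimate host, which is the point made above. All addresses, the binding table and the frame builder are constructed for the example.

```python
import struct

ETH_HLEN = 14          # Ethernet II header: dst MAC, src MAC, EtherType
ETHERTYPE_IPV4 = 0x0800
IP_MIN_HLEN = 20

# Constructed binding table (hypothetical addresses): the only MAC each IP on
# the segment is expected to come from. In practice this mirrors the switch's
# port-security table or a static ARP table kept by the administrator.
ALLOWED_BINDINGS = {
    "192.168.1.10": "00:11:22:33:44:55",   # legitimate host
    "192.168.1.20": "66:77:88:99:aa:bb",   # another legitimate host
}


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_frame(src_mac, dst_mac, src_ip, dst_ip):
    """Build a constructed Ethernet II frame carrying a minimal IPv4 header.

    Only the fields the example inspects are meaningful; there is no payload
    and the IP checksum is left at zero.
    """
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,            # version 4, IHL 5 (20-byte header)
        0,               # DSCP/ECN
        IP_MIN_HLEN,     # total length (header only)
        0, 0,            # identification, flags/fragment offset
        64,              # TTL
        6,               # protocol: TCP
        0,               # header checksum (not computed for this example)
        ip_to_bytes(src_ip),
        ip_to_bytes(dst_ip),
    )
    return eth + ip


def parse_frame(frame):
    """Return (source MAC, source IP) exactly as they sit in the received frame.

    This is the view the receiving host has on INPUT: the source MAC comes
    from the Ethernet header of the frame that arrived on the NIC, not from
    an ARP lookup of the source IP.
    """
    if len(frame) < ETH_HLEN + IP_MIN_HLEN:
        raise ValueError("frame too short")
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HLEN])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[ETH_HLEN] & 0x0F) * 4
    if ihl < IP_MIN_HLEN:
        raise ValueError("bad IPv4 header length")
    src_ip = frame[ETH_HLEN + 12:ETH_HLEN + 16]
    return mac_to_str(src), ".".join(str(b) for b in src_ip)


def classify(frame):
    """Apply the equivalent of one rule per binding:
        iptables -A INPUT -s <ip> -m mac ! --mac-source <mac> -j DROP
    plus a default DROP for source IPs that have no binding at all.
    """
    src_mac, src_ip = parse_frame(frame)
    expected_mac = ALLOWED_BINDINGS.get(src_ip)
    if expected_mac is None:
        return "DROP (unknown source IP)"
    if src_mac != expected_mac:
        return "DROP (IP/MAC mismatch)"
    return "ACCEPT"


def demo():
    """Three constructed frames sent to the netfilter host 192.168.1.1."""
    victim_ip, victim_mac = "192.168.1.10", "00:11:22:33:44:55"
    attacker_mac = "de:ad:be:ef:00:01"      # constructed attacker NIC address
    host_ip, host_mac = "192.168.1.1", "aa:aa:aa:aa:aa:aa"

    legit = build_frame(victim_mac, host_mac, victim_ip, host_ip)
    ip_only_spoof = build_frame(attacker_mac, host_mac, victim_ip, host_ip)
    # Attacker copies the victim's MAC too: the frame is byte-for-byte identical.
    full_spoof = build_frame(victim_mac, host_mac, victim_ip, host_ip)

    return {
        "legitimate": classify(legit),
        "ip_spoof_only": classify(ip_only_spoof),
        "ip_and_mac_spoof": classify(full_spoof),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} -> {verdict}")
```

The IP-only spoof is dropped because the attacker's own NIC address is in the Ethernet header; the IP-plus-MAC spoof is accepted because nothing in the frame distinguishes it from the real host. That residual case is exactly what switch port security (one registered MAC per port) is meant to stop at Layer 2, since the receiving host cannot.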