On Thu, 29 Sep 2005, Piotr Holubniak wrote:
In the scenario I described, the attacker doesn't need to spoof the MAC address to be
invisible; it is enough to spoof the IP. So the functionality of "security port" is
very limited. I believe that netfilter should always display the real MAC
address. I don't know how to change it.
iptables sees the MAC address as it was received by the Linux box.
A spoofing hacker is not invisible in a "security port" enabled network.
He can always be traced to his exact port from the sending MAC address, as
the switch prevents him from sending packets with another source MAC.
However, if the packet travels via a router before it reaches the firewall,
then the original MAC addressing is implicitly lost by the routing (this
is a fact, nothing can be done about it), and in such a case tracing the
actual user becomes a little harder at the firewall. But it can still be
traced to the originating switch port by looking at the packet in (or
before) the router.
It's like printing out two copies of the same paper on two different
copiers. Which one came from which copier? You can't tell. In fact it
would probably be easier to figure that out as opposed to MAC spoofing.
Bad example. Paper copiers are not exact and it is possible to determine
which copy was made on which copier by analyzing the errors in the copy.
Regards
Henrik
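As an added example (not code from the thread), here is how the two points above look when applied to netfilter LOG output: the MAC= field carries the source MAC exactly as the Linux box received it, so on a port-security network one MAC showing several source IPs pins IP spoofing to a single switch port, while a source MAC that belongs to a router means the original MAC is already gone and the trace continues at that router. The log lines and the router MAC inventory are constructed.

```python
import re
from collections import defaultdict
# Constructed sample lines in the format of the netfilter LOG target (not from the
# thread). The MAC= field is dst(6 bytes):src(6 bytes):ethertype(2 bytes).
SAMPLE_LOG = """\
kernel: IN=eth0 OUT= MAC=00:50:56:aa:bb:cc:00:1a:2b:3c:4d:5e:08:00 SRC=10.0.0.23 DST=10.0.0.1 PROTO=TCP SPT=40000 DPT=22
kernel: IN=eth0 OUT= MAC=00:50:56:aa:bb:cc:00:1a:2b:3c:4d:5e:08:00 SRC=10.0.0.77 DST=10.0.0.1 PROTO=TCP SPT=40001 DPT=22
kernel: IN=eth0 OUT= MAC=00:50:56:aa:bb:cc:00:0c:29:ff:ee:dd:08:00 SRC=192.168.5.9 DST=10.0.0.1 PROTO=UDP SPT=5353 DPT=53
"""

# Hypothetical inventory of router interface MACs facing the firewall. A frame
# whose source MAC is one of these has been routed: the sender's own MAC is gone
# and the trace has to continue at that router, as Henrik describes.
ROUTER_MACS = {"00:0c:29:ff:ee:dd"}

MAC_RE = re.compile(r"MAC=((?:[0-9a-f]{2}:){13}[0-9a-f]{2})", re.I)
SRC_RE = re.compile(r"\bSRC=(\S+)")

def parse_log_line(line):
    """Return (src_ip, src_mac) from one LOG line, or None if either is missing."""
    mac, src = MAC_RE.search(line), SRC_RE.search(line)
    if not mac or not src:
        return None
    octets = mac.group(1).lower().split(":")
    return src.group(1), ":".join(octets[6:12])  # bytes 6..11 hold the source MAC

def classify(line, router_macs=ROUTER_MACS):
    """'local': the MAC identifies the sender's switch port.
    'routed': the MAC is only the last router's; look at the packet before it."""
    parsed = parse_log_line(line)
    if parsed is None:
        return None
    src_ip, src_mac = parsed
    origin = "routed" if src_mac in router_macs else "local"
    return {"ip": src_ip, "mac": src_mac, "origin": origin}

def local_ips_per_mac(log, router_macs=ROUTER_MACS):
    """Group source IPs by local source MAC. Several IPs behind one MAC is what IP
    spoofing looks like on a port-security switch: the MAC still pins it to one port."""
    seen = defaultdict(set)
    for line in log.splitlines():
        info = classify(line, router_macs)
        if info and info["origin"] == "local":
            seen[info["mac"]].add(info["ip"])
    return {mac: sorted(ips) for mac, ips in seen.items()}

if __name__ == "__main__":
    for mac, ips in local_ips_per_mac(SAMPLE_LOG).items():
        print(mac, ips, "<- several IPs from one port" if len(ips) > 1 else "")
```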