>>>>> "PH" == Pascal Hambourg <pascal.mail@xxxxxxxxxxxxxxx> writes:

PH> Hello,
PH> Wakko Warner wrote:
>> Box A -> (eth1)firewall/router(eth0) -> Box B
>> firewall/router does not trust eth1 and uses MAC addresses to allow
>> access, so it does this:
>> -I FORWARD -j ACCEPT -i eth1 -m mac --mac BOXAMAC
>> -I FORWARD -j DROP -i eth1

PH> If the firewall does not trust what is beyond eth1, MAC filtering
PH> is pointless: a MAC address can be easily sniffed and spoofed.

Unless the switches use MAC-address-based security...

Of course these days you can let the switches sniff DHCP and enforce
IPs as well.

/Benny