On Wed, 2007-10-31 at 20:19 +0100, Pascal Hambourg wrote:
> Hello,
>
> Matt Zagrabelny wrote:
> >
> > If so, you can do MAC filtering (performance shouldn't matter as the MAC
> > address is in the link header)
>
> Can you please elaborate about the relationship between filtering
> performance and the address layer?

There is nothing to elaborate on. ;)

The frame contains the MAC address. This is what iptables will be looking at. If the box running iptables is on the same network/vlan as the rest of the traffic it is expecting to filter, then it will have MAC addresses of actual hosts; however, if traffic is coming from a different network/vlan then said traffic will have been routed and the frame will have changed, thus the MAC address will be the MAC of the network boundary, namely the router/gateway.

--
Matt Zagrabelny - mzagrabe@xxxxxxxxx - (218) 726 8844
University of Minnesota Duluth
Information Technology Systems & Services
PGP key 1024D/84E22DA2 2005-11-07
Fingerprint: 78F9 18B3 EF58 56F5 FC85 C5CA 53E7 887F 84E2 2DA2

He is not a fool who gives up what he cannot keep to gain what he cannot
lose.
-Jim Elliot
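The point made in the reply above, as an added example that is not part of the original message: a byte-level model of an Ethernet/IPv4 frame before and after it crosses a router, with a source-MAC allowlist check applied to each. All MAC and IP addresses are constructed sample values, and the function names are hypothetical.

```python
import struct

def mac(s): return bytes.fromhex(s.replace(":", ""))
def ip(s): return bytes(int(o) for o in s.split("."))

def ip_checksum(hdr):
    # One's-complement sum over the ten 16-bit words of a 20-byte IPv4 header
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frame(dst_mac, src_mac, src_ip, dst_ip, ttl=64):
    # Ethernet II header + bare IPv4 header (protocol 6, no payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, 6, 0,
                      ip(src_ip), ip(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + hdr

def route(frame, router_mac, next_hop_mac):
    # Forwarding: new link header, TTL - 1, new checksum; IP addresses untouched
    hdr = bytearray(frame[14:34])
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return mac(next_hop_mac) + mac(router_mac) + frame[12:14] + bytes(hdr)

def source_mac(frame):
    return ":".join(f"{b:02x}" for b in frame[6:12])    # bytes 6..11 of the frame

def source_ip(frame):
    return ".".join(str(b) for b in frame[26:30])       # offset 12 in the IP header

def mac_filter(frame, allowed):
    # Analogous to a source-MAC match such as iptables' -m mac --mac-source
    return "ACCEPT" if source_mac(frame) in allowed else "DROP"

# Constructed sample addresses (locally administered MACs, documentation IP ranges)
HOST_A, HOST_B = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
ROUTER_FAR, ROUTER_NEAR = "02:00:00:00:01:02", "02:00:00:00:01:01"
FIREWALL = "02:00:00:00:00:fe"

# HOST_A shares the firewall's segment; HOST_B is behind the router
local = build_frame(FIREWALL, HOST_A, "192.0.2.10", "192.0.2.254")
remote = build_frame(ROUTER_FAR, HOST_B, "198.51.100.20", "192.0.2.254")
routed = route(remote, ROUTER_NEAR, FIREWALL)

if __name__ == "__main__":
    for name, f in (("local", local), ("routed", routed)):
        print(name, source_ip(f), source_mac(f), mac_filter(f, {HOST_A, HOST_B}))
```

Allowlisting HOST_B's MAC does nothing for the routed frame, and allowlisting the router's MAC instead admits every host behind it.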