Re: Blocking machines by both Mac Address and IP address

On 10/23/10 17:19, Scott Mayo wrote:
> i.e. If MAC address 00:11:22:33:44:55 is given IP address 192.168.0.1 by DHCP then that should be the only combo that can get to the outside world. If the IP address is changed to something else or if another machine that has a different MAC address is given the IP address 192.168.0.1 statically, then in neither situation should the machine be able to get out to the world.

I would suggest that you reverse your logic a bit. Only allow the machines to access the internet if the MAC and IP address are correct. Any other combination should fail.

This is the old adage of "allow what you want and block the rest" not "block what you want and allow the rest". It is too easy to change an IP and / or MAC address to get around the filters that selectively block.



Grant. . . .
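
The allow-only approach suggested above, sketched as an added example that is not part of the original message: a shell function that turns a list of MAC/IP pairs into an `iptables-restore` ruleset with a default-drop FORWARD policy. The interface name `eth1`, the sample pairs and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: forward only allowlisted MAC+IP pairs, drop everything else.
LAN_IF="${LAN_IF:-eth1}"   # assumed name of the LAN-facing interface

# Constructed sample allowlist: one "MAC IP" pair per line.
SAMPLE_PAIRS='00:11:22:33:44:55 192.168.0.1
00:11:22:33:44:66 192.168.0.2'

valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1            # split the dotted quad into its four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Reads "MAC IP" lines on stdin and prints the ruleset. A malformed line
# aborts the build instead of producing a partial allowlist.
build_ruleset() {
    rules=''
    while read -r mac ip rest; do
        case "$mac" in ''|'#'*) continue ;; esac   # skip blanks and comments
        if [ -n "$rest" ] || ! valid_mac "$mac" || ! valid_ipv4 "$ip"; then
            echo "invalid pair: $mac $ip $rest" >&2
            return 1
        fi
        rules="${rules}-A FORWARD -i $LAN_IF -s $ip -m mac --mac-source $mac -j ACCEPT
"
    done
    printf '%s\n' '*filter' ':FORWARD DROP [0:0]'
    # Stateful shortcut for replies only: packets arriving from the LAN side
    # never take it, so every outbound packet is checked against its pair.
    printf '%s\n' "-A FORWARD ! -i $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    printf '%s' "$rules"
    printf '%s\n' 'COMMIT'
}

# Usage: printf '%s\n' "$SAMPLE_PAIRS" | build_ruleset | iptables-restore --test
```

`iptables-restore --test` parses the ruleset without committing it. Loading it for real flushes the existing filter table unless `--noflush` is given.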