ipfw2 deep packet filtering
Chuck Swiger
cswiger at mac.com
Thu Aug 30 11:52:29 PDT 2007
On Aug 30, 2007, at 7:08 AM, Paul Bridger wrote:
> I would like to understand if it's possible to discover the real
> MAC address of a packet that has been NAT'd by another device.
No. You can only get the real MACs of devices by listening on the
same subnet that the traffic originates from; once it passes through
a router (with NAT enabled or not, doesn't matter), you only see the
MAC of the device which passed that traffic along.
> The scenario for using this would be for hosts on a wireless LAN
> that connect to a wireless router which NAT's their connection and
> then routes the packets to another LAN (across a wire) where a
> FreeBSD server performs firewall packet filtering via ipfw2. As
> all the connections from the hosts on the wireless LAN have had
> their MAC and IP addresses NAT'd to that of the wireless router, it
> is difficult to distinguish between hosts, unless some form of deep
> packet inspection could be performed to discover the true MAC
> address. Is this something that would be possible with ipfw2?
Nope. You'd need to do your firewall inspection of your wireless
router, not on the FreeBSD box.
--
-Chuck
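To make the point about the layer-2 rewrite concrete, here is an added example (not part of the thread, and not ipfw code): a small Python model of an Ethernet/IPv4 frame passing through a NAT'ing router. All MAC and IP addresses are constructed values; the model ignores TTL decrement and port translation, since only the addressing matters here.

```python
import struct

def _mac(s):
    return bytes.fromhex(s.replace(":", ""))

def _ip(s):
    return bytes(int(o) for o in s.split("."))

def ip_checksum(hdr20):
    """RFC 1071 one's-complement sum over a 20-byte IPv4 header."""
    s = sum(struct.unpack("!10H", hdr20))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def build_frame(dst_mac, src_mac, src_ip, dst_ip, payload=b""):
    """Ethernet II header + minimal IPv4 header (proto 17, no options)."""
    eth = _mac(dst_mac) + _mac(src_mac) + b"\x08\x00"
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, 17, 0, _ip(src_ip), _ip(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return eth + hdr + payload

def parse_frame(frame):
    """The addresses a downstream filter (the FreeBSD box) can actually see."""
    return {
        "dst_mac": ":".join(f"{b:02x}" for b in frame[0:6]),
        "src_mac": ":".join(f"{b:02x}" for b in frame[6:12]),
        "src_ip": ".".join(str(b) for b in frame[26:30]),
        "dst_ip": ".".join(str(b) for b in frame[30:34]),
        "payload": frame[34:],
    }

def forward_through_nat(frame, router_mac, router_wan_ip, next_hop_mac):
    """Model the wireless router: the layer-2 hop ends here, so a brand-new
    Ethernet header is written (router's MAC as source), and NAT replaces
    the source IP.  The original client's MAC is not carried anywhere."""
    p = parse_frame(frame)
    return build_frame(next_hop_mac, router_mac, router_wan_ip,
                       p["dst_ip"], p["payload"])

def what_the_firewall_sees(client_frames, router_mac, wan_ip, next_hop):
    """Return (src_mac, src_ip) per forwarded frame; all clients collapse
    to the router's own addresses, which is why ipfw cannot tell them apart."""
    out = [forward_through_nat(f, router_mac, wan_ip, next_hop) for f in client_frames]
    return [(parse_frame(f)["src_mac"], parse_frame(f)["src_ip"]) for f in out]
```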