how to allow by MAC
Ian Smith
smithi at nimnet.asn.au
Wed Jun 13 08:56:41 UTC 2012
On Mon, 11 Jun 2012 15:18:18 -0700, Randal L. Schwartz wrote:
> >>>>> "Bill" == Bill Yuan <bycn82 at gmail.com> writes:
> Bill> I want to create a MAC address white list. Only the machines whose MAC is
> Bill> in the white list will be allowed; all others will be blocked.
>
> Bad idea. Since (a) every MAC address that *is* allowed is transmitted
> in the clear and (b) it's trivial to spoof a MAC address.
>
> This. is. no. security.

Indeed, that's right Randal. But I got the impression from Bill's mails
that this is more likely just something inside his internal network.

> Please stop even trying.

Well I don't think learning how to use ipfw properly at layer2 is a bad
idea in itself, and I wouldn't want to discourage anyone from that.

For some years I ran a filtering transparent bridge with ipfw + dummynet
for a small network of about 20 mostly W98, XP and Mac boxes sharing one
slow ADSL gateway between various assorted community groups (talk about
herding cats! :) and MAC filtering was one of the handiest tools when
some box or other got owned (again!) by some virus and started spewing
spam, provider complains and/or cuts access .. you know the deal.

In that sort of environment, none of the punters had any clue about
forging MACs or anything vaguely like that, and it stopped people
randomly plugging boxes into the network. Horses for courses.

I replied in more detail to another from Bill privately, copy follows.

cheers, Ian