From owner-freebsd-questions@FreeBSD.ORG Sun Jun 17 15:39:21 2012
From: Bill Yuan
To: Ian Smith
Cc: freebsd-questions@freebsd.org, "Brian W.", "Randal L. Schwartz"
Date: Sun, 17 Jun 2012 23:39:14 +0800
Subject: Re: how to allow by MAC
In-Reply-To: <20120613182325.K46641@sola.nimnet.asn.au>
List-Id: User questions

On Wed, Jun 13, 2012 at 4:56 PM, Ian Smith wrote:
> On Mon, 11 Jun 2012 15:18:18 -0700, Randal L. Schwartz wrote:
> > >>>>> "Bill" == Bill Yuan writes:
> > Bill> I want to create a white list MAC address. Only the machine whose MAC
> > Bill> is in the white list will be allowed, all others will be blocked.
> >
> > Bad idea. Since (a) every MAC address that *is* allowed is transmitted
> > in the clear and (b) it's trivial to spoof a MAC address.
> >
> > This. is. no. security.
>
> Indeed, that's right Randal. But I got the impression from Bill's mails
> that this is more likely just something inside his internal network.

Filtering by MAC is not secure, I agree, but it is at least secure enough for an
internal network. And I am quite sure what I want to achieve. I really want to
know how to FILTER BY MAC.

> > Please stop even trying.
>
> Well I don't think learning how to use ipfw properly at layer2 is a bad
> idea in itself, and I wouldn't want to discourage anyone from that.
>
> For some years I ran a filtering transparent bridge with ipfw + dummynet
> for a small network of about 20 mostly W98, XP and Mac boxes sharing one
> slow ADSL gateway between various assorted community groups (talk about
> herding cats! :) and MAC filtering was one of the handiest tools when
> some box or other got owned (again!) by some virus and started spewing
> spam, provider complains and/or cuts access .. you know the deal.
>
> In that sort of environment, none of the punters had any clue about
> forging MACs or anything vaguely like that, and it stopped people
> randomly plugging boxes into the network. Horses for courses.
>
> I replied in more detail to another from Bill privately, copy follows.

Thanks. I saw your email already, very helpful. I will continue to try in that
way, and share with all here in the future. :)

cheers, Ian
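The layer-2 allow-list Bill is asking about, written out as an added example that is not from this thread and not FreeBSD project code: a POSIX sh script that builds (and, on a FreeBSD box, loads) the ipfw rules for one interface. The interface name em0, the rule numbers starting at 100 and the MAC addresses are assumptions made up for the example; the rule syntax follows ipfw(8), where the MAC option takes the destination address first and the source second, and the layer2 keyword limits a rule to frames seen at the Ethernet layer.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: build an ipfw
# layer-2 MAC allow-list for one interface. The interface name, the rule
# numbers and the sample MAC addresses are made-up assumptions. Rule syntax
# per ipfw(8): "MAC dst-mac src-mac" (destination first, source second);
# "layer2" restricts a rule to frames passed to ipfw at the Ethernet layer.

# Without this sysctl ipfw never sees frames at layer 2, so MAC rules
# silently match nothing (for an if_bridge member use net.link.bridge.ipfw).
IPFW_L2_SYSCTL="net.link.ether.ipfw=1"

# valid_mac MAC: succeed only for six colon-separated hex octets, so that a
# typo in the whitelist cannot turn into a rule matching the wrong thing.
valid_mac() {
    h='[0-9A-Fa-f][0-9A-Fa-f]'
    case "$1" in
        $h:$h:$h:$h:$h:$h) return 0 ;;
        *) return 1 ;;
    esac
}

# build_mac_allow_rules IFACE FIRST_RULE_NUMBER MAC...
# Prints one "add ..." command per line, in the order they must be loaded.
# Prints nothing and returns 1 if any MAC is malformed.
build_mac_allow_rules() {
    iface=$1
    num=$2
    shift 2
    for m in "$@"; do
        valid_mac "$m" || { echo "build_mac_allow_rules: bad MAC '$m'" >&2; return 1; }
    done
    for m in "$@"; do
        # Frames whose *source* MAC is listed may enter via the interface.
        lc=$(printf '%s' "$m" | tr 'A-F' 'a-f')
        printf 'add %d allow MAC any %s in via %s layer2\n' "$num" "$lc" "$iface"
        num=$((num + 1))
    done
    # Every other frame entering via the interface is dropped at layer 2.
    printf 'add %d deny MAC any any in via %s layer2\n' "$num" "$iface"
    # A permitted frame is presented to ipfw again as an IP packet (and
    # outbound frames are seen at layer 2 too); let those pass so that only
    # the MAC rules above decide. "ip" means any protocol, as in rule 65535.
    printf 'add %d allow ip from any to any\n' "$((num + 1))"
}

# apply_rules IFACE FIRST_RULE_NUMBER MAC...: load the rules with ipfw(8),
# or just print them when ipfw is not available (e.g. on a non-FreeBSD box).
apply_rules() {
    rules=$(build_mac_allow_rules "$@") || return 1
    if command -v ipfw >/dev/null 2>&1; then
        sysctl "$IPFW_L2_SYSCTL" >/dev/null
        printf '%s\n' "$rules" | while read -r line; do
            # word-splitting the rule into ipfw arguments is intended here
            ipfw -q $line
        done
    else
        printf '%s\n' "$rules"
    fi
}

# Usage: sh mac_allow.sh em0 00:11:22:33:44:55 aa:bb:cc:dd:ee:ff
if [ "$#" -ge 2 ]; then
    iface=$1
    shift
    apply_rules "$iface" 100 "$@"
fi
```

The rules only filter frames entering via the named interface, so every host that must talk in through it (including a gateway or DHCP server on that segment) has to be listed, and a missing entry shows up as that host being unable even to ARP. After loading, `sysctl net.link.ether.ipfw` should read 1 and `ipfw show` should display counters climbing on the allow rules rather than on the deny. Randal's point stands: the list is only a convenience against unlisted boxes being plugged in, since a source MAC is trivially forged.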