Date: Thu, 30 Aug 2007 11:33:50 -0700
From: Chuck Swiger <cswiger@mac.com>
To: paul@wilorc.co.uk
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw2 deep packet filtering
Message-ID: <F4C586D9-C6D8-4852-98AF-F77116590E62@mac.com>
In-Reply-To: <46D6CF7A.9080502@wilorc.co.uk>
References: <46D6CF7A.9080502@wilorc.co.uk>

On Aug 30, 2007, at 7:08 AM, Paul Bridger wrote:
> I would like to understand if it's possible to discover the real
> MAC address of a packet that has been NAT'd by another device.

No. You can only get the real MACs of devices by listening on the
same subnet that the traffic originates from; once it passes through
a router (with NAT enabled or not, doesn't matter), you only see the
MAC of the device which passed that traffic along.

> The scenario for using this would be for hosts on a wireless LAN
> that connect to a wireless router which NAT's their connection and
> then routes the packets to another LAN (across a wire) where a
> FreeBSD server performs firewall packet filtering via ipfw2. As
> all the connections from the hosts on the wireless LAN have had
> their MAC and IP addresses NAT'd to that of the wireless router, it
> is difficult to distinguish between hosts, unless some form of deep
> packet inspection could be performed to discover the true MAC
> address. Is this something that would be possible with ipfw2?

Nope. You'd need to do your firewall inspection of your wireless
router, not on the FreeBSD box.

-- 
-Chuck
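
The behaviour described in the reply above, as an added example that is not part of the original message: a byte-level model of one router hop, showing that the Ethernet header is replaced whether or not NAT is enabled, so a filter behind the router has no original MAC to inspect. All MAC and IP addresses are constructed, and the function names are hypothetical.

```python
import socket
import struct

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def ip_checksum(header):
    # RFC 1071 ones' complement sum over the 20-byte IPv4 header.
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frame(dst_mac, src_mac, src_ip, dst_ip, ttl=64):
    # Ethernet II header + bare IPv4 header (no payload; enough for the demo).
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, 6, 0,
                               socket.inet_aton(src_ip), socket.inet_aton(dst_ip)))
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + bytes(ip)

def route(frame, egress_mac, next_hop_mac, nat_ip=None):
    # A router discards the received Ethernet header and writes a new one.
    # NAT, if enabled, additionally rewrites the IP source address.
    ip = bytearray(frame[14:34])
    ip[8] -= 1                                   # decrement TTL
    if nat_ip:
        ip[12:16] = socket.inet_aton(nat_ip)
    ip[10:12] = b"\x00\x00"                      # zero checksum before recomputing
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))
    return mac(next_hop_mac) + mac(egress_mac) + b"\x08\x00" + bytes(ip)

def seen_by_firewall(frame):
    # All a filter downstream of the router can read: source MAC and source IP.
    return frame[6:12].hex(":"), socket.inet_ntoa(frame[26:30])

# Constructed addresses (locally administered MACs, RFC 1918 IPs).
HOSTS = {"02:00:00:00:00:0a": "192.168.1.10", "02:00:00:00:00:0b": "192.168.1.11"}
ROUTER_LAN, ROUTER_WAN = "02:00:00:00:01:01", "02:00:00:00:01:02"
FIREWALL_MAC, FIREWALL_IP = "02:00:00:00:02:01", "10.0.0.1"

def demo(nat_ip=None):
    views = []
    for host_mac, host_ip in HOSTS.items():
        frame = build_frame(ROUTER_LAN, host_mac, host_ip, FIREWALL_IP)
        views.append(seen_by_firewall(route(frame, ROUTER_WAN, FIREWALL_MAC, nat_ip)))
    return views

if __name__ == "__main__":
    print("NAT:   ", demo(nat_ip="10.0.0.2"))
    print("no NAT:", demo())
```

Without NAT the two hosts remain distinguishable by source IP only; with NAT both fields collapse to the router's values, which is why per-host filtering has to happen on the wireless router itself.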
