Date: Wed, 13 Jun 2012 18:56:27 +1000 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: "Randal L. Schwartz" <merlyn@stonehenge.com>
Cc: freebsd-questions@freebsd.org, Bill Yuan <bycn82@gmail.com>, "Brian W." <brian@brianwhalen.net>
Subject: Re: how to allow by MAC
Message-ID: <20120613182325.K46641@sola.nimnet.asn.au>
In-Reply-To: <863961ze51.fsf@red.stonehenge.com>
References: <20120610120041.4D0F610657C3@hub.freebsd.org>
 <20120611025332.N46641@sola.nimnet.asn.au>
 <CAC+JH2w6B7fXu6tvcJ8t1FZbPb7pFQVbSwk93r-9JRYpFy2hcw@mail.gmail.com>
 <CADV=szWbNfW-MaKi5heamPNR3qz4xiY62ynm6BgK=huPEx=K_w@mail.gmail.com>
 <CAC+JH2xcqcDR+1y6zwMQ-Jqy+zoB2MgnM+b4Nz8AMc3P-gksHw@mail.gmail.com>
 <863961ze51.fsf@red.stonehenge.com>
On Mon, 11 Jun 2012 15:18:18 -0700, Randal L. Schwartz wrote:

> >>>>> "Bill" == Bill Yuan <bycn82@gmail.com> writes:
>
> Bill> I want to create a white list of MAC addresses. Only the machine whose MAC
> Bill> is in the white list will be allowed; all others will be blocked.
>
> Bad idea. Since (a) every MAC address that *is* allowed is transmitted
> in the clear and (b) it's trivial to spoof a MAC address.
>
> This. is. no. security.

Indeed, that's right, Randal. But I got the impression from Bill's mails
that this is more likely just something inside his internal network.

> Please stop even trying.

Well, I don't think learning how to use ipfw properly at layer2 is a bad
idea in itself, and I wouldn't want to discourage anyone from that.

For some years I ran a filtering transparent bridge with ipfw + dummynet
for a small network of about 20 mostly W98, XP and Mac boxes sharing one
slow ADSL gateway between various assorted community groups (talk about
herding cats! :) and MAC filtering was one of the handiest tools when
some box or other got owned (again!) by some virus and started spewing
spam, provider complains and/or cuts access .. you know the deal.

In that sort of environment, none of the punters had any clue about
forging MACs or anything vaguely like that, and it stopped people
randomly plugging boxes into the network. Horses for courses.

I replied in more detail to another from Bill privately, copy follows.

cheers, Ian
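The kind of layer-2 whitelist Ian describes for his ipfw bridge, written out as an added example (this is not code from the thread or from Ian's own ruleset). The script generates the ipfw commands for a MAC whitelist on one bridge member interface and prints them as a dry run; setting APPLY=1 executes them. The interface name em0, the rule numbers, the two MAC addresses and the if_bridge(4) sysctl prerequisites in the comments are assumptions for illustration. Randal's objection is carried along as the caveat in the header comment: the listed addresses are visible on the wire and any client can adopt one with ifconfig, so the filter keeps casual boxes off a trusted LAN and authenticates nothing.

```shell
#!/bin/sh
# Added example, not code from the thread: generate (and optionally apply) an
# ipfw layer-2 MAC whitelist for a filtering bridge. The interface em0, the
# rule numbers and all MAC addresses below are made up for illustration.
#
# Assumed prerequisites for an if_bridge(4) setup (not shown here):
#   sysctl net.link.ether.ipfw=1     # hand frames to ipfw at layer 2
#   sysctl net.link.bridge.ipfw=1    # let ipfw see frames crossing the bridge
#
# Caveat (Randal's point): the allowed MACs are visible on the wire, and a
# client can copy one with "ifconfig em0 ether 00:11:22:33:44:55". This keeps
# random boxes off a trusted LAN; it is not authentication.

: "${IPFW:=/sbin/ipfw}"   # path to ipfw; only executed when APPLY=1
: "${APPLY:=0}"           # 0 = print the rules (dry run), 1 = run them

# is_mac ADDR: succeed only for a colon-separated 48-bit address.
is_mac() {
    hx='[0-9A-Fa-f][0-9A-Fa-f]'
    case "$1" in
        $hx:$hx:$hx:$hx:$hx:$hx) return 0 ;;
        *) return 1 ;;
    esac
}

# gen_rules LAN_IF MAC...: print the ipfw commands for the whitelist.
# ipfw's "MAC dst src" option takes the destination first, so "MAC any $mac"
# matches frames whose *source* MAC is $mac. Frames from listed hosts that
# arrive on LAN_IF pass; any other frame arriving on LAN_IF is dropped.
gen_rules() {
    lan_if=$1; shift
    [ $# -gt 0 ] || { echo "gen_rules: empty whitelist" >&2; return 1; }
    n=1000
    for mac in "$@"; do
        is_mac "$mac" || { echo "gen_rules: bad MAC '$mac'" >&2; return 1; }
        echo "$IPFW add $n allow MAC any $mac layer2 in via $lan_if"
        n=$((n + 10))
    done
    echo "$IPFW add 1990 deny MAC any any layer2 in via $lan_if"
    # Frames arriving on the gateway side, and frames the bridge sends out,
    # are not MAC-filtered.
    echo "$IPFW add 2000 allow all from any to any layer2"
    # With net.link.ether.ipfw=1 the same packets come past ipfw a second
    # time without the layer2 flag; this is where layer-3 policy would go.
    echo "$IPFW add 2010 allow ip from any to any"
}

# Constructed whitelist: two LAN hosts on em0.
if [ "$APPLY" = 1 ]; then
    gen_rules em0 00:11:22:33:44:55 00:aa:bb:cc:dd:ee | sh -e
else
    gen_rules em0 00:11:22:33:44:55 00:aa:bb:cc:dd:ee
fi
```

Run it once without APPLY to read the generated rules, then `ipfw list` after applying to confirm the deny rule sits below every allow and above the general layer-2 pass; a whitelist entry that falls after rule 1990 never matches. The address check is there because ipfw rejects a malformed MAC at load time, which on an rc.firewall script means the rest of the ruleset never loads.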
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20120613182325.K46641>