[ previous ] [ next ] [ threads ]
 From:  sylikc <sylikc at gmail dot com>
 To:  Robert Bialecki <robert at mpiwifi dot com>
 Cc:  Chris Buechler <cbuechler at gmail dot com>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] MAC Address FILTER
 Date:  Thu, 21 Oct 2004 11:03:37 -0700

m0n0 doesn't have any MAC filtering per se... but if you want to
implement some type of layer2 protection, you can make use of the
captive portal.  It's definitely not as secure though but I use it as
a workaround in one of my environments where someone could easily
hijack my ethernet line and gain access to my site2site VPN.

In my network, I set up the captive portal on the LAN.  I set MAC
address passthrough for all my trusted hosts.  You have to set this
list up manually and enter it into the pass-thru mac address section. 
(Just remember as you step through this, the captive portal wasn't
really designed for this).  Now, set up the login page as a flat HTML
with no forms and no buttons.

The idea is that anyone who opens up a browser and connects to
something will bring up m0n0's captive portal page.  Without any
buttons, there's no way to bypass that page.  However, if your
"trusted" computer is in the MAC pass-thru table, it will be allowed
through regardless.  One glitch of this seems like you NEED to open up
a web browser to start off your session for the trusted hosts.  Now, I
think I could get by that by not setting any session timeout, but I
didn't feel like keeping sessions open.  I use "keep-alive" utils on
my hosts to ensure it doesn't time out.

Now you could say that if someone created a button and posted to m0n0,
then they could get through.  I think I'll try it tonight, probably
enable it with a fake RADIUS address, making it so that noone can ever
authenticate through.  Only the MAC pass-thrus will be allowed onto
the network ;)

Have fun!


On Wed, 20 Oct 2004 20:39:07 -0400, Chris Buechler <cbuechler at gmail dot com> wrote:
> On Wed, 20 Oct 2004 14:46:49 -0600, Robert Bialecki <robert at mpiwifi dot com> wrote:
> > What is the easies way to limit access by MAC address to monowall ???
> >
> http://m0n0.ch/wall/docbook/faq-macfilt.html
> -Chris
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch