[ previous ] [ next ] [ threads ]
 
 From:  "Peter Parnican" <peter at procad dot sk>
 To:  "sylikc" <sylikc at gmail dot com>, "Robert Bialecki" <robert at mpiwifi dot com>
 Cc:  "Chris Buechler" <cbuechler at gmail dot com>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] MAC Address FILTER
 Date:  Thu, 21 Oct 2004 20:15:54 +0200
...good idea! no buttons - no access :-)

Thanks for inspiration!

----- Original Message -----

> Robert,
>
> m0n0 doesn't have any MAC filtering per se... but if you want to
> implement some type of layer2 protection, you can make use of the
> captive portal.  It's definitely not as secure though but I use it as
> a workaround in one of my environments where someone could easily
> hijack my ethernet line and gain access to my site2site VPN.
>
> In my network, I set up the captive portal on the LAN.  I set MAC
> address passthrough for all my trusted hosts.  You have to set this
> list up manually and enter it into the pass-thru mac address section.
> (Just remember as you step through this, the captive portal wasn't
> really designed for this).  Now, set up the login page as a flat HTML
> with no forms and no buttons.
>
> The idea is that anyone who opens up a browser and connects to
> something will bring up m0n0's captive portal page.  Without any
> buttons, there's no way to bypass that page.  However, if your
> "trusted" computer is in the MAC pass-thru table, it will be allowed
> through regardless.  One glitch of this seems like you NEED to open up
> a web browser to start off your session for the trusted hosts.  Now, I
> think I could get by that by not setting any session timeout, but I
> didn't feel like keeping sessions open.  I use "keep-alive" utils on
> my hosts to ensure it doesn't time out.
>
> Now you could say that if someone created a button and posted to m0n0,
> then they could get through.  I think I'll try it tonight, probably
> enable it with a fake RADIUS address, making it so that noone can ever
> authenticate through.  Only the MAC pass-thrus will be allowed onto
> the network ;)
>
>
> Have fun!
>
> /sylikc
>
>
>
> On Wed, 20 Oct 2004 20:39:07 -0400, Chris Buechler <cbuechler at gmail dot com>
wrote:
> > On Wed, 20 Oct 2004 14:46:49 -0600, Robert Bialecki <robert at mpiwifi dot com>
wrote:
> > > What is the easies way to limit access by MAC address to monowall ???
> > >
> >
> > http://m0n0.ch/wall/docbook/faq-macfilt.html
> >
> > -Chris
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> > For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> >
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>