> If you were considering the ability to allow DNS names in rulesets,
> would the use of (optional) permitted MAC addresses per
> domain name decrease the security risk or just be an increase in the
> configuration overheads with no real advantage?
It wouldn't do much for you. The only upstream MAC address your
firewall sees (on the WAN port) is whatever router passes the traffic to
it. If that router is 00 DE AD BE EF 00, that is the only MAC address
you could really filter on. I suppose if you're on some sort of shared
medium like cable, you might want to filter out other stuff on the
"cable LAN," but dropping IP will do that just fine...
Unless my caffeine isn't working yet and my knowledge of IP networking
has totally gone down the toilet this morning. ;)
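An added illustration of the point made in the reply above (this is example code written for this page, not something posted in the thread): a toy model of a frame crossing two routers on its way to the firewall's WAN port. Each router hop replaces the Ethernet header, so by the time the frame reaches the firewall the source MAC is always that of the last upstream router, while the IP header survives end to end. The only MAC the reply mentions, 00 DE AD BE EF 00, is reused as that upstream router; every other MAC and IP, the router names, and the shared-segment "neighbor" case are constructed sample values.

```python
"""Added example (not from the original thread): why a per-domain "permitted MAC"
rule on a firewall's WAN port cannot distinguish remote hosts.

The Ethernet header is link-local and rewritten at every router hop; the IP header
is not. Addresses below are constructed sample values except 00:de:ad:be:ef:00,
which is the upstream-router MAC from the reply.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


@dataclass(frozen=True)
class Router:
    name: str
    in_mac: str   # interface that receives the frame
    out_mac: str  # interface that forwards it toward the firewall


FIREWALL_WAN_MAC = "02:00:00:00:00:f1"   # constructed
UPSTREAM_MAC = "00:de:ad:be:ef:00"       # the router MAC used in the reply
FIREWALL_IP = "192.0.2.1"                # constructed (RFC 5737 documentation range)


def forward(frame: Frame, path: list[Router], final_mac: str) -> Frame:
    """Carry a frame hop by hop. Each router checks the frame is addressed to its
    receiving interface, then rewrites ONLY the Ethernet header: its own outgoing
    MAC becomes the source, the next hop's MAC the destination. IPs are untouched."""
    for i, hop in enumerate(path):
        if frame.dst_mac != hop.in_mac:
            raise ValueError(f"{hop.name}: frame not addressed to this interface, dropped at L2")
        next_mac = path[i + 1].in_mac if i + 1 < len(path) else final_mac
        frame = replace(frame, src_mac=hop.out_mac, dst_mac=next_mac)
    return frame


# Constructed topology: two remote hosts behind R1 -> R2 -> firewall WAN,
# plus one "neighbor" that shares the firewall's WAN segment (the cable-LAN case).
R1 = Router("R1", in_mac="02:10:00:00:00:01", out_mac="02:10:00:00:00:02")
R2 = Router("R2", in_mac="02:20:00:00:00:01", out_mac=UPSTREAM_MAC)
PATH = [R1, R2]

HOST_A = ("02:aa:aa:aa:aa:01", "203.0.113.10")
HOST_B = ("02:bb:bb:bb:bb:02", "198.51.100.7")
NEIGHBOR = ("02:cc:cc:cc:cc:03", "192.0.2.55")


def arrivals_at_wan() -> dict[str, Frame]:
    """What the firewall's WAN port actually receives from each sender."""
    out = {}
    for name, (mac, ip) in (("host_a", HOST_A), ("host_b", HOST_B)):
        sent = Frame(src_mac=mac, dst_mac=R1.in_mac, src_ip=ip, dst_ip=FIREWALL_IP)
        out[name] = forward(sent, PATH, FIREWALL_WAN_MAC)
    # Neighbor on the same shared medium: no router in between, so no rewrite.
    mac, ip = NEIGHBOR
    out["neighbor"] = forward(Frame(mac, FIREWALL_WAN_MAC, ip, FIREWALL_IP), [], FIREWALL_WAN_MAC)
    return out


def mac_filter(frame: Frame, permitted_macs: set[str]) -> str:
    """A per-domain 'permitted source MAC' rule as proposed in the question."""
    return "ACCEPT" if frame.src_mac in permitted_macs else "DROP"


def ip_filter(frame: Frame, blocked_ips: set[str]) -> str:
    """An ordinary source-IP deny rule."""
    return "DROP" if frame.src_ip in blocked_ips else "ACCEPT"


if __name__ == "__main__":
    seen = arrivals_at_wan()
    for who, fr in seen.items():
        print(f"{who:8s} src_mac={fr.src_mac}  src_ip={fr.src_ip}")
    # Both routed hosts arrive with the same MAC (R2's), so permitting it admits
    # everyone behind R2; only the IP rule can tell host_b from host_a.
    print("mac rule on host_b:", mac_filter(seen["host_b"], {UPSTREAM_MAC}))
    print("ip rule on host_b: ", ip_filter(seen["host_b"], {HOST_B[1]}))
```

The `neighbor` case is the one exception the reply allows for: on a shared segment with no router in between, the sender's own MAC does reach the WAN port, but as the reply notes, a plain IP drop handles that traffic just as well.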