 From:  "Braden McGrath" <braden at big dash geek dot net>
 To:  "Dave Evans" <dave dot whangarei at gmail dot com>, "Peter Allgeyer" <allgeyer at web dot de>
 Cc:  "Monowall List" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] How to track a changing external IP to access the webGUI
 Date:  Tue, 19 Jul 2005 09:33:20 -0400
> If you were considering the ability to allow DNS names in rulesets,
> would the use of (optional) permitted MAC addresses per
> domain name decrease the security risk or just be an increase in the
> configuration overheads with no real advantage?

It wouldn't do much for you.  The only upstream MAC address your
firewall sees (on the WAN port) is whatever router passes the traffic to
it.  If that router is 00 DE AD BE EF 00, that is the only MAC address
you could really filter on.  I suppose if you're on some sort of shared
medium like cable, you might want to filter out other stuff on the
"cable LAN," but dropping IP will do that just fine...

Unless my caffeine isn't working yet and my knowledge of IP networking
has totally gone down the toilet this morning.  ;)
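As an added illustration of the point made above (example code, not part of the thread or of m0n0wall itself): the script builds a few raw Ethernet/IPv4 frames the way a WAN port would receive them and shows that every routed host arrives behind the upstream router's source MAC, so a MAC allow-list cannot tell the admin's dynamic-DNS host apart from any other remote address, while a source-IP rule can. All frames and addresses are constructed (RFC 5737 documentation ranges); the gateway MAC is the one quoted in the message, and the firewall's own MAC/IP and the cable-segment neighbour are hypothetical.

```python
"""Added example: why per-rule MAC filtering on a WAN port adds nothing.
All traffic below is constructed; nothing is captured from a real network."""
import struct
import ipaddress
from collections import defaultdict

GATEWAY_MAC = "00:de:ad:be:ef:00"   # upstream router MAC, as quoted in the message
FIREWALL_MAC = "00:11:22:33:44:55"  # hypothetical WAN interface MAC
FIREWALL_IP = "192.0.2.1"           # hypothetical WAN IP (documentation range)
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(src_mac: str, src_ip: str, dst_mac: str = FIREWALL_MAC,
                dst_ip: str = FIREWALL_IP) -> bytes:
    """Minimal Ethernet II header + 20-byte IPv4 header (no payload, checksum 0)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip


def parse_frame(frame: bytes):
    """Return (src_mac, src_ip, dst_ip) for an IPv4 frame, or None otherwise."""
    if len(frame) < 34:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    src_mac = mac_str(frame[6:12])                      # Ethernet source
    src_ip = str(ipaddress.IPv4Address(frame[26:30]))   # IPv4 source (offset 14+12)
    dst_ip = str(ipaddress.IPv4Address(frame[30:34]))   # IPv4 destination
    return src_mac, src_ip, dst_ip


# Constructed traffic arriving on the WAN port:
#  - the admin's box (what the dynamic DNS name would resolve to), routed to us
#  - an unrelated Internet host, also routed to us, so same source MAC
#  - a neighbour on a shared cable segment, which does carry its own MAC
ADMIN_IP = "203.0.113.10"
OTHER_IP = "198.51.100.7"
NEIGHBOUR_IP = "192.0.2.55"
NEIGHBOUR_MAC = "00:aa:bb:cc:dd:ee"   # hypothetical

WAN_FRAMES = [
    build_frame(GATEWAY_MAC, ADMIN_IP),
    build_frame(GATEWAY_MAC, OTHER_IP),
    build_frame(NEIGHBOUR_MAC, NEIGHBOUR_IP),
]


def hosts_behind_mac(frames):
    """Map each source MAC to the set of source IPs seen behind it."""
    seen = defaultdict(set)
    for f in frames:
        parsed = parse_frame(f)
        if parsed:
            src_mac, src_ip, _ = parsed
            seen[src_mac].add(src_ip)
    return dict(seen)


def allowed_by_mac(frame: bytes, allowed_macs) -> bool:
    parsed = parse_frame(frame)
    return parsed is not None and parsed[0] in allowed_macs


def allowed_by_ip(frame: bytes, allowed_ips) -> bool:
    parsed = parse_frame(frame)
    return parsed is not None and parsed[1] in allowed_ips


def admitted_sources(frames, rule):
    """Source IPs the given rule would let through, sorted for stable output."""
    return sorted(parse_frame(f)[1] for f in frames if rule(f))


if __name__ == "__main__":
    print("IPs seen behind each source MAC:", hosts_behind_mac(WAN_FRAMES))
    print("MAC rule (gateway MAC) admits:",
          admitted_sources(WAN_FRAMES, lambda f: allowed_by_mac(f, {GATEWAY_MAC})))
    print("IP rule (admin IP) admits:",
          admitted_sources(WAN_FRAMES, lambda f: allowed_by_ip(f, {ADMIN_IP})))
```

Running it shows both routed hosts grouped under the gateway MAC, the MAC rule admitting both of them, and the IP rule admitting only the admin's address while also dropping the cable-segment neighbour without any MAC rule at all.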