Re: [m0n0wall] Firewall Rules by MAC Address. IS it possible?

From:	Chris Buechler <cbuechler at gmail dot com>
Cc:	"m0n0wall at lists dot m0n0 dot ch" <m0n0wall at lists dot m0n0 dot ch>
Subject:	Re: [m0n0wall] Firewall Rules by MAC Address. IS it possible?
Date:	Thu, 30 Sep 2010 21:39:27 -0400

On Thu, Sep 30, 2010 at 9:02 PM, Heinz Teichmann
<heinz dot teichmann at wanews dot com dot au> wrote:
> If it is such a big issue a proper proxy appliance would be the way to go?!?
> Or is it a cost issue? Most enterprises I worked for used proxies for that and it worked.
>

Yes that's the way to properly control such things, requiring using a
proxy with authentication for all users. But going on the theme of the
rest of this thread, you could say "but then he/she can just get
someone else's credentials!"

That's why you take the approach of not trying to come up with a
bulletproof technical solution to a people problem, which is
impossible - there are always going to be ways to get around
something. If you assign a DHCP reservation, let them know they are
not authorized for web access, and the person goes to the extent of
changing their IP and/or MAC to get around restrictions you have in
place, that's generally grounds for termination.