I am also much interested in MAC filtering as we run WiFi infrastructure through client bridges, where bridges substitute the MAC of the host behind them with their own. Users have no chance to manipulate the final MAC address of their packets (or at least I think so :). Actually ipfw, according to the man page, could filter according to source/destination MAC. Wouldn't it be reasonable to simply advance the GUI to allow filtering according to dst-mac/src-mac?

Regards,
Arturas

-----Original Message-----
From: Adam Nellemann [mailto:adam at nellemann dot nu]
Sent: 19 May 2004 22:47
To: Michal Harajda
Cc: Dinesh Nair; m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] MAC filtering in firewall rules

Michal Harajda wrote:
> Mr. Dinesh,
>
> ok I will try this, and let u know
>
> Wednesday, May 19, 2004, 11:51:06 AM, you wrote:
>
> DN> On Wed, 19 May 2004, Michal Harajda wrote:
>
> >>> its a problem, because clients with disabled internet access use ip
> >>> addresses of not active clients with internet access. And I cannot do
> >>> anything.
>
> DN> one way of perhaps trying to do what you want to do is by using a
> DN> side-effect of the captive portal with the following steps:
>
> DN> 1. make sure the captive portal interface is not bridged
> DN> 2. turn on the captive portal on the interface
> DN> 3. when uploading a portal page, omit the accept button
> DN> 4. explicitly add the allowed mac addresses under pass-through mac
>
> DN> now only mac addresses with an explicit pass-through will be
> DN> allowed thru, but others will be thrown up the portal page (which
> DN> may contain a warning notice) without an accept button.
>
> DN> do note however that this is not a fool-proof manner because
> DN> someone could still forge a http request to m0n0wall and subvert this.
>
> DN> however, once i have added in radius support for the captive
> DN> portal, things _may_ (no promises) be different.
>
> DN> Regards,                /\_/\      "All dogs go to heaven."
> DN> dinesh at alphaque dot com  (0 0)      http://www.alphaque.com/
> DN> +==========================----oOO--(_)--OOo----==========================+
> DN> | for a in past present future; do                                        |
> DN> |   for b in clients employers associates relatives neighbours pets; do   |
> DN> |   echo "The opinions here in no way reflect the opinions of my $a $b."  |
> DN> | done; done                                                              |
> DN> +=========================================================================+

If I remember correctly (correct me if I'm wrong Dinesh?) this approach will require the clients to initiate their WAN access with a HTTP request, which may be a problem for some users (such as if they use a mailchecker or similar non-http util in their startup folder/script.)

Adam.
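As an added illustration of the ipfw MAC filtering Arturas refers to (example written for this page, not code from the m0n0wall project or from anyone in the thread), here is a POSIX sh script that turns an allow-list of MAC addresses into ipfw layer-2 rules for one interface and prints them for review instead of applying them. The interface name em0, the rule numbers and the sample addresses are assumed placeholders; as Arturas notes, the filter is only as good as the assumption that hosts cannot choose the MAC that reaches the firewall.

```shell
#!/bin/sh
# Added example: build an ipfw layer-2 allow-list from a list of MAC addresses.
# Assumptions (not from the thread): interface name, rule numbers and the
# sample addresses below are constructed placeholders.

# Normalise a MAC to lower-case colon form on stdout; fail (print nothing)
# unless it is a valid 48-bit address written as six hex octets.
normalize_mac() {
    m=$(printf '%s' "$1" | tr 'ABCDEF-' 'abcdef:')
    case "$m" in
        *[!0-9a-f:]*) return 1 ;;
    esac
    printf '%s\n' "$m" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    printf '%s\n' "$m"
}

# Read allowed MACs (one per line) from stdin and emit ipfw commands:
#   - enable layer-2 filtering (net.link.ether.ipfw)
#   - pass frames arriving on the interface whose source MAC is listed
#   - drop every other layer-2 frame arriving on that interface
#   - let IP traffic fall through to the normal layer-3 rules
# ipfw's pattern is "MAC dst-mac src-mac", so "any <mac>" matches the source.
# Invalid entries are reported as comments rather than silently dropped.
gen_mac_rules() {
    iface=$1; rule=$2
    printf 'sysctl net.link.ether.ipfw=1\n'
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        mac=$(normalize_mac "$line") || { printf '# skipped invalid MAC: %s\n' "$line"; continue; }
        printf 'ipfw add %d allow MAC any %s in via %s layer2\n' "$rule" "$mac" "$iface"
        rule=$((rule + 1))
    done
    printf 'ipfw add %d deny MAC any any in via %s layer2\n' "$rule" "$iface"
    printf 'ipfw add %d allow ip from any to any\n' "$((rule + 1))"
}

# Constructed sample allow-list: two placeholder addresses in different
# notations plus one deliberately malformed line.
SAMPLE_MACS='00:11:22:33:44:55
00-AA-BB-CC-DD-EE
not-a-mac'

# Usage: printf '%s\n' "$SAMPLE_MACS" | gen_mac_rules em0 1000
```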