Re[2]: [m0n0wall] MAC filtering in firewall rules

From:	Dinesh Nair <dinesh at alphaque dot com>
To:	Michal Harajda <root at unlockers dot sk>
Cc:	m0n0wall at lists dot m0n0 dot ch
Subject:	Re[2]: [m0n0wall] MAC filtering in firewall rules
Date:	Wed, 19 May 2004 17:51:06 +0800 (MYT)

On Wed, 19 May 2004, Michal Harajda wrote:

> its a problem, because clients with disabled internet access use ip
> addresses of not active clients with internet access. And I cannot do
> anything.

one way of perhaps trying to do what you want to do is by using a
side-effect of the captive portal with the following steps:

1. make sure the captive portal interface is not bridged
2. turn on the captive portal on the interface
3. when uploading a portal page, omit the accept button
4. explicitly add the allowed mac addresses under pass-through mac

now only mac addresses with an explicit pass-through will be allowed thru,
but others will be thrown up the portal page (which may contain a warning
notice) without an accept button.

do note however that this is not a fool-proof manner because someone could
still forge a http request to m0n0wall and subvert this.

however, once i have added in radius support for the captive portal,
things _may_ (no promises) be different.

Regards,                           /\_/\   "All dogs go to heaven."
dinesh at alphaque dot com                (0 0)    http://www.alphaque.com/
+==========================----oOO--(_)--OOo----==========================+
| for a in past present future; do                                        |
|   for b in clients employers associates relatives neighbours pets; do   |
|   echo "The opinions here in no way reflect the opinions of my $a $b."  |
| done; done                                                              |
+=========================================================================+