What would be the best (and most efficient) way of *only* allowing certain MAC addresses in packets arriving to an interface?

"blacklist" and "common" don't seem to be the right place... something like a dead-end chain passed before everything else, which certain MAC addresses will bypass.

I'm thinking of grepping out all the "registered" MAC addresses from my DHCP config automatically, to make wlan and empty ethernet socket hi-jacking a bit trickier. It won't stop a determined leecher, but filters out 99%+ of the normal attempts.

/magnus
On Thu, 25 Apr 2002, Magnus Stenman wrote:

> What would be the best (and most efficient) way of *only* allowing
> certain MAC addresses in packets arriving to an interface?
>
> "blacklist" and "common" don't seem to be the right place...
>
> something like a dead-end chain passed before everything else, which
> certain MAC addresses will bypass.
>
> I'm thinking of grepping out all the "registered" MAC addresses
> from my DHCP config automatically, to make wlan and empty ethernet
> socket hi-jacking a bit trickier.
>

Create /etc/shorewall/start, get out your iptables documentation and add what you think you need. You will probably want to insert the jump to your table in the mangle PREROUTING chain. Be sure to insert it before the Shorewall-generated rules.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
On Wed, 24 Apr 2002, Tom Eastep wrote:

> Create /etc/shorewall/start, get out your iptables documentation and add
> what you think you need. You will probably want to insert the jump to your
> table in the mangle PREROUTING chain.

I of course meant "jump to your chain".

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
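The recipe Tom sketches (a user chain, registered MACs bypassing it, everything else dead-ending, and the jump inserted into mangle PREROUTING ahead of Shorewall's own rules) worked out as a complete /etc/shorewall/start script. This is an added example, not code from the thread or from the Shorewall project. It assumes the wireless interface is wlan0, the DHCP server is ISC dhcpd with "host" declarations in /etc/dhcpd.conf, the iptables MAC match module (-m mac --mac-source) is available, and a chain name of "macfilter"; all four are hypothetical and adjustable. The sample dhcpd.conf it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Shorewall's code, not from the original post):
# a hypothetical /etc/shorewall/start that only lets frames from MACs
# registered in dhcpd.conf through IFACE and drops every other frame.
# The jump is inserted at position 1 of mangle PREROUTING so it runs
# ahead of the rules Shorewall generates. Interface, config path and
# chain name are assumptions; adjust them to the site.

IFACE=${IFACE:-wlan0}
DHCPD_CONF=${DHCPD_CONF:-/etc/dhcpd.conf}
CHAIN=macfilter

# Print the MACs from "hardware ethernet xx:xx:xx:xx:xx:xx;" lines, one per
# line, lower-cased and de-duplicated. Only well-formed six-octet MACs are
# accepted, so a typo in dhcpd.conf cannot silently add a bogus entry.
registered_macs() {
    sed -n 's/.*hardware[[:space:]]\{1,\}ethernet[[:space:]]\{1,\}\([0-9A-Fa-f]\{2\}\(:[0-9A-Fa-f]\{2\}\)\{5\}\)[[:space:]]*;.*/\1/p' "$1" \
        | tr 'A-F' 'a-f' | sort -u
}

# Emit the iptables commands rather than run them, so the generated rule
# set can be reviewed (or tested) without root; the caller pipes it to sh.
macfilter_rules() {
    conf=$1
    iface=$2
    echo "iptables -t mangle -N $CHAIN 2>/dev/null || true"   # idempotent on restart
    echo "iptables -t mangle -F $CHAIN"
    registered_macs "$conf" | while read -r mac; do
        # Registered MACs leave the chain (RETURN) and continue normally.
        echo "iptables -t mangle -A $CHAIN -m mac --mac-source $mac -j RETURN"
    done
    echo "iptables -t mangle -A $CHAIN -j DROP"                 # the dead end
    # Drop any jump left by a previous run, then insert ahead of Shorewall's rules.
    echo "iptables -t mangle -D PREROUTING -i $iface -j $CHAIN 2>/dev/null || true"
    echo "iptables -t mangle -I PREROUTING 1 -i $iface -j $CHAIN"
}

# Constructed sample dhcpd.conf (not from the original post) for trying the
# extraction without touching the real configuration. It mixes cases,
# repeats one MAC and includes a malformed entry that must be ignored.
write_sample_dhcpd_conf() {
    cat > "$1" <<'EOF'
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.100 192.168.1.200;
}
host laptop {
  hardware ethernet 00:0C:29:AA:BB:CC;
  fixed-address 192.168.1.10;
}
host desktop {
    hardware ethernet 00:50:56:11:22:33;  # second registered client
}
host broken { hardware ethernet 00:50:56:11:22; }   # malformed, must be ignored
host laptop-dup { hardware ethernet 00:0c:29:aa:bb:cc; }
EOF
}

# Assumption: Shorewall runs this file at "shorewall start". The live
# application is gated behind APPLY_MACFILTER=yes so the functions can also
# be exercised, or the generated commands inspected, without root.
if [ "${APPLY_MACFILTER:-no}" = yes ]; then
    macfilter_rules "$DHCPD_CONF" "$IFACE" | sh
fi
```

Run `macfilter_rules /etc/dhcpd.conf wlan0` first and read the output; only then set APPLY_MACFILTER=yes. Two caveats a practitioner should keep in mind: the DROP sits in mangle PREROUTING, before Shorewall's filter rules, so rejected frames never reach Shorewall's own logging, and the filter is exactly as weak as Magnus says, since a source MAC is trivially spoofed once a leecher has sniffed a registered one.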