Hi there,

I'm not sure if I can do this with shorewall, but any pointers in the right direction would be of great help...

I need to have a LAN with access only enabled to a certain set of computers. I was planning on having the dhcp server just give IPs to certain MAC addresses, but if a smart guy configures his computer manually with a valid IP for the LAN he can get access to the LAN anyway. I need this guy NOT to access the LAN in ANY WAY unless his eth device is on the MAC list. Can this be accomplished with shorewall? If not, can somebody point me in the right direction to accomplish this?

Thanks very much in advance,
Ignacio
On Fri, 11 Mar 2005 11:53:58 +0100, Oenus Tech Services <oenustech@oenus.com> wrote:
> Hi there,

Hi

> I need to have a LAN with access only enabled to a certain set of
> computers. I was planning on having the dhcp server just give IPs to
> certain MAC addresses, but if a smart guy configures his computer
> manually with a valid IP for the LAN he can get access to the LAN
> anyway. I need this guy NOT to access the LAN in ANY WAY unless his eth
> device is on the MAC list. Can this be accomplished with shorewall?

Yes, RTM: http://www.shorewall.net/MAC_Validation.html

> If not, can somebody point me in the right direction to accomplish this?
>
> Thanks very much in advance,
>

You're welcome ;)
Hello Ignacio,

Oenus Tech Services said the following on 11-Mar-05 11:53:
> I need to have a LAN with access only enabled to a certain set of
> computers. I was planning on having the dhcp server just give IPs to
> certain MAC addresses, but if a smart guy configures his computer
> manually with a valid IP for the LAN he can get access to the LAN
> anyway. I need this guy NOT to access the LAN in ANY WAY unless his eth
> device is on the MAC list. Can this be accomplished with shorewall? If
> not, can somebody point me in the right direction to accomplish this?

Although the combination of matching on MAC & IP address is possible, it's still easily spoofable. There might be other ways: if you have a network switch that supports 802.1x (port authentication) you might be able to make it more secure. Although 802.1x is mostly used for wireless, it works in wired environments as well. It can authenticate with username & password but also with a certificate. On Windows, if you make the certificate non-exportable, just swapping the network cable and cloning the MAC & IP won't help the intruder. Stealing the certificate might be possible, but not for joe-the-average-hacker.

If you don't have 802.1x support, look at http://www.chillispot.org/, also primarily for wireless, but there is no reason this wouldn't work for wired as well.

Good luck!

-- 
Met Vriendelijke groet/Yours Sincerely
Stijn Jonker <SJCJonker@sjc.nl>
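For readers landing on this thread: the MAC validation feature pointed to in the second reply is driven by three Shorewall files. The fragment below is an added illustration, not something posted in the thread and not copied from the Shorewall documentation. It assumes the LAN sits on eth1 in zone "loc"; the MAC addresses and IPs are constructed sample values, and the column layout follows the Shorewall 2.x maclist format (DISPOSITION, INTERFACE, MAC, optional IP ADDRESSES).

```text
# /etc/shorewall/interfaces  (assumed: eth1 is the LAN side, zone "loc")
# The "maclist" option is what turns MAC checking on for this interface.
#ZONE    INTERFACE    BROADCAST    OPTIONS
loc      eth1         detect       maclist

# /etc/shorewall/maclist  (constructed sample entries)
# Filling in the IP column pins each MAC to one address, so a cloned MAC
# on the wrong IP (or the right IP on the wrong MAC) still fails the check.
#DISPOSITION    INTERFACE    MAC                  IP ADDRESSES
ACCEPT          eth1         00:11:22:33:44:55    192.168.1.10
ACCEPT          eth1         00:11:22:33:44:56    192.168.1.11
ACCEPT          eth1         00:11:22:33:44:57    192.168.1.12

# /etc/shorewall/shorewall.conf  (only the relevant settings)
# Traffic from eth1 whose MAC (or MAC/IP pair) is not listed above gets
# this disposition; logging lets you spot the "smart guy" from the question.
MACLIST_DISPOSITION=DROP
MACLIST_LOG_LEVEL=info
```

Run `shorewall check` before `shorewall restart` to catch column mistakes. Two caveats a practitioner should keep in mind, both consistent with Stijn's reply: this check only governs packets that actually reach the firewall host, so two machines on the same switch can still talk to each other directly, and a MAC/IP pair can be copied from a legitimate host with one command. It raises the bar against casual manual IP configuration; port-level enforcement of "no access in ANY WAY" needs the switch (802.1x) rather than the firewall.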