Allowing access only some sites - onely some mac address

Taylor, Grant gtaylor at
Tue Aug 30 19:22:46 CEST 2005

> You may also want to consider getting arpwatch. arpwatch will tell you when a particular user changes their MAC address. MAC spoofing, while more difficult than IP spoofing, is still fairly trivial and particularly in this case where you are using a "blacklist" approach for filtering MACs. So if I'm the one with MAC 00:D8:02:D8:C8:DF and I want to get around your rules, I'll get a utility to change my MAC to something that won't trigger your firewall rule, like 10:D8:02:D8:C8:DF, which I can be sure won't collide with another MAC for quite some time.
> If the particular users you are trying to filter for aren't very technical then I wouldn't worry but after two years of being a lab assistant/server admin for a network security class I tend to be a little paranoid. =)

You are absolutely correct.  So my immediate response to this is do the exact opposite, have the MAC of the computers that are allowed to access any thing other than the sites in question.  As far as needing ARP watch to look for changes in IP, you could watch for the MAC and IP pair of allowed systems.  Sure people could still get around this but they will be breaking other things too.

Grant. . . .

More information about the netfilter mailing list