Allowing access only some sites - only some mac address

Derick Anderson danderson at vikus.com
Tue Aug 30 22:10:34 CEST 2005

> -----Original Message-----
> From: netfilter-bounces at lists.netfilter.org 
> [mailto:netfilter-bounces at lists.netfilter.org] On Behalf Of 
> Taylor, Grant
> Sent: Tuesday, August 30, 2005 1:23 PM
> To: netfilter at lists.netfilter.org
> Subject: Re: Allowing access only some sites - only some mac address
> 
> > You may also want to consider getting arpwatch. arpwatch 
> > will tell you when a particular user changes their MAC 
> > address. MAC spoofing, while more difficult than IP spoofing, 
> > is still fairly trivial and particularly in this case where 
> > you are using a "blacklist" approach for filtering MACs. So 
> > if I'm the one with MAC 00:D8:02:D8:C8:DF and I want to get 
> > around your rules, I'll get a utility to change my MAC to 
> > something that won't trigger your firewall rule, like 
> > 10:D8:02:D8:C8:DF, which I can be sure won't collide with 
> > another MAC for quite some time.
> > 
> > If the particular users you are trying to filter for aren't very 
> > technical then I wouldn't worry but after two years of being a lab 
> > assistant/server admin for a network security class I tend to be a 
> > little paranoid. =)
> 
> You are absolutely correct.  So my immediate response to this 
> is do the exact opposite: have the MAC of the computers that 
> are allowed to access anything other than the sites in 
> question.  As far as needing arpwatch to look for changes in 
> IP, you could watch for the MAC and IP pair of allowed 
> systems.  Sure, people could still get around this, but they 
> will be breaking other things too.
> 
> Grant. . . .

Yes, that is the best way to do things. The university I graduated from
implemented whitelist MAC-based network access very effectively and
would kill your port if you tried getting around it. Having managed
switches helped quite a bit.

Derick
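As an added example (not code from either poster), here is what the two approaches discussed above look like as netfilter rules on a Linux gateway: the "blacklist" form that a MAC change walks straight past, beside the "whitelist" form Grant describes, where only listed MAC+IP pairs may leave the restricted set of sites. The interface name, the client addresses and the "allowed sites" are assumed values for illustration. By default the script only prints the iptables commands (a dry run); set IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example, not from the original thread. Demonstrates MAC-based
# filtering in the FORWARD chain of a Linux gateway, weak form and strong form.
# IPT defaults to a dry run that prints the commands; IPT=iptables applies them.
IPT="${IPT:-echo iptables}"

LAN_IF="eth1"                                  # assumed: interface facing the clients
ALLOWED_SITES="198.51.100.10 198.51.100.20"    # assumed: the sites everyone may reach

# Weak form (blacklist): one named MAC may reach only the allowed sites,
# everyone else is unrestricted. A user who changes their MAC address no
# longer matches the --mac-source rules and falls through to the final ACCEPT.
blacklist_rules() {
    banned_mac="$1"
    for site in $ALLOWED_SITES; do
        $IPT -A FORWARD -i "$LAN_IF" -m mac --mac-source "$banned_mac" -d "$site" -j ACCEPT
    done
    $IPT -A FORWARD -i "$LAN_IF" -m mac --mac-source "$banned_mac" -j DROP
    $IPT -A FORWARD -i "$LAN_IF" -j ACCEPT
}

# Strong form (whitelist): default policy DROP, everyone may reach the allowed
# sites, and only the listed MAC+IP pairs may go anywhere else. Matching on the
# pair means a spoofer must take both a listed MAC and its IP, which collides
# with the real host and is exactly what arpwatch-style monitoring notices.
# Arguments are "mac=ip" pairs, e.g. 00:D8:02:D8:C8:DF=192.168.1.10
whitelist_rules() {
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for site in $ALLOWED_SITES; do
        $IPT -A FORWARD -i "$LAN_IF" -d "$site" -j ACCEPT
    done
    for pair in "$@"; do
        mac="${pair%%=*}"
        ip="${pair#*=}"
        $IPT -A FORWARD -i "$LAN_IF" -m mac --mac-source "$mac" -s "$ip" -j ACCEPT
    done
    # Log what the default DROP policy is about to discard.
    $IPT -A FORWARD -i "$LAN_IF" -j LOG --log-prefix "mac-whitelist-drop: "
}

# Example invocation with two assumed client machines that are unrestricted;
# every other host on the LAN can only reach ALLOWED_SITES.
whitelist_rules 00:D8:02:D8:C8:DF=192.168.1.10 00:11:22:33:44:55=192.168.1.11
```

Two caveats a practitioner should keep in mind: `--mac-source` only sees the MAC of the last hop, so the rules belong on the gateway directly attached to the client segment (and the mac match is not available in the OUTPUT or POSTROUTING chains); and listing the allowed sites by address rather than hostname avoids resolving DNS once at rule-load time and silently allowing a stale address afterwards. The whitelist still does not stop a determined user who also clones a listed IP, but as Grant notes, that breaks the legitimate host and shows up immediately in a MAC/IP pair watch.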
