MAC filter on server

I want to use a MAC address filter to allow only approved users to access an FTP server (Linux).

The configuration is

me -- BEFSR41 (NAT and DHCP) -- ATA (w. NAT) -- CABLE MODEM ----

---- BEFSR41 (MAC filter?) -- #1 Bridge #2 -- SWITCH -- FTP server

"Bridge" is a PC with Win XP Pro SP2 and two NICs (#1: 10/100, #2: 10/100/1000)

Can this be done?

Reply to
Rick Merrill

MAC addresses are not preserved through IP routing, and are not preserved through IPSec IP.

If the MACs you want to filter on are the ones at "me", then in order to have them reach "MAC filter", you would have to use a Layer 2 VPN, which is not available on the BEFSR41 itself.

Reply to
Walter Roberson

Thank you, that's what I needed to know (and feared).

Is there any way to do an IP filter? (short of a VPN which I fear would require changes at the end user (me and a few others).

Reply to
Rick Merrill

Do you all have static IP addresses? I note you have a cable modem in the mix; in these parts, unless you pay extra, you do not receive a static IP on residential broadband connections. (The cable IPs here don't change all that often, but do change; the DSL connections here change IPs at least once a week.)

I don't know what the filtering capabilities of the BEFSR41 are. The filters on the BEFVP41 have to do with blocking -outgoing- access; if I recall correctly the filters on the BEFW11S4 are very similar (I don't have mine plugged in right at the moment.) My understanding is that the BEFSR41 is very similar to the BEFW11S4 except with no wireless.

The easiest place to put in the IP filters would likely be the FTP server... but first you have to be sure that the IPs aren't going to vary (and that there isn't any legitimate reason to reach the FTP server when, for example, you are visiting your folks for the holidays.)

Reply to
Walter Roberson

True, we have "dynamic" IP addresses, but mine has not changed in 6 months and since our region is not in active buildout further changes are unanticipated - we'll just cross that bridge when we come to it. No, there's no need to access the server from Aunt Nettie's house.

Unfortunately the Linux server is '3rd party' and inaccessible, at least not without voiding the warranty :-) or should that be :-{ Now maybe someone can tell me how to block IP with Linux ...

Can any router or firewall block IP addresses for incoming traffic?

Reply to
Rick Merrill

Well, the better ones.

I was going to say that "any firewall can do it", but these days what are sold as "firewalls" to the consumer are not necessarily very configurable.

Selective service by IP is very common in real firewalls, and not uncommon in real routers. For example, as best I recall, it can be done with all of the routers sold under the Cisco brand name (except perhaps some of the early SOHO series); I am not familiar with the newer Linksys-branded Cisco devices to know if any of them support it.

Reply to
Walter Roberson

I see I deluded myself about the Linksys capabilities. Thanks for putting me straight!

I "spoke with" the Indian/Pakistani at the Linksys/Cisco support group and he said I could block IP, but now I see that there was a misunderstanding of which direction I was talking about!

Is there any s/w that could run on the "bridge" above that could block all traffic that did not match a list of IP addresses?

Reply to
Rick Merrill

Not without major pains, and it would be rather pointless anyway, because MAC addresses can be spoofed most easily. If you want to approve users: use proper authentication.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

[Where Bridge is a Windows XP PC with two NICs]

How did you configure bridging on the XP? The most natural way to configure that connection would be to use routing instead of bridging. The way to configure bridging on XP doesn't spring to my mind at the moment.

You could possibly use something as simple as Windows XP Firewall.

The way to put on ip filters on Linux depends on the Linux version, I believe. These pages might help:

formatting link

Reply to
Walter Roberson
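An added example, not code from this thread: Walter's two suggestions above (put the IP filters on the FTP server itself, and do it with the Linux host's own packet filter) carried out with iptables. It assumes the FTP daemon listens on TCP/21 on the Linux box, the approved client addresses are constructed TEST-NET values, and `IPT` defaults to `echo iptables` so the rules are printed rather than applied; on the real server you would run it as root with `IPT=iptables` and have the `nf_conntrack_ftp` module loaded.

```shell
#!/bin/sh
# Added example, not from the thread: inbound IP allowlist for an FTP server,
# installed on the Linux host with iptables. ALLOWED holds constructed sample
# addresses (TEST-NET ranges); IPT defaults to a dry run that prints the rules.
IPT="${IPT:-echo iptables}"
ALLOWED="${ALLOWED:-203.0.113.10 203.0.113.11 198.51.100.0/24}"

ftp_allowlist_rules() {
    # A dedicated chain keeps the policy readable and easy to flush/reload.
    $IPT -N FTP_ALLOW 2>/dev/null
    $IPT -F FTP_ALLOW
    for src in $ALLOWED; do
        $IPT -A FTP_ALLOW -s "$src" -j ACCEPT
    done
    # Default deny at the end of the chain, logged with a rate limit so a
    # port scan cannot fill the log.
    $IPT -A FTP_ALLOW -m limit --limit 5/min -j LOG --log-prefix "FTP-DENY: "
    $IPT -A FTP_ALLOW -j DROP

    # FTP opens a second (data) connection on an ephemeral port. The ftp
    # conntrack helper (module nf_conntrack_ftp) tracks it so it is accepted
    # as RELATED instead of opening a whole port range; kernels 4.7 and later
    # no longer assign helpers automatically, hence the explicit raw-table rule.
    $IPT -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Only NEW control connections to port 21 are checked against the list;
    # everything from an unlisted source falls through to the DROP above.
    $IPT -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j FTP_ALLOW
}

ftp_allowlist_rules
```

The caveats from the thread still apply: the listed addresses are dynamic cable-modem leases, so the list has to be edited when one changes, and an address on the list proves only that a packet claims to come from it, not who is at the keyboard.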

And I've learned that MAC addresses do not get routed over the internet.

How do you authenticate an IP address (the only id of the source) that is simpler than using an IP filter?

Reply to
Rick Merrill

formatting link
Yours, VB.

Reply to
Volker Birk

Good ol' 802.1 ... let me rephrase my question: is there any software that implements this?

Reply to
Rick Merrill

Yes. There are, for example, Cisco clients... if you were using a Cisco VPN server.

The following might be of assistance:

formatting link
IEEE 802.1x Authentication Client in Microsoft Windows for Wireless and Wired Networks

I suspect you will find that setting this all up is a lot more trouble than the alternatives.

Reply to
Walter Roberson

Yes, lots of hardware and software do implement this. Perhaps you want to try a search engine.

Yours, VB.

Reply to
Volker Birk

My search engine got me to this group ;-)

I want to block any IP that's not pre-approved or is unauthenticated. I want to use hardware or WinXP-Pro-SP2 software; I would rather not use a VPN. I want something that is bonehead simple (even if I have a degree from MIT).

- RM

Reply to
Rick Merrill

And I want you to rethink your concept.

What about FTPS with proper user authentication? Just let all the connections from unapproved IPs come through; as long as they can't authenticate, your server should deny every access.

Reply to
Sebastian Gottschalk
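An added example, not code from this thread, of what "FTPS with proper user authentication" looks like in practice. It assumes a vsftpd server you can administer (the server in the thread was a third-party box), and the two configuration files are constructed samples: a stock-looking one with the weak settings beside a hardened one that refuses anonymous logins and forces TLS. The `vsftpd_findings` function reports each setting that undercuts authentication, using vsftpd's compiled-in defaults for keys that are absent.

```shell
#!/bin/sh
# Added example, not from the thread: audit a vsftpd.conf for settings that
# let unauthenticated or cleartext logins through. Assumes vsftpd; both config
# files below are constructed samples.

# conf_value FILE KEY DEFAULT: last value set for KEY in FILE, or vsftpd's
# compiled-in DEFAULT when the key is not set at all.
conf_value() {
    v=$(sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${v:-$3}"
}

# vsftpd_findings FILE: one line per weak setting; prints nothing when clean.
vsftpd_findings() {
    f="$1"
    [ "$(conf_value "$f" anonymous_enable YES)" = YES ] &&
        echo "anonymous_enable=YES: anyone can log in with no credentials at all"
    if [ "$(conf_value "$f" ssl_enable NO)" != YES ]; then
        echo "ssl_enable=NO: passwords and files cross the network in cleartext"
    else
        # TLS is on, but vsftpd can still let clients opt out of it.
        [ "$(conf_value "$f" force_local_logins_ssl YES)" != YES ] &&
            echo "force_local_logins_ssl=NO: clients may still log in without TLS"
        [ "$(conf_value "$f" force_local_data_ssl YES)" != YES ] &&
            echo "force_local_data_ssl=NO: file transfers may run in cleartext"
        [ "$(conf_value "$f" ssl_sslv2 NO)" = YES ] &&
            echo "ssl_sslv2=YES: obsolete protocol enabled"
        [ "$(conf_value "$f" ssl_sslv3 NO)" = YES ] &&
            echo "ssl_sslv3=YES: obsolete protocol enabled"
    fi
    return 0
}

WEAK=$(mktemp)
HARDENED=$(mktemp)
cat >"$WEAK" <<'EOF'
# constructed sample: what a stock vsftpd.conf often looks like
anonymous_enable=YES
local_enable=YES
write_enable=NO
EOF
cat >"$HARDENED" <<'EOF'
# constructed sample: real accounts only, TLS mandatory on both channels
anonymous_enable=NO
local_enable=YES
write_enable=NO
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/ssl/certs/ftp.example.pem
rsa_private_key_file=/etc/ssl/private/ftp.example.key
EOF

echo "== weak config =="
vsftpd_findings "$WEAK"
echo "== hardened config =="
vsftpd_findings "$HARDENED"
```

With this in place the IP allowlist becomes optional defence in depth rather than the only gate: a connection from an unknown address gets no further than the TLS handshake and the login prompt, and the thing being checked is a credential rather than a spoofable address.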

Maybe you want to try Google, Yahoo or MSN then :-P

Then configure your switching hardware.

OMN!

Yours, VB.

Reply to
Volker Birk

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.