Layer 2 Filtering Project

Is there anyone who knows how to implement this project, and what are the necessary things to be considered for it?

The idea of this project is to implement a filter at layer 2 (Ethernet). The user will be given a command line utility and he can add and remove rules in this filter. Depending on the rule, a decision needs to be made on the current Ethernet frame. Following is the specification:

  1. The L2F gets started when the Linux kernel boots up.
  2. The user is given a command line utility with the following syntax:
     -add -s -d -a
  3. Once the user adds the rule, the L2F will add a node to its internal linked list. The L2F needs to capture the Ethernet frame and extract the source and destination MAC addresses. If it matches any of the existing rules it should perform that action. The linked list should take care of all error conditions.
Reply to
abhils44
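The rule list and frame decision from the specification above, as an added user-space model in C (not the poster's code, and not a kernel module). Assumptions: a NULL `-s` or `-d` argument means "any", the first matching rule wins, the default policy is ACCEPT, and the MAC parser is strict (exactly six two-digit hex octets). The kernel side that would feed real frames in, such as a netfilter hook on the bridge family or simply ebtables, is left out so the list logic and its error handling can be exercised on their own.

```c
/* Added example (not the poster's code): user-space model of the L2F rule
 * list described in the thread.  Assumed: NULL for -s/-d means "any", first
 * match wins, default policy ACCEPT. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum l2f_action { L2F_ACCEPT = 0, L2F_DROP = 1 };
enum { L2F_OK = 0, L2F_EBADMAC = -1, L2F_EDUP = -2, L2F_ENOENT = -3, L2F_ENOMEM = -4 };

struct l2f_rule {
    uint8_t src[6], dst[6];
    int has_src, has_dst;            /* 0 = wildcard for that side */
    enum l2f_action action;
    struct l2f_rule *next;
};

static struct l2f_rule *rules;       /* singly linked list, insertion order */

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Strict "aa:bb:cc:dd:ee:ff" parser.  Each byte is validated before the next
 * one is read, so a short or truncated string can never cause an over-read. */
int l2f_parse_mac(const char *s, uint8_t out[6])
{
    if (!s) return L2F_EBADMAC;
    for (int i = 0; i < 6; i++) {
        int hi = hexval((unsigned char)s[3 * i]);
        int lo = hi < 0 ? -1 : hexval((unsigned char)s[3 * i + 1]);
        if (lo < 0) return L2F_EBADMAC;
        if (s[3 * i + 2] != (i == 5 ? '\0' : ':')) return L2F_EBADMAC;
        out[i] = (uint8_t)(hi << 4 | lo);
    }
    return L2F_OK;
}

static int rule_eq(const struct l2f_rule *a, const struct l2f_rule *b)
{
    return a->has_src == b->has_src && a->has_dst == b->has_dst &&
           (!a->has_src || !memcmp(a->src, b->src, 6)) &&
           (!a->has_dst || !memcmp(a->dst, b->dst, 6));
}

/* Build a rule from CLI-style arguments.  A rule with neither -s nor -d is
 * refused: it would silently become a new default policy. */
static int rule_from_args(struct l2f_rule *r, const char *src, const char *dst,
                          enum l2f_action act)
{
    memset(r, 0, sizeof *r);
    r->action = act;
    if (!src && !dst) return L2F_EBADMAC;
    if (src) { if (l2f_parse_mac(src, r->src)) return L2F_EBADMAC; r->has_src = 1; }
    if (dst) { if (l2f_parse_mac(dst, r->dst)) return L2F_EBADMAC; r->has_dst = 1; }
    return L2F_OK;
}

/* "-add -s SRC -d DST -a ACTION": reject duplicates, append at the tail so
 * earlier rules keep priority. */
int l2f_add(const char *src, const char *dst, enum l2f_action act)
{
    struct l2f_rule r, **pp, *n;
    int rc = rule_from_args(&r, src, dst, act);
    if (rc) return rc;
    for (pp = &rules; *pp; pp = &(*pp)->next)
        if (rule_eq(*pp, &r)) return L2F_EDUP;
    if (!(n = malloc(sizeof *n))) return L2F_ENOMEM;
    *n = r;                          /* r.next is NULL from the memset */
    *pp = n;
    return L2F_OK;
}

/* "-del -s SRC -d DST": unlink and free the node, ENOENT if it is not there. */
int l2f_del(const char *src, const char *dst)
{
    struct l2f_rule r, **pp;
    int rc = rule_from_args(&r, src, dst, L2F_ACCEPT);
    if (rc) return rc;
    for (pp = &rules; *pp; pp = &(*pp)->next)
        if (rule_eq(*pp, &r)) {
            struct l2f_rule *victim = *pp;
            *pp = victim->next;
            free(victim);
            return L2F_OK;
        }
    return L2F_ENOENT;
}

int l2f_count(void) { int n = 0; for (struct l2f_rule *p = rules; p; p = p->next) n++; return n; }
void l2f_reset(void) { while (rules) { struct l2f_rule *p = rules; rules = p->next; free(p); } }

/* Decide on one raw frame.  Ethernet puts the destination MAC in bytes 0-5
 * and the source in 6-11; anything shorter than the 14-byte header is a runt
 * and is dropped before any rule is consulted. */
enum l2f_action l2f_decide(const uint8_t *frame, size_t len)
{
    if (len < 14) return L2F_DROP;
    const uint8_t *dst = frame, *src = frame + 6;
    for (struct l2f_rule *p = rules; p; p = p->next)
        if ((!p->has_src || !memcmp(p->src, src, 6)) &&
            (!p->has_dst || !memcmp(p->dst, dst, 6)))
            return p->action;
    return L2F_ACCEPT;
}

int main(void)
{
    /* Constructed frame: broadcast ARP request from 00:11:22:33:44:55. */
    uint8_t frame[60] = { 0xff,0xff,0xff,0xff,0xff,0xff,
                          0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x06 };
    l2f_add("00:11:22:33:44:55", NULL, L2F_DROP);
    printf("%s\n", l2f_decide(frame, sizeof frame) == L2F_DROP ? "DROP" : "ACCEPT");
    l2f_reset();
    return 0;
}
```

The error paths are the part worth keeping in a real implementation: a malformed MAC, a duplicate rule, a delete of a rule that was never added, and a runt frame are all answered with a distinct code rather than a silent accept. Note that in the kernel the list would also need a lock (or RCU), since the CLI modifies it while the receive path walks it.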

What exactly are you trying to accomplish?

You probably want to be looking in comp.os.linux.networking. The existing netfilter code has source MAC filtering (see the IP-Masquerade-HOWTO for details), and I'm not sure what destination filtering would do.

REJECT!!! The user should have _NOTHING_ to do with this - that is a kernel level function.

In theory, it is part of the kernel, but you'd want to start this when networking is started, as is done with the current firewall mechanisms.

Normally, this is handled with the existing firewall setup. I can see a benefit of source address filtering, but what do you hope to do with destination filtering. Example - you want to send to 192.0.2.22 which has a MAC of DE:AD:BE:EF (although the network stack doesn't know that yet), so the stack would ARP for this, and the source MAC filtering would drop the ARP reply...

Yeah, that already happens, but I'm wondering what your requirement is. The MAC address is only used on the local segment (and on certain PPP-over- links), and is trivial to spoof. Have you lost control of your LAN? Additionally, I'm wondering why this would be a _user_ function, as most users can't even spell MAC, much less have a concept of what it's used for.

Old guy

Reply to
Moe Trin

Sounds like a perfect candidate for the ebtables project. Here's the URL:

formatting link
Good Luck. Thomas R. Jones

Reply to
Secure Buddha

Hello there,

OpenBSD can do that with pfctl, as well as linux. If you look for a commercial product, Cisco can also do it either in switch/routers (access-list), or with transparent firewalling.

Regards, jF

wrote in the news message: snipped-for-privacy@i3g2000cwc.googlegroups.com...

Reply to
Jean-François Gobin
