Hi,
Is there any firewall that can specify mac address in addition to IP address in the source/destination? Thanks.
-- Regards, Johnny
What do you want to achieve?
Yours, VB.
Yes.
cu
59cobalt
IP address can be easily spoofed, but MAC address is harder to spoof. For example, we only want a particular machine to be able to ftp to/from the Internet, but do not want someone unplugging the particular machine from the network, and setting up his PC with that IP address, and ftp to the Internet.
-- Regards, Johnny.
Thanks, do you have the brand and model number? I prefer a hardware firewall.
-- Regards, Johnny.
This is an error. It's as easy to spoof MAC addresses as it is to spoof IP addresses.
Yours, VB.
Any host you plan to filter via MAC address would have to be in the same broadcast domain as the internal firewall port (same subnet). Else the MAC address will be that of the router which is. You may want to look at an FTP proxy to which the privileged internal host must authenticate.
Netfilter (the packet filter of the Linux kernel) can do that. However, as Volker already told you, if you believe that MAC addresses are any harder to spoof than IP-Addresses you are mistaken.
Virtually every firewall is implemented in software.
cu
59cobalt
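Added example, not part of any post in this thread: the kind of Netfilter rule set the post above refers to, matching a source IP together with its MAC address through the iptables `mac` match. The interface name, IP and MAC are constructed placeholders and the function `ftp_mac_rules` is hypothetical; it only prints the rules, and as the thread points out, the match sees real client MACs only inside the firewall's own broadcast domain and does nothing against a cloned MAC.

```shell
#!/bin/sh
# Constructed placeholder: the firewall's LAN-facing interface.
LAN_IF="eth1"

# Print (do not execute) iptables rules that allow FTP control traffic
# only from one IP+MAC pair and drop FTP from every other LAN host.
# Usage: ftp_mac_rules <ipv4> <mac>
ftp_mac_rules() {
    ip="$1"
    mac="$2"

    # Reject anything that is not shaped like a dotted-quad IPv4 address.
    if ! printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        echo "invalid IPv4 address: $ip" >&2
        return 1
    fi

    # The mac match expects six colon-separated hex octets.
    if ! printf '%s\n' "$mac" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'; then
        echo "invalid MAC address: $mac" >&2
        return 1
    fi

    # Source IP and source MAC must both match for the packet to pass.
    # The mac match only works on inbound paths (PREROUTING, INPUT, FORWARD).
    printf 'iptables -A FORWARD -i %s -s %s -m mac --mac-source %s -p tcp --dport 21 -j ACCEPT\n' \
        "$LAN_IF" "$ip" "$mac"

    # Everything else arriving from the LAN towards FTP is dropped.
    printf 'iptables -A FORWARD -i %s -p tcp --dport 21 -j DROP\n' "$LAN_IF"
}

# Constructed sample values (documentation IP range, made-up MAC).
# FTP data connections additionally need connection tracking; not shown here.
ftp_mac_rules 192.0.2.10 00:11:22:33:44:55
```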
If it's so easy then why do some virus writers get caught when they are stupid enough to upload the virus from their own PC?
This has nothing to do with MAC addresses.
Yours, VB.
Actually it is easier. My domestic D-Link firewall/router has an option to clone a MAC address - identify itself as someone else. Takes less than one minute to set up. Many ADSL services are specific to a MAC address, so when you change hardware you do not have to reconfigure your account.
It would take some work to figure out which MAC address to clone, but that is a separate issue.
Johnny Yan wrote:
: IP address can be easily spoofed, but mac address is harder to spoof. For
: example, we only want a particular machine to be able to ftp to/from the
: Internet, but do not want someone unplugging the particular machine from the
: network, and setting up his PC with that IP address, and ftp to the
: Internet.
Both IP address and MAC address can be spoofed. Try rather implementing an 802.1x based solution. Most managed switches of today support it and you'll also need some RADIUS server and certificates. A bit more complicated, but much more secure.
Lars
Yes. Download free Sygate v5.5 b 2710
This is a lousy host-based packet filter, not a firewall.
Ummm, is this supposed to be a trick question?
Old guy
You should not use it then!!
And you should not recommend it. Someone might take your advice seriously, then mess up his computer with this craptastic software, opening certain remote security vulnerabilities in the first place.
Anyway, it should be obvious and has been discussed here that MAC addresses are pretty useless as identification criteria.
Nobody should use it, as it has serious design flaws.
cu
59cobalt
I remember a case some years back where the virus writer was traced to his PC in his home via the IP and MAC address. I believe it was in the Philippines. Just saying, if it is so easy to do, why was he caught?
Then tell them what to use. I just use the XP firewall and a router. That's good enough for me.
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.