This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

MAC Address Filtering

Is it possible with ASL V5 to block a given MAC address so that it has no access to the Internet, or the VPN tunnel?

I found in the documentation how to do it on a wireless interface, but I want to set it up on the wired ethernet.

There is only 6 machines that should be allowed to connect through this particular ASL box. I would like to set up a positive filter to only allow these 6 MAC addresses.

This thread was automatically locked due to age.

Parents

0 JimmyM over 21 years ago

You can't do it with iptables (ASL). You'd need ebtables.
Cancel
Vote Up 0 Vote Down

Cancel
0 ineappleP over 21 years ago in reply to JimmyM

Thanks Jim, for the quick response.

Too bad it wasn't the response I was hoping for. Can you think of any other way to accomplish this?

I was thinking that I could just add a DHCP reservation for the MAC that gives it a bogus IP, but obviously a clever user could work around that very easily.

Fortuneatly most of our users aren't that clever.
Cancel
Vote Up 0 Vote Down

Cancel
0 William Warren over 21 years ago in reply to ineappleP

give it an ip then add a block all rule in the packet filter for that ip address..[[:)]] But keep in mind softwre can be installed to spoof the MAC addess of their choosing..[[:)]]

Owner: Emmanuel Technology Consulting

http://etc-md.com

Former Sophos SG(Astaro) advocate/researcher/Silver Partner

PfSense w/Suricata, ntopng,

Other addons to follow
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 William Warren over 21 years ago in reply to ineappleP

give it an ip then add a block all rule in the packet filter for that ip address..[[:)]] But keep in mind softwre can be installed to spoof the MAC addess of their choosing..[[:)]]

Owner: Emmanuel Technology Consulting

http://etc-md.com

Former Sophos SG(Astaro) advocate/researcher/Silver Partner

PfSense w/Suricata, ntopng,

Other addons to follow
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 ineappleP over 21 years ago in reply to William Warren

Great idea.

That's more what I was looking for. I'll give it a try today.
Cancel
Vote Up 0 Vote Down

Cancel
0 martindw over 21 years ago in reply to ineappleP

This will be particularly useful if your clients are W2K or XP and don't have admin rights on their computers. Then they can't change the IP settings you give them. . .on 9x all bets are off if they learn anything about TCP/IP configuration.
Cancel
Vote Up 0 Vote Down

Cancel
0 bce over 21 years ago in reply to martindw

yes, and i think its easier for them to change the ip than the mac.
Cancel
Vote Up 0 Vote Down

Cancel