[SLUG] Re: hosts.allow/deny by MAC instead of IP

From: Bryan J. Smith (b.j.smith@ieee.org)
Date: Thu Nov 18 2004 - 00:32:50 EST


On Wed, 2004-11-17 at 15:00, Mike Branda wrote:
> O.K. I've just found a site that explains that hosts.allow/deny doesn't
> get looked over till after the IP layer

Correct. In fact, hence the name TCP wrappers, it largely focuses on
the transport layer / port addresses (layer 4), in addition to the
network layer / IP address (layer 3).

> which is after the Ethernet layer. Does anybody have an idea as to how
> to get around this another way??

The NetFilter subsystem allows all sorts of filtering at the data link /
frame address/service layer (layer 2) in the Linux kernel. In a
nutshell, NetFilter not only has basic routing capabilities (which
iproute and iptables are good interfaces to), but even bridging
capabilities. Other operating system kernels may or may not have
similar layer 2 functionality (I'm fairly certain BSD's pf does though,
but I could be wrong).

The "mac" option in the "iptables" user-space command interface to
NetFilter is probably the direct route. I haven't personally written a
rule to take advantage of it, but it shouldn't be too hard to write one
for any INPUT chain.

See "man 8 iptables" as well as various IPTables HOWTOs/FAQs.
Start with the LDP at http://www.tldp.org and search for "iptables mac".

-- 
Bryan J. Smith                                    b.j.smith@ieee.org 
-------------------------------------------------------------------- 
Subtotal Cost of Ownership (SCO) for Windows being less than Linux
Total Cost of Ownership (TCO) assumes experts for the former, costly
retraining for the latter, omitted "software assurance" costs in 
compatible desktop OS/apps for the former, no free/legacy reuse for
latter, and no basic security, patch or downtime comparison at all.
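The rule Bryan points at but does not spell out, as an added example (not code from the original post): build a small INPUT-side whitelist with the iptables "mac" match from man 8 iptables, so that TCP port 22 on eth0 is only reachable from a few known hardware addresses. The interface, port, chain name and the two MAC addresses are constructed for illustration. The script prints the iptables commands rather than running them, so it can be reviewed offline and then piped to sh on the real host.

```shell
#!/bin/sh
# Added example: a per-port MAC whitelist using "-m mac --mac-source".
# Sample MACs, interface (eth0), port (22) and chain name are assumptions.

# Validate the XX:XX:XX:XX:XX:XX form iptables expects before building a rule,
# so a typo in the whitelist fails loudly instead of silently matching nothing.
valid_mac() {
  printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print the iptables commands for a per-port MAC whitelist chain.
# $1 = chain name, $2 = interface, $3 = TCP port, remaining args = allowed MACs.
# Returns 1 (and prints no rules) if any MAC is malformed.
mac_whitelist_rules() {
  chain="$1"; iface="$2"; port="$3"; shift 3
  for mac in "$@"; do
    valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
  done
  # A dedicated chain keeps the policy readable and easy to flush and rebuild.
  echo "iptables -N $chain"
  echo "iptables -F $chain"
  for mac in "$@"; do
    # Known hardware address: return to INPUT and let the normal rules decide.
    echo "iptables -A $chain -m mac --mac-source $mac -j RETURN"
  done
  # Anything else on this port: log a rate-limited sample, then drop.
  echo "iptables -A $chain -m limit --limit 5/min -j LOG --log-prefix \"MAC-DROP: \""
  echo "iptables -A $chain -j DROP"
  # Hook the chain from INPUT. The mac match only sees frames that arrived on an
  # Ethernet interface in PREROUTING, INPUT or FORWARD; it is useless in OUTPUT.
  echo "iptables -I INPUT -i $iface -p tcp --dport $port -j $chain"
}

# Usage: review the output, then apply it with  mac_whitelist_rules ... | sh
mac_whitelist_rules MAC_SSH eth0 22 00:11:22:33:44:55 66:77:88:99:aa:bb
```

Two caveats a practitioner should keep in mind. The source MAC a host sees is that of the last layer 2 hop, so for traffic that crossed a router every packet carries the router's MAC and this rule either blocks everything or nothing; it is only meaningful on the local Ethernet segment. And a MAC address is trivially changed by the sender, so this is a convenience filter against accidental access, not a substitute for the IP-level rules and authentication already in place.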




This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 18:19:46 EDT