* MAC Address filter on wireless interface
@ 2006-03-13 14:23 Steve Comfort
From: Steve Comfort @ 2006-03-13 14:23 UTC
To: netfilter

Hi All,

I have been trying to get MAC address filtering to work on our wireless
card - so far without success:

The rules I am using are listed below:

for M in $(cat /etc/mac.allow) ; do
    $IPT -A INPUT -i $WIFI_IF -m mac --mac_source $M -j ACCEPT
done
for M in $(cat /etc/mac.allow) ; do
    $IPT -A INPUT -i $WIFI_IF -m mac --mac-source ! $M -j DROP
done

(I do have CONFIG_IP_NF_MATCH_MAC turned on).
I'm running on an ARM processor with kernel 2.4.21-rmk1

Is it in fact possible to filter on MAC addresses over a WiFi interface,
or am I doing something stupid?

Best regards
Steve Comfort

* Re: MAC Address filter on wireless interface
From: Cedric Blancher @ 2006-03-13 15:02 UTC
To: Steve Comfort; +Cc: netfilter

On Monday 13 March 2006 at 16:23 +0200, Steve Comfort wrote:
> I have been trying to get MAC address filtering to work on our wireless
> card - so far without success:

You should describe the problem. What's not working? Everything goes
through? Nothing goes through?

> for M in $(cat /etc/mac.allow) ; do
>     $IPT -A INPUT -i $WIFI_IF -m mac --mac-source ! $M -j DROP
> done

Probable typo here. Do you mean /etc/mac.deny?

Another hint that comes to mind. Do you really want to filter traffic
destined to this particular box, which is what you do using INPUT
chain? If you want to filter traffic going through the box, you have to
use FORWARD chain.

> Is it in fact possible to filter on MAC addresses over a WiFi interface,
> or am I doing something stupid?

Yes it is possible, but you have to consider the fact that MAC filtering
is a very limited feature on a WiFi network. MAC spoofing is very easy
(ifconfig $WIFI_IF hw ether $NEW_MAC) on most drivers and does not cause
any problem or conflict as long as you don't use the IP the guy you're
spoofing does. Thus, your MAC filter can be bypassed very easily...

--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
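
An added example, not part of either message in this thread: one way to build the allow-list being discussed, with one ACCEPT rule per permitted address followed by a single catch-all DROP, and a hook argument covering the INPUT versus FORWARD choice raised in the reply. The function name gen_mac_rules, the chain name WIFI_MAC, the interface wlan0 and the sample addresses are assumptions; the function prints the iptables commands instead of running them.

```shell
#!/bin/sh
# Added example: print iptables commands for a MAC allow-list.
# gen_mac_rules, WIFI_MAC and the sample addresses are illustrative names.

# gen_mac_rules LISTFILE IFACE HOOK
#   LISTFILE  one MAC per line; blank lines and '#' comments are ignored
#   IFACE     wireless interface the filter applies to
#   HOOK      INPUT (traffic to this box) or FORWARD (traffic routed through it)
gen_mac_rules() {
    list=$1 iface=$2 hook=$3 chain=WIFI_MAC
    case $hook in
        INPUT|FORWARD) ;;
        *) echo "hook must be INPUT or FORWARD" >&2; return 2 ;;
    esac
    [ -r "$list" ] || { echo "cannot read $list" >&2; return 2; }

    # Validate every entry before emitting anything, so a typo in the list
    # cannot leave a half-built rule set that ends in DROP.
    macs=$(sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$list")
    for m in $macs; do
        if ! printf '%s\n' "$m" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'; then
            echo "invalid MAC address: $m" >&2
            return 1
        fi
    done

    echo "iptables -N $chain"
    echo "iptables -A $hook -i $iface -j $chain"
    for m in $macs; do
        echo "iptables -A $chain -m mac --mac-source $m -j ACCEPT"
    done
    # One final DROP replaces the per-address negated DROP rules: a packet is
    # dropped only after it has failed to match every allowed address.
    echo "iptables -A $chain -j DROP"
}

# Constructed sample list (addresses are made up for the demo).
demo_list=$(mktemp)
printf '%s\n' '# laptops' '00:11:22:33:44:55' 'aa:bb:cc:dd:ee:ff  # printer' > "$demo_list"
gen_mac_rules "$demo_list" wlan0 INPUT
rm -f "$demo_list"
```

Because the jump is appended with -A, any earlier ACCEPT rule in the hook chain still takes precedence over this chain. The filter checks only the link-layer source address, which, as the reply above points out, is easy to spoof.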