From: Dash Four <mr.dash.four@googlemail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: Dabase BAcked IPTables
Date: Sun, 30 Jun 2013 13:13:57 +0100 [thread overview]
Message-ID: <51D02105.4070201@googlemail.com> (raw)
In-Reply-To: <CAGWRaZaWGwQ1KcdXXLN-fVCOVJzMa83s7_1h9eBcBnzQZK1bcQ@mail.gmail.com>
Nick Khamis wrote:
>>> The MAC address is only used on local links. The MAC address of a packet
>>> arriving at your firewall or perimeter router is that of the router at the
>>> other (ISP) end of your link.
>>>
>
> Our client application adds a P-Assertion to the SIP message
> indicating the mac of
> the requesting client. Now, I am not sure how we can tie that into
> "--src" of IPTables.
>
If you need to capture embedded MAC addresses in that header you would
need to analyse the SIP packet - not a trivial thing to do by any means.
Even then, what's stopping, say, an adversary from crafting a packet
with a "legitimate" MAC address embedded in that header?
Even if you match IP and MAC addresses together, that won't be 100%
secure as these could be easily forged.
Since your clients are using an application you provide, why don't you
secure the signalling using PKI - that way you could distribute a
certificate with the client. The server on your side of the connection
won't accept it unless a secure handshake has been established - job done.
OK, that won't prevent somebody from DDoS-ing you, but you could
easily protect yourself from this using standard iptables tools.
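The message above ends with two practical points: a MAC address is only usable as a match on the local link, and once clients authenticate over TLS the remaining flood risk can be handled with ordinary iptables matches. The script below is an added illustration of both, written for this page; it is not code from Dash Four, Nick Khamis or the netfilter project. Interface names (eth0/eth1), the SIP-over-TLS port 5061, the rate and connection limits, and the SIP_IN chain name are assumptions chosen for the example. DRY_RUN=1 prints the iptables commands instead of executing them, so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example for this thread, not from the original posters.
# Assumed: SIP signalling is TLS on TCP/5061 (clients carry a client cert),
# this host is the SIP server, $WAN_IF faces the Internet, $LAN_IF is a
# directly attached segment. DRY_RUN=1 prints rules; APPLY=1 applies them.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
SIPS_PORT="${SIPS_PORT:-5061}"
HANDSHAKE_RATE="${HANDSHAKE_RATE:-10/minute}"   # new TLS connections per source IP
HANDSHAKE_BURST="${HANDSHAKE_BURST:-20}"
MAX_CONNS="${MAX_CONNS:-8}"                     # concurrent TCP connections per /32

# Wrapper: print the command in dry-run mode, otherwise run iptables.
ipt() {
    if [ -n "$DRY_RUN" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Flood protection for the TLS signalling port. Order matters: the
# limiting rules must precede the final ACCEPT.
sip_rules() {
    # Dedicated chain so the rules can be flushed and reloaded as a unit.
    ipt -N SIP_IN 2>/dev/null || true
    ipt -F SIP_IN

    # Cap concurrent connections per client address (the cheapest thing
    # to exhaust is TLS server state, not bandwidth).
    ipt -A SIP_IN -p tcp --dport "$SIPS_PORT" \
        -m connlimit --connlimit-above "$MAX_CONNS" --connlimit-mask 32 \
        -j REJECT --reject-with tcp-reset

    # Throttle new handshakes per source IP; hashlimit keeps one bucket
    # per address, so one noisy client does not starve the others.
    ipt -A SIP_IN -p tcp --dport "$SIPS_PORT" -m conntrack --ctstate NEW \
        -m hashlimit --hashlimit-name sips_new --hashlimit-mode srcip \
        --hashlimit-above "$HANDSHAKE_RATE" --hashlimit-burst "$HANDSHAKE_BURST" \
        -j DROP

    ipt -A SIP_IN -p tcp --dport "$SIPS_PORT" -j ACCEPT

    # Plain-text SIP is not offered at all; authentication lives in TLS.
    ipt -A SIP_IN -p udp --dport 5060 -j DROP
    ipt -A SIP_IN -p tcp --dport 5060 -j DROP

    ipt -A INPUT -i "$WAN_IF" -j SIP_IN
}

# A MAC match is only meaningful for hosts on the same L2 segment: the
# source MAC the kernel sees is the previous hop's, not the original
# sender's, and on the local link it is trivially forged anyway.
lan_mac_allow() {
    ipt -A INPUT -i "$LAN_IF" -m mac --mac-source "$1" \
        -p tcp --dport "$SIPS_PORT" -j ACCEPT
}

# Usage:  DRY_RUN=1 sh sip-fw.sh      (review the rules)
#         APPLY=1   sh sip-fw.sh      (apply, as root)
if [ -n "$DRY_RUN" ] || [ -n "$APPLY" ]; then
    sip_rules
fi
```

The hashlimit and connlimit matches are the "standard iptables tools" the reply refers to; they do nothing about who the client is, which is exactly why the client certificate has to carry that part.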