mac-source matching

Linux Netfilter discussions
 help / color / mirror / Atom feed

* mac-source matching
@ 2004-04-26 18:15 Beau Sapach
  2004-04-26 18:45 ` Patrick Turley
  0 siblings, 1 reply; 2+ messages in thread
From: Beau Sapach @ 2004-04-26 18:15 UTC (permalink / raw)
  To: netfilter

Hello everyone,

I have a system running redhat with kernel 2.4.26 and iptables 1.2.1a that is a 
routing firewall.  If I use the mac-source extension to match packets from the 
internal network (a workstation for which this system is the gateway) it works 
fine, but it won't match packets originating from the outside world.  The rule 
I use is this:

iptables -A FORWARD -m mac --mac-source 00:00:00:00:00:00 -j ACCEPT

It could be me, I may be completely misunderstanding how this is supposed to 
work.  I am by no means a guru.... any help would be appreciated, thanks!

Beau

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: mac-source matching
  2004-04-26 18:15 mac-source matching Beau Sapach
@ 2004-04-26 18:45 ` Patrick Turley
  0 siblings, 0 replies; 2+ messages in thread
From: Patrick Turley @ 2004-04-26 18:45 UTC (permalink / raw)
  To: netfilter

Beau Sapach wrote:
> Hello everyone,
> 
> I have a system running redhat with kernel 2.4.26 and iptables 1.2.1a that is a 
> routing firewall.  If I use the mac-source extension to match packets from the 
> internal network (a workstation for which this system is the gateway) it works 
> fine, but it won't match packets originating from the outside world.  The rule 
> I use is this:
> 
> iptables -A FORWARD -m mac --mac-source 00:00:00:00:00:00 -j ACCEPT
> 
> It could be me, I may be completely misunderstanding how this is supposed to 
> work.  I am by no means a guru.... any help would be appreciated, thanks!

Please excuse me if I've misunderstood what you're doing, but this is 
what occurs to me first...

You say that your machine is running a firewall? That means it's 
filtering traffic arriving from the outside world, which I presume means 
that it's connected to a cable modem/DSL/T-1/etc.

MAC addresses (almost) never survive more than one hop. If a packet is 
traveling to your LAN from a server on the other side of the country, 
the MAC address of that server will never be observed at your firewall. 
In fact, it's probably the case that *ALL* the packets arriving at your 
firewall have the same source MAC address - the MAC address of the first 
router upstream from you.

So, it's certainly possible for your firewall to match incoming traffic 
by MAC address, but it is also almost certainly useless to do so.

I hope that helps.

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2004-04-26 18:45 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-04-26 18:15 mac-source matching Beau Sapach
2004-04-26 18:45 ` Patrick Turley

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox