From: Dash Four <mr.dash.four@googlemail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: Dabase BAcked IPTables
Date: Sun, 30 Jun 2013 13:13:57 +0100 [thread overview]
Message-ID: <51D02105.4070201@googlemail.com> (raw)
In-Reply-To: <CAGWRaZaWGwQ1KcdXXLN-fVCOVJzMa83s7_1h9eBcBnzQZK1bcQ@mail.gmail.com>
Nick Khamis wrote:
>>> The MAC address is only used on local links. The MAC address of a packet
>>> arriving at your firewall or perimeter router is that of the router at the
>>> other (ISP) end of your link.
>>>
>
> Our client application adds a P-Assertion to the SIP message
> indicating the mac of
> the requesting client. Now, I am not sure how we can tie that into
> "--src" of IPTables.
>
If you need to capture embedded MAC addresses in that header you would
need to analyse the SIP packet - not a trivial thing to do by any means.
Even then, what's stopping, say, an adversary from crafting a packet
with a "legitimate" MAC address embedded in that header.
Even if you match IP and MAC addresses together, that won't be 100%
secure as these could be easily forged.
Since your clients are using an application you provide, why don't you
secure the signalling using PKI - that way you could distribute a
certificate with the client. The server on your side of the connection
won't accept it unless a secure handshake has been established - job done.
OK, that won't prevent you from somebody ddos-ing you, but you could
easily protect yourself from this using standard iptables tools.
next prev parent reply other threads:[~2013-06-30 12:13 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-06-28 15:01 Dabase BAcked IPTables Nick Khamis
2013-06-28 15:12 ` Ricardo Klein
2013-06-29 18:19 ` Jozsef Kadlecsik
2013-06-29 20:10 ` Andrew Beverley
2013-06-29 20:39 ` Nick Khamis
2013-06-29 21:00 ` Neal Murphy
2013-06-29 23:12 ` Nick Khamis
2013-06-30 12:13 ` Dash Four [this message]
2013-06-30 13:27 ` Nick Khamis
2013-06-28 23:19 ` /dev/rob0
2013-06-29 0:00 ` Ricardo Klein
2013-06-29 0:05 ` Nick Khamis
2013-06-29 0:28 ` /dev/rob0
2013-06-29 1:21 ` Nick Khamis
2013-06-29 14:47 ` Eliezer Croitoru
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=51D02105.4070201@googlemail.com \
--to=mr.dash.four@googlemail.com \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox