
Re: Mac Address Filter



On 13/06/2002, Chris <sea_dragons@mac.com> wrote Cc misc@openbsd.org:
> It is handy for keeping not-very-dedicated would-be thieves from using 
> your wireless network for their own net usage without first spending 

*sigh*

OK, go to if_bridge.c and pf.c - think about the amount of
code needed to introduce that feature. I've been there, I've 
worked on it.

Done?

Ok, now think about the amount of people you *can* "keep out" with
that - and for how long.

Done?

Does this match, say, is it worth the effort?

I don't think so.

All I've seen in the few mails describing this need with a scenario
have severe design problems.

You want MAC filtering for wlan? Well, make it a bridge (easier anyway)
and use the mac filter in there.

> time snooping on it.  I know some people who (erroneously) think you 
> need a soldering iron to change MAC IDs, so the technique clearly 
> thwarts some fraction of persons seeking unpermitted access.  
> Foolproof?  Of course not. But it is not useless.  It is one layer to 
> slow down those who would consume resources, and makes other targets 
> look more appetizing.  You don't need to outrun bears, sometimes, just 
> other hikers :-)
> 
> --Chris
> 
> PS some reason to hate MAC-based filtering, of which I should be 
> alerted? :-)
> 
> On Saturday, June 8, 2002, at 02:08  PM, Philipp Buehler wrote:
> 
> > On 08/06/2002, O. Matt <init64@kodee.org> wrote To misc@openbsd.org:
> >> I wonder how I could set up a mac addresses filtering firewall rule on
> >> my little OpenBSD 3.0 server. Any idea ?
> >
> > Why does anyone want MAC filtering?
> >
> > You'll break more than you would gain in 'security'.
> >
> > One thing you can do is to set up a bridge and use
> > the bpf filtering in there - if you really need to.
> >
> >
> > I'd like to hear some "arguments" why this is so
> > desired.
> >
> > Answers like 'but netfilter has it' are void for me.
> >
> > ciao
> > --
> > Philipp Buehler, aka fips | sysfive.com GmbH | BOfH | NUCH | <double-p>
> >
> > #1: Break the clue barrier!
> > #2: Already had buzzword confuseritis ?
> 
-- 
Philipp Buehler, aka fips | sysfive.com GmbH | BOfH | NUCH | <double-p> 

#1: Break the clue barrier!
#2: Already had buzzword confuseritis ?