MAC filter on server - Firewalls


Thread: MAC filter on server

  1. MAC filter on server


    I want to use a MAC address filter to allow only approved
    users to access an FTP server (Linux).

    The configuration is

    me<->BEFSR41(NATandDHTP)<->ATA(w.NAT)<->CABLEMODEM ----

    ----BEFSR41(MAC filter?)<->#1Bridge#2<->SWITCH<->FTPserver

    "Bridge" is PC with Win XP pro sp2 and two NIC (#1:10/100,
    #2:10/100/1000)


    Can this be done?

  2. Re: MAC filter on server

    In article ,
    Rick Merrill wrote:

    >I want to use a MAC address filter to allow only approved
    >users to access an FTP server (Linux).


    >The configuration is


    >me<->BEFSR41(NATandDHTP)<->ATA(w.NAT)<->CABLEMODEM ----
    >----BEFSR41(MAC filter?)<->#1Bridge#2<->SWITCH<->FTPserver


    >"Bridge" is PC with Win XP pro sp2 and two NIC (#1:10/100,
    >#2:10/100/1000)


    MAC addresses are not preserved through IP routing, and are
    not preserved through IPSec IP.

    If the MACs you want to filter on are the ones at "me", then in
    order to have them reach "MAC filter", you would have to use
    a Layer 2 VPN, which is not available on the BEFSR41 itself.

  3. Re: MAC filter on server

    Walter Roberson wrote:
    > In article ,
    > Rick Merrill wrote:
    >
    >> I want to use a MAC address filter to allow only approved
    >> users to access an FTP server (Linux).

    >
    >> The configuration is

    >
    >> me<->BEFSR41(NATandDHTP)<->ATA(w.NAT)<->CABLEMODEM ----
    >> ----BEFSR41(MAC filter?)<->#1Bridge#2<->SWITCH<->FTPserver

    >
    >> "Bridge" is PC with Win XP pro sp2 and two NIC (#1:10/100,
    >> #2:10/100/1000)

    >
    > MAC addresses are not preserved through IP routing, and are
    > not preserved through IPSec IP.
    >
    > If the MACs you want to filter on are the ones at "me", then in
    > order to have them reach "MAC filter", you would have to use
    > a Layer 2 VPN, which is not available on the BEFSR41 itself.


    Thank you, that's what I needed to know (and feared).

    Is there any way to do an IP filter? (short of a VPN, which I fear would
    require changes at the end user (me and a few others)).


  4. Re: MAC filter on server

    In article <6dednbNzq9asoiDYnZ2dnUVZ_v2dnZ2d@comcast.com>,
    Rick Merrill wrote:
    >Walter Roberson wrote:
    >> In article ,
    >> Rick Merrill wrote:


    >>> me<->BEFSR41(NATandDHTP)<->ATA(w.NAT)<->CABLEMODEM ----
    >>> ----BEFSR41(MAC filter?)<->#1Bridge#2<->SWITCH<->FTPserver


    >Is there any way to do an IP filter? (short of a VPN, which I fear would
    >require changes at the end user (me and a few others)).


    Do you all have static IP addresses? I note you have a cable modem
    in the mix; in these parts, unless you pay extra, you do not receive
    a static IP on residential broadband connections. (The cable IPs
    here don't change all that often, but do change; the DSL connections
    here change IPs at least once a week.)

    I don't know what the filtering capabilities of the BEFSR41 are.
    The filters on the BEFVP41 have to do with blocking -outgoing-
    access; if I recall correctly the filters on the BEFW11S4 are
    very similar (I don't have mine plugged in right at the moment.)
    My understanding is that the BEFSR41 is very similar to the
    BEFW11S4 except with no wireless.

    The easiest place to put in the IP filters would likely be the FTP
    server... but first you have to be sure that the IPs aren't going
    to vary (and that there isn't any legitimate reason to reach the
    FTP server when, for example, you are visiting your folks for
    the holidays.)


  5. Re: MAC filter on server

    Walter Roberson wrote:
    > In article <6dednbNzq9asoiDYnZ2dnUVZ_v2dnZ2d@comcast.com>,
    > Rick Merrill wrote:
    >> Walter Roberson wrote:
    >>> In article ,
    >>> Rick Merrill wrote:

    >
    >>>> me<->BEFSR41(NATandDHTP)<->ATA(w.NAT)<->CABLEMODEM ----
    >>>> ----BEFSR41(MAC filter?)<->#1Bridge#2<->SWITCH<->FTPserver

    >
    >> Is there any way to do an IP filter? (short of a VPN, which I fear would
    >> require changes at the end user (me and a few others)).

    >
    > Do you all have static IP addresses? I note you have a cable modem
    > in the mix; in these parts, unless you pay extra, you do not receive
    > a static IP on residential broadband connections. (The cable IPs
    > here don't change all that often, but do change; the DSL connections
    > here change IPs at least once a week.)
    >
    > I don't know what the filtering capabilities of the BEFSR41 are.
    > The filters on the BEFVP41 have to do with blocking -outgoing-
    > access; if I recall correctly the filters on the BEFW11S4 are
    > very similar (I don't have mine plugged in right at the moment.)
    > My understanding is that the BEFSR41 is very similar to the
    > BEFW11S4 except with no wireless.
    >
    > The easiest place to put in the IP filters would likely be the FTP
    > server... but first you have to be sure that the IPs aren't going
    > to vary (and that there isn't any legitimate reason to reach the
    > FTP server when, for example, you are visiting your folks for
    > the holidays.)
    >


    True, we have "dynamic" IP addresses, but mine has not changed in 6
    months and since our region is not in active buildout further changes
    are unanticipated - we'll just cross that bridge when we come to it.
    No, there's no need to access the server from Aunt Nettie's house.

    Unfortunately the Linux server is '3rd party' and inaccessible, at least
    not without voiding the warranty :-) or should that be :-{
    Now maybe someone can tell me how to block IP with Linux ...

    Can any router or firewall block IP addresses for incoming traffic?



  6. Re: MAC filter on server

    In article <2ZOdnaPWg4tMwyDYnZ2dnUVZ_vOdnZ2d@comcast.com>,
    Rick Merrill wrote:
    >>>> In article ,
    >>>> Rick Merrill wrote:


    >>>>> me<->BEFSR41(NATandDHTP)<->ATA(w.NAT)<->CABLEMODEM ----
    >>>>> ----BEFSR41(MAC filter?)<->#1Bridge#2<->SWITCH<->FTPserver


    >Can any router or firewall block IP addresses for incoming traffic?


    Well, the better ones.

    I was going to say that "any firewall can do it", but these
    days what are sold as "firewalls" to the consumer are not
    necessarily very configurable.

    Selective service by IP is very common in real firewalls, and not
    uncommon in real routers. For example, as best I recall, it can
    be done with all of the routers sold under the Cisco brand name
    (except perhaps some of the early SOHO series); I am not familiar
    with the newer Linksys-branded Cisco devices to know if any of them
    support it.

  7. Re: MAC filter on server

    Walter Roberson wrote:
    > In article <2ZOdnaPWg4tMwyDYnZ2dnUVZ_vOdnZ2d@comcast.com>,
    > Rick Merrill wrote:
    >>>>> In article ,
    >>>>> Rick Merrill wrote:

    >
    >>>>>> me<->BEFSR41(NATandDHTP)<->ATA(w.NAT)<->CABLEMODEM ----
    >>>>>> ----BEFSR41(MAC filter?)<->#1Bridge#2<->SWITCH<->FTPserver

    >
    >> Can any router or firewall block IP addresses for incoming traffic?

    >
    > Well, the better ones.
    >
    > I was going to say that "any firewall can do it", but these
    > days what are sold as "firewalls" to the consumer are not
    > necessarily very configurable.
    >
    > Selective service by IP is very common in real firewalls, and not
    > uncommon in real routers. For example, as best I recall, it can
    > be done with all of the routers sold under the Cisco brand name
    > (except perhaps some of the early SOHO series); I am not familiar
    > with the newer Linksys-branded Cisco devices to know if any of them
    > support it.


    I see I deluded myself about the Linksys capabilities. Thanks for
    putting me straight!

    I "spoke with" the Indian/Pakistani at the Linksys/Cisco support group
    and he said I could block IP, but now I see that there was a
    misunderstanding of which direction I was talking about!

    Is there any s/w that could run on the "bridge" above that could block
    all traffic that did not match a list of IP addresses?


  8. Re: MAC filter on server

    Rick Merrill wrote:
    > I want to use a MAC address filter to allow only approved
    > users to access an FTP server (Linux).
    >
    > The configuration is
    >
    > me<->BEFSR41(NATandDHTP)<->ATA(w.NAT)<->CABLEMODEM ----
    >
    > ----BEFSR41(MAC filter?)<->#1Bridge#2<->SWITCH<->FTPserver
    >
    > "Bridge" is PC with Win XP pro sp2 and two NIC (#1:10/100,
    > #2:10/100/1000)
    >
    >
    > Can this be done?


    Not without major pains, and it would be rather pointless anyway,
    because MAC addresses can be spoofed most easily. If you want to approve
    users: use proper authentication.

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich

  9. Re: MAC filter on server

    In article ,
    Rick Merrill wrote:

    >>>>>>> me<->BEFSR41(NATandDHTP)<->ATA(w.NAT)<->CABLEMODEM ----
    >>>>>>> ----BEFSR41(MAC filter?)<->#1Bridge#2<->SWITCH<->FTPserver


    [Where Bridge is a Windows XP PC with two NICs]


    >Is there any s/w that could run on the "bridge" above that could block
    >all traffic that did not match a list of IP addresses?


    How did you configure bridging on the XP? The most natural way
    to configure that connection would be to use routing instead of
    bridging. The way to configure bridging on XP doesn't spring to my
    mind at the moment.

    You could possibly use something as simple as Windows XP Firewall.

    The way to put on ip filters on Linux depends on the Linux version,
    I believe. These pages might help:
    http://www.netfilter.org/
    http://www.linuxfirewall.com/
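    Walter's two suggestions, putting the IP filters on the FTP server itself (post 4) and using netfilter to do it (this post), as an added example that is not from the thread: a small POSIX shell script that generates an iptables allowlist for the FTP control port and validates each entry before emitting a rule. The approved addresses and the chain name FTP_ALLOW are constructed for the example; nothing in the thread names them.

```shell
#!/bin/sh
# Added example: emit iptables rules that accept new FTP control connections
# (tcp/21) only from an approved list of IPv4 addresses/CIDRs and drop the
# rest. Run the output on the FTP host as root; nothing is applied here.
# Constructed allowlist for the example (documentation ranges, not real hosts).
APPROVED="203.0.113.7 198.51.100.0/28"

# Accept a dotted-quad IPv4 address with an optional /0-/32 prefix and reject
# anything else, so a typo cannot silently open the port to the wrong network.
valid_cidr() {
    printf '%s' "$1" | grep -Eq \
        '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    ip=${1%%/*}
    IFS=.; set -- $ip; unset IFS          # split octets, then restore default IFS
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Print the rule set to stdout. $1 = space-separated allowlist, $2 = port (21).
# Covers only the control connection; FTP data connections use separate ports
# and need the same treatment. Default policy for the port is DROP.
ftp_allowlist_rules() {
    port=${2:-21}
    echo "iptables -N FTP_ALLOW 2>/dev/null || iptables -F FTP_ALLOW"
    echo "iptables -D INPUT -p tcp --dport $port -j FTP_ALLOW 2>/dev/null"
    echo "iptables -I INPUT -p tcp --dport $port -j FTP_ALLOW"
    for src in $1; do
        valid_cidr "$src" || { echo "invalid source: $src" >&2; return 1; }
        echo "iptables -A FTP_ALLOW -s $src -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "iptables -A FTP_ALLOW -p tcp --dport $port -j DROP"
}

ftp_allowlist_rules "$APPROVED"
```

    Each approved client still has to keep the same address; when a "dynamic" IP changes, the allowlist has to be regenerated and reapplied.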

  10. Re: MAC filter on server

    Ansgar -59cobalt- Wiechers wrote:
    > Rick Merrill wrote:
    >> I want to use a MAC address filter to allow only approved
    >> users to access an FTP server (Linux).
    >>
    >> The configuration is
    >>
    >> me<->BEFSR41(NATandDHTP)<->ATA(w.NAT)<->CABLEMODEM ----
    >>
    >> ----BEFSR41(MAC filter?)<->#1Bridge#2<->SWITCH<->FTPserver
    >>
    >> "Bridge" is PC with Win XP pro sp2 and two NIC (#1:10/100,
    >> #2:10/100/1000)
    >>
    >>
    >> Can this be done?

    >
    > Not without major pains, and it would be rather pointless anyway,
    > because MAC addresses can be spoofed most easily. If you want to approve
    > users: use proper authentication.


    And I've learned that MAC addresses do not get routed over the internet.

    How do you authenticate an IP address (the only id of the source)
    that is simpler than using an IP filter?

  11. Re: MAC filter on server

    Rick Merrill wrote:
    > How do you authenticate an IP address


    http://standards.ieee.org/getieee802...02.1X-2004.pdf

    Yours,
    VB.
    --
    "Pornography is an abstract phenomenon. It cannot exist without a medium
    to propagate it, and it has very little (if anything at all) to do with sex."
    Tina Lorenz


  12. Re: MAC filter on server

    Volker Birk wrote:
    > Rick Merrill wrote:
    >> How do you authenticate an IP address

    >
    > http://standards.ieee.org/getieee802...02.1X-2004.pdf
    >
    > Yours,
    > VB.



    Good ol' 802.1 ... let me rephrase my question: is there
    any software that implements this?


  13. Re: MAC filter on server

    In article ,
    Rick Merrill wrote:
    >Volker Birk wrote:
    >> Rick Merrill wrote:
    >>> How do you authenticate an IP address

    >> http://standards.ieee.org/getieee802...02.1X-2004.pdf


    >Good ol' 802.1 ... let me rephrase my question: is there
    >any software that implements this?


    Yes. There are, for example, Cisco clients... if you were
    using a Cisco VPN server.

    The following might be of assistance:
    http://whitepapers.techrepublic.com....x?&docid=88367

    IEEE 802.1x Authentication Client in Microsoft Windows for Wireless and Wired Networks


    I suspect you will find that setting this all up is a lot more
    trouble than the alternatives.


  14. Re: MAC filter on server

    Rick Merrill wrote:
    > Volker Birk wrote:
    > > Rick Merrill wrote:
    > >> How do you authenticate an IP address

    > > http://standards.ieee.org/getieee802...02.1X-2004.pdf

    > Good ol' 802.1 ... let me rephrase my question: is there
    > any software that implements this?


    Yes, lots of hardware and software do implement this. Perhaps you want
    to try a search engine.

    Yours,
    VB.
    --
    "Pornography is an abstract phenomenon. It cannot exist without a medium
    to propagate it, and it has very little (if anything at all) to do with sex."
    Tina Lorenz


  15. Re: MAC filter on server

    Volker Birk wrote:
    > Rick Merrill wrote:
    >> Volker Birk wrote:
    >>> Rick Merrill wrote:
    >>>> How do you authenticate an IP address
    >>> http://standards.ieee.org/getieee802...02.1X-2004.pdf

    >> Good ol' 802.1 ... let me rephrase my question: is there
    >> any software that implements this?

    >
    > Yes, lots of hardware and software do implement this. Perhaps you want
    > to try a search engine.
    >
    > Yours,
    > VB.



    My search engine got me to this group ;-)

    I want to block any IP that's not pre-approved or is unauthenticated.
    I want to use hardware or WinXP-pro-sp2 software
    I would rather Not use a VPN.
    I want something that is bonehead simple
    (even if I have a degree from MIT)

    - RM



  16. Re: MAC filter on server

    Rick Merrill wrote:

    >>>>> How do you authenticate an IP address
    >>>> http://standards.ieee.org/getieee802...02.1X-2004.pdf
    >>> Good ol' 802.1 ... let me rephrase my question: is there
    >>> any software that implements this?

    >>
    >> Yes, lots of hardware and software do implement this. Perhaps you want
    >> to try a search engine.
    >>
    >> Yours,
    >> VB.

    >
    > My search engine got me to this group ;-)
    >
    > I want to block any IP that's not pre-approved or is unauthenticated.
    > I want to use hardware or WinXP-pro-sp2 software
    > I would rather Not use a VPN.
    > I want something that is bonehead simple
    > (even if I have a degree from MIT)


    And I want you to rethink your concept.

    What about FTPS with proper user authentication? Just let all the
    connections from unapproved IPs come through; as long as they can't
    authenticate, your server should deny every access.

  17. Re: MAC filter on server

    Rick Merrill wrote:
    > Volker Birk wrote:
    > > Rick Merrill wrote:
    > >> Volker Birk wrote:
    > >>> Rick Merrill wrote:
    > >>>> How do you authenticate an IP address
    > >>> http://standards.ieee.org/getieee802...02.1X-2004.pdf
    > >> Good ol' 802.1 ... let me rephrase my question: is there
    > >> any software that implements this?

    > > Yes, lots of hardware and software do implement this. Perhaps you want
    > > to try a search engine.

    > My search engine got me to this group ;-)


    Maybe you want to try Google, Yahoo or MSN then :-P

    > I want to block any IP that's not pre-approved or is unauthenticated.


    Then configure your switching hardware.

    > I want something that is bonehead simple


    OMN!

    Yours,
    VB.
    --
    "Pornography is an abstract phenomenon. It cannot exist without a medium
    to propagate it, and it has very little (if anything at all) to do with sex."
    Tina Lorenz

