I'm curious if anyone out there knows if it's possible to put together a
bridging firewall in Linux or *BSD that can have a list of MAC addresses
to permit through the bridge, and all others would be dropped.  Actually,
it would be preferable to be able to filter based on MAC address and by
what ethernet port it came in on.  I think most bridging firewall patches
I've seen will only allow you to filter the bridge as one big chunk,
rather than by interface, but I may be mistaken.

Note that an ethernet bridge usually bypasses the TCP/IP stack (I think
bridging works at a lower layer in the standard Taco Bell model than most
filtering systems), so special patches would probably be required for it
to work.

At work, we need to be able to filter out some wireless traffic.  The
802.11 bridges can supposedly do this, but there are several of them, and
keeping the allowed addresses in sync could be a pain.  Additionally, the
wireless bridges we have only have a small amount of memory, so large
tables could pose a problem.

If worse comes to worse, I imagine we'll just have to carve out a new
subnet.  Filtering on an actual router appears to be much easier than on a
bridge.

-- 
 _  _  _  _ _  ___    _ _  _  ___ _ _  __   Computer Lie #1: You'll 
/ \/ \(_)| ' // ._\  / - \(_)/ ./| ' /(__   never use all that disk  
\_||_/|_||_|_\\___/  \_-_/|_|\__\|_|_\ __)  space. 
[ Mike Hicks | http://umn.edu/~hick0088/ | mailto:hick0088 at tc.umn.edu ]
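An added example, not code from the post or the list: on a current Linux kernel the bridge family of nftables can do exactly what the question asks for, filtering frames by source MAC and by the bridge port they arrived on, so this script generates such a ruleset from a small allow list. The port names eth1/eth2 and the MAC values are constructed; the nft commands assume nftables is installed.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates an nftables ruleset
# (bridge family) that lets frames through a Linux bridge only when the
# (ingress port, source MAC) pair is on an allow list; everything else is
# dropped and logged. Port names eth1/eth2 and the MACs are constructed.

# Constructed allow list: "ingress-port source-mac", one pair per line.
ALLOWLIST='eth1 00:11:22:33:44:55
eth1 00:11:22:33:44:66
eth2 aa:bb:cc:dd:ee:ff'

# Print the ruleset. The forward hook of the bridge family sees frames as the
# bridge relays them between ports, below the IP stack, so no IP-layer filter
# is involved. One ether_addr set per port keeps the rules short even for
# large tables; a MAC allowed on eth1 is still dropped if it shows up on eth2.
gen_ruleset() {
  ports=$(printf '%s\n' "$ALLOWLIST" | awk '{print $1}' | sort -u)
  echo 'table bridge filter {'
  for port in $ports; do
    macs=$(printf '%s\n' "$ALLOWLIST" |
      awk -v p="$port" '$1 == p { m = (m == "" ? $2 : m ", " $2) } END { print m }')
    echo "    set allowed_${port} {"
    echo '        type ether_addr'
    echo "        elements = { ${macs} }"
    echo '    }'
  done
  echo '    chain forward {'
  echo '        type filter hook forward priority 0; policy drop;'
  for port in $ports; do
    echo "        iifname \"${port}\" ether saddr @allowed_${port} accept"
  done
  # Log the dropped frames so an unexpected MAC on a port shows up in syslog.
  echo '        log prefix "bridge-drop: " drop'
  echo '    }'
  echo '}'
}

# Syntax-check the generated ruleset without loading it (needs nft installed).
check_ruleset() { gen_ruleset | nft -c -f -; }

# Load it into the kernel (as root). A source MAC is easy to forge, so this
# keeps out stray hosts rather than a deliberately spoofed one.
apply_ruleset() { gen_ruleset | nft -f -; }

if [ "${1:-}" = "apply" ]; then apply_ruleset; fi
```

Run it with no arguments to print the ruleset for review, or with `apply` to load it; the sets can later be edited in place with `nft add element` / `nft delete element` without reloading the whole table.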