
Re: I want to have my cake and eat it too



Hi Jonathan,
this is not directly related to the original poster, but I had to
clarify it.

On Tue, 2003-04-01 at 00:39, Jonathan Oxer wrote:
> Even though you didn't ask for it, another thought in passing: provided
> you get this going by whatever means, and depending on how many internal
> machines you have, you could do MAC address matching in iptables to make
> sure only your nominated machines can get to your proper internal
> addresses. In other words, treat your internal network as hostile, not

This gives a false feeling of security: I can bring up my Ethernet card
with any MAC address I want:

ifconfig eth0 hw ether 01:23:45:67:89:AB 192.168.0.1 up

As much as I like MAC matching with iptables, it is just another barrier
and not too hard to circumvent if you watch ARP packets.

Stefan
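
Added example, not part of Stefan's message: a minimal arpwatch-style check that tracks IP-to-MAC bindings over time and flags the changes a hand-set hardware address tends to produce on a network that relies on MAC matching. The log format, function names and sample observations are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: "<epoch> <ip> <mac>", one line per ARP reply seen on the LAN.
# MACs come from the 00:00:5e:00:53:xx documentation range.
SAMPLE_LOG = """\
1000 192.168.0.10 00:00:5e:00:53:01
1005 192.168.0.11 00:00:5E:00:53:02
1060 192.168.0.10 00:00:5e:00:53:01
1090 192.168.0.66 00:00:5e:00:53:02
1120 192.168.0.10 00:00:5e:00:53:03
"""

def parse(text):
    """Return (timestamp, ip, mac) tuples with the MAC lower-cased."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip blank or malformed lines
        ts, ip, mac = fields
        rows.append((int(ts), ip, mac.lower()))
    return rows

def find_anomalies(rows):
    """Flag observations that contradict bindings seen earlier."""
    ip_to_mac = {}                 # last MAC seen for each IP
    mac_to_ips = defaultdict(set)  # every IP a MAC has claimed
    alerts = []
    for ts, ip, mac in sorted(rows):
        # The IP now answers from a different MAC than before.
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            alerts.append((ts, "ip-changed-mac", ip, mac))
        # A known MAC claims an additional IP (cloned address or multi-homed host).
        if mac_to_ips[mac] and ip not in mac_to_ips[mac]:
            alerts.append((ts, "mac-on-new-ip", ip, mac))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(parse(SAMPLE_LOG)):
        print(*alert)
```

Both alert types also fire for legitimate events such as a replaced network card or a DHCP lease change, so they are prompts for review rather than proof of spoofing.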



