[Firehol-support] MAC filtering

John Dalton John.Dalton at varrqnuht.net
Mon Mar 26 03:15:02 BST 2007


Hi Ryan,

This will almost certainly not work on your campus wireless network,
as you very likely won't be in the same ethernet segment (or VLAN) as
your office PC.

Why not use SSH with key-based authentication instead, and disable
password auth?  This way nobody can get in via SSH unless they have
your key, and if you only keep the key on your laptop then you
achieve the same effect as locking it down by MAC address would.

Google for "ssh key authentication", but this link looks good:
   http://sial.org/howto/openssh/publickey-auth/

If you still want to use FireHOL to prevent even attempted
connections from other hosts, you could restrict ssh access to your
home and campus networks (for example), knowing that you have the
added restriction of key authentication on top of that.

Restarting FireHOL to allow your IP to connect may present a problem
when you are attempting to connect from the IP you want to allow. ;)

I hope this helps!

Yours,

John


On 25/03/2007, at 11:21 PM, Ryan Krauss wrote:

> Thanks Carlos.  That worked really easily on my home network - my
> laptop can connect to the desktop and my wife's can't.  I will try it
> Monday at work and see if I have the problem you mentioned about the
> desktop not seeing the MAC because of routing between them.  It sounds
> like it probably won't work and I will just have to restart FireHOL
> each time when I know the IP assigned to my laptop.
>
> On 3/25/07, Carlos Rodrigues <carlos.efr at mail.telepac.pt> wrote:
>> On 3/25/07, Ryan Krauss <ryanlists at gmail.com> wrote:
>>> I want to use ssh with unison between my laptop and my office
>>> computer.  Both have DHCP IPs.  The laptop is connecting through the
>>> campus wide wireless network.  I would like to open ssh only to my
>>> laptop.  Can I do this based on the MAC address of my laptop, since
>>> its IP will change frequently?  If this is possible, can someone give
>>> me a simple example please.  Basically, I want a rule that my desktop
>>> would only accept ssh from the MAC address of my laptop.
>>
>> route ssh accept mac "00:11:22:33:44:55"
>>
>> However, this only works if both machines are on the same ethernet
>> segment. If there's any routing between them, the desktop won't see
>> the laptop's MAC address and there's no way around this.
>>
>> --
>> Carlos Rodrigues
>>
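As an added example (not from John's reply or from the FireHOL project), the layered setup he describes: a FireHOL interface block that accepts SSH only from the home and campus address ranges, with sshd's key-only authentication as the second layer. The interface name, the two network ranges and the commented MAC are assumed placeholders, and the config is written for the FireHOL 1.x format in use when this thread was posted.

```firehol
# /etc/firehol/firehol.conf -- assumes FireHOL 1.x (config format version 5)
version 5

# Assumed placeholders for the home and campus networks (RFC 5737 documentation ranges)
home_net="192.0.2.0/24"
campus_net="198.51.100.0/22"

interface eth0 office
    policy drop            # nothing reaches the desktop unless explicitly accepted
    protection strong      # drop malformed and obviously spoofed packets

    # SSH is reachable only from the networks the laptop roams on;
    # sshd still demands the key, so a stranger on those networks gets nowhere
    server ssh accept src "${home_net} ${campus_net}"

    # Carlos's MAC match is only meaningful on the home LAN, where no
    # router sits between laptop and desktop; it can be added there:
    # server ssh accept mac "00:11:22:33:44:55"

    client all accept      # the desktop may initiate outbound connections
```

On the sshd side, set `PasswordAuthentication no` and `ChallengeResponseAuthentication no` in /etc/ssh/sshd_config and restart sshd, after confirming the laptop's public key is in ~/.ssh/authorized_keys so you are not locked out.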
