[Firehol-support] MAC filtering

Ryan Krauss ryanlists at gmail.com
Mon Mar 26 04:25:33 CEST 2007


Thanks John.  I will look into that.  It sounds like I can achieve
almost the same effect.

When I said restart FireHOL, I meant I would do it while sitting at my
desk so that I can be on either computer.  So, I wouldn't be trying to
do it remotely through ssh.

Ryan

On 3/25/07, John Dalton <John.Dalton at varrqnuht.net> wrote:
> Hi Ryan,
>
> This will almost certainly not work on your campus wireless network,
> as you very likely won't be in the same ethernet segment (or VLAN) as
> your office PC.
>
> Why not use SSH with key-based authentication instead, and disable
> password auth?  This way nobody can get in via SSH unless they have
> your key, and if you only keep the key on your laptop then you
> achieve the same effect as locking it down by MAC address would.
>
> Google for "ssh key authentication", but this link looks good:
>    http://sial.org/howto/openssh/publickey-auth/
>
> If you still want to use FireHOL to prevent even attempted
> connections from other hosts, you could restrict ssh access to your
> home and campus networks (for example), knowing that you have the
> added restriction of key authentication on top of that.
>
> Restarting FireHOL to allow your IP to connect may present a problem
> when you are attempting to connect from the IP you want to allow. ;)
>
> I hope this helps!
>
> Yours,
>
> John
>
>
> On 25/03/2007, at 11:21 PM, Ryan Krauss wrote:
>
> > Thanks Carlos.  That worked really easily on my home network - my
> > laptop can connect to the desktop and my wife's can't.  I will try it
> > Monday at work and see if I have the problem you mentioned about the
> > desktop not seeing the MAC because of routing between them.  It sounds
> > like it probably won't work and I will just have to restart FireHOL
> > each time when I know the IP assigned to my laptop.
> >
> > On 3/25/07, Carlos Rodrigues <carlos.efr at mail.telepac.pt> wrote:
> >> On 3/25/07, Ryan Krauss <ryanlists at gmail.com> wrote:
> >>> I want to use ssh with unison between my laptop and my office
> >>> computer.  Both have DHCP IP's.  The laptop is connecting through
> >>> the
> >>> campus wide wireless network.  I would like to open ssh only to my
> >>> laptop.  Can I do this based on the MAC address of my laptop, since
> >>> its IP will change frequently?  If this is possible, can someone
> >>> give
> >>> me a simple example please.  Basically, I want a rule that my
> >>> desktop
> >>> would only accept ssh from the MAC address of my laptop.
> >>
> >> # inside the desktop's interface definition (not a router block); a MAC has six octets
> >> server ssh accept mac "00:11:22:33:44:55"
> >>
> >> However, this only works if both machines are on the same ethernet
> >> segment. If there's any routing between them, the desktop won't see
> >> the laptop's MAC address and there's no way around this.
> >>
> >> --
> >> Carlos Rodrigues
> >>
>
>
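The two approaches discussed in this thread, as an added example that is not part of the original messages or of the FireHOL project's own documentation: a FireHOL interface definition that accepts ssh from the laptop's MAC when it sits on the same segment (home LAN) and from named home/campus address ranges for the routed case where the desktop never sees the laptop's MAC, plus an sshd_config fragment that disables password authentication so that only the laptop's key gets in, and a small check that confirms the effective sshd settings. The interface name `eth0`, the address ranges, the MAC address and the `version 5` line (FireHOL 1.x configs of that era) are assumed placeholders; adjust them to your hosts.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.  Interface name, MAC and
# address ranges below are constructed placeholders.

# FireHOL rules for the desktop.  'mac' matches the source MAC and therefore
# only works when the laptop is on the same ethernet segment; the 'src'
# ranges cover the routed (campus wireless) case.
firehol_conf() {
    cat <<'EOF'
version 5
interface eth0 office
    policy drop
    protection strong
    client all accept
    # same segment only: the laptop's source MAC (assumed value)
    server ssh accept mac "00:11:22:33:44:55"
    # routed case: home and campus source networks (assumed ranges)
    server ssh accept src "192.0.2.0/24 198.51.100.0/22"
EOF
}

# sshd_config fragment: accept keys only, never passwords.
sshd_hardening() {
    cat <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
EOF
}

# sshd_option FILE KEYWORD DEFAULT: print the effective value of KEYWORD.
# Like sshd, the first uncommented occurrence wins; keywords are
# case-insensitive and may be written "Keyword value" or "Keyword = value".
sshd_option() {
    k=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    v=$(awk -v k="$k" '
        /^[[:space:]]*#/ { next }                        # skip comments
        {
            line = tolower($0)
            sub(/^[[:space:]]+/, "", line)
            if (index(line, k) != 1) next
            c = substr(line, length(k) + 1, 1)
            if (c != " " && c != "\t" && c != "=") next   # keyword must end here
            rest = substr(line, length(k) + 1)
            sub(/^[[:space:]]*=?[[:space:]]*/, "", rest)
            split(rest, f, /[[:space:]]+/)
            if (f[1] != "") { print f[1]; exit }          # first occurrence wins
        }' "$1")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# check_sshd_config FILE: succeed only if password auth is off and public-key
# auth is on.  Defaults mirror sshd: both are "yes" when unset, so a config
# that never mentions PasswordAuthentication fails the check.
check_sshd_config() {
    pw=$(sshd_option "$1" PasswordAuthentication yes)
    pk=$(sshd_option "$1" PubkeyAuthentication yes)
    [ "$pw" = "no" ] && [ "$pk" = "yes" ]
}
```

Usage: `firehol_conf > /etc/firehol/firehol.conf` and `sshd_hardening >> /etc/ssh/sshd_config`, then `check_sshd_config /etc/ssh/sshd_config && echo key-only` before restarting sshd. Keep an existing session open while you reload either service, since a mistake in the src ranges locks you out exactly as the thread warns.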



