[Firehol-support] MAC filtering
John Dalton
John.Dalton at varrqnuht.net
Mon Mar 26 03:15:02 BST 2007
Hi Ryan,
This will almost certainly not work on your campus wireless network,
as you very likely won't be in the same ethernet segment (or VLAN) as
your office PC.
Why not use SSH with key-based authentication instead, and disable
password auth? This way nobody can get in via SSH unless they have
your key, and if you only keep the key on your laptop then you
achieve the same effect as locking it down by MAC address would.
Google for "ssh key authentication", but this link looks good:
http://sial.org/howto/openssh/publickey-auth/
If you still want to use FireHOL to prevent even attempted
connections from other hosts, you could restrict ssh access to your
home and campus networks (for example), knowing that you have the
added restriction of key authentication on top of that.
Restarting FireHOL to allow your IP to connect may present a problem
when you are attempting to connect from the IP you want to allow. ;)
I hope this helps!
Yours,
John
On 25/03/2007, at 11:21 PM, Ryan Krauss wrote:
> Thanks Carlos. That worked really easily on my home network - my
> laptop can connect to the desktop and my wife's can't. I will try it
> Monday at work and see if I have the problem you mentioned about the
> desktop not seeing the MAC because of routing between them. It sounds
> like it probably won't work and I will just have to restart FireHOL
> each time when I know the IP assigned to my laptop.
>
> On 3/25/07, Carlos Rodrigues <carlos.efr at mail.telepac.pt> wrote:
>> On 3/25/07, Ryan Krauss <ryanlists at gmail.com> wrote:
>>> I want to use ssh with unison between my laptop and my office
>>> computer. Both have DHCP IPs. The laptop is connecting through the
>>> campus wide wireless network. I would like to open ssh only to my
>>> laptop. Can I do this based on the MAC address of my laptop, since
>>> its IP will change frequently? If this is possible, can someone give
>>> me a simple example please. Basically, I want a rule that my desktop
>>> would only accept ssh from the MAC address of my laptop.
>>
>> route ssh accept mac "00:11:22:33:44:55"
>>
>> However, this only works if both machines are on the same ethernet
>> segment. If there's any routing between them, the desktop won't see
>> the laptop's MAC address and there's no way around this.
>>
>> --
>> Carlos Rodrigues
>>
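Two checks behind the advice in this thread, as an added example (not code from the list, from FireHOL, or from OpenSSH): whether two hosts share an IPv4 subnet, which is the usual sign of the single L2 segment a FireHOL "mac" rule needs, and whether an sshd_config really disables password authentication. All function names are hypothetical and the sample sshd_config is constructed.

```shell
# Added example, not code from the thread or from FireHOL. Hypothetical helpers:
#  - same_subnet: Carlos's caveat in shell form. A FireHOL "mac" rule only sees the
#    laptop's MAC when both hosts share one L2 segment, and sharing an IPv4 subnet
#    is the usual sign of that.
#  - ssh_hardened: John's advice, checked the way sshd reads its config: the FIRST
#    value of a keyword wins, so "PasswordAuthentication no" appended below an
#    earlier "yes" changes nothing. Only the global section (before any Match) is read.

ip_to_int() {                  # usage: ip_to_int 192.168.1.10
    set -- $(printf '%s\n' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

same_subnet() {                # usage: same_subnet IP1 IP2 PREFIXLEN ; 0 if same subnet
    m=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & m )) -eq $(( $(ip_to_int "$2") & m )) ]
}

sshd_effective() {             # usage: sshd_effective FILE Keyword default ; prints value sshd uses
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        tolower($1) == "match"     { exit }                      # global section ends
        /^[[:space:]]*#/ || NF < 2 { next }                      # comments, blank lines
        tolower($1) == key         { print tolower($2); found = 1; exit }
        END                        { if (!found) print tolower(def) }
    ' "$1"
}

ssh_hardened() {               # usage: ssh_hardened FILE ; 0 if keys on and passwords off
    [ "$(sshd_effective "$1" PubkeyAuthentication yes)" = yes ] &&
    [ "$(sshd_effective "$1" PasswordAuthentication yes)" = no ]
}
write_sample_config() {        # constructed sshd_config showing the "appended no" mistake
    cat > "$1" <<'EOF'
# campus default image
PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin no
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
}

if [ "${1:-}" = demo ]; then   # run as: sh this_file.sh demo
    f=$(mktemp); write_sample_config "$f"
    same_subnet 192.168.1.10 192.168.1.200 24 && echo "same /24: a mac rule can apply"
    ssh_hardened "$f" || echo "passwords still accepted: the first value wins"
    rm -f "$f"
fi
```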