[Firehol-support] MAC filtering
Ryan Krauss
ryanlists at gmail.com
Mon Mar 26 03:25:33 BST 2007
Thanks John. I will look into that. It sounds like I can achieve
almost the same effect.
When I said restart FireHOL, I meant I would do it while sitting at my
desk so that I can be on either computer. So, I wouldn't be trying to
do it remotely through ssh.
Ryan
On 3/25/07, John Dalton <John.Dalton at varrqnuht.net> wrote:
> Hi Ryan,
>
> This will almost certainly not work on your campus wireless network,
> as you very likely won't be in the same ethernet segment (or VLAN) as
> your office PC.
>
> Why not use SSH with key-based authentication instead, and disable
> password auth? This way nobody can get in via SSH unless they have
> your key, and if you only keep the key on your laptop then you
> achieve the same effect as locking it down by MAC address would.
>
> Google for "ssh key authentication", but this link looks good:
> http://sial.org/howto/openssh/publickey-auth/
>
> If you still want to use FireHOL to prevent even attempted
> connections from other hosts, you could restrict ssh access to your
> home and campus networks (for example), knowing that you have the
> added restriction of key authentication on top of that.
>
> Restarting FireHOL to allow your IP to connect may present a problem
> when you are attempting to connect from the IP you want to allow. ;)
>
> I hope this helps!
>
> Yours,
>
> John
>
>
> On 25/03/2007, at 11:21 PM, Ryan Krauss wrote:
>
> > Thanks Carlos. That worked really easily on my home network - my
> > laptop can connect to the desktop and my wife's can't. I will try it
> > Monday at work and see if I have the problem you mentioned about the
> > desktop not seeing the MAC because of routing between them. It sounds
> > like it probably won't work and I will just have to restart FireHOL
> > each time when I know the IP assigned to my laptop.
> >
> > On 3/25/07, Carlos Rodrigues <carlos.efr at mail.telepac.pt> wrote:
> >> On 3/25/07, Ryan Krauss <ryanlists at gmail.com> wrote:
> >>> I want to use ssh with unison between my laptop and my office
> >>> computer. Both have DHCP IPs. The laptop is connecting through the
> >>> campus-wide wireless network. I would like to open ssh only to my
> >>> laptop. Can I do this based on the MAC address of my laptop, since
> >>> its IP will change frequently? If this is possible, can someone give
> >>> me a simple example please. Basically, I want a rule that my desktop
> >>> would only accept ssh from the MAC address of my laptop.
> >>
> >> server ssh accept mac "00:11:22:33:44:55"
> >>
> >> However, this only works if both machines are on the same ethernet
> >> segment. If there's any routing between them, the desktop won't see
> >> the laptop's MAC address and there's no way around this.
> >>
> >> --
> >> Carlos Rodrigues
> >>
>
>
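Putting John's and Carlos's suggestions together in one FireHOL configuration, as an added example that is not part of the thread: the desktop runs an `interface` block that accepts ssh only from the home and campus address ranges (which survives routing, so it works from the campus wireless), and a second rule that additionally matches the laptop's MAC address for the same-segment case Carlos described. The interface name, the network ranges (RFC 5737 documentation addresses) and the MAC address are constructed placeholders, not values from the thread.

```firehol
# /etc/firehol/firehol.conf (FireHOL 1.x syntax; added example, not from the thread)
version 5

# "eth0" is an assumed interface name; replace with the desktop's real one.
interface eth0 office
    policy drop
    protection strong

    # Outgoing connections from the desktop are unrestricted.
    client all accept

    # ssh from the home and campus networks only. These are constructed
    # placeholder ranges; the src match works across routers because it
    # keys on the IP header, not on the ethernet frame.
    server ssh accept src "192.0.2.0/24 198.51.100.0/22"

    # Same-segment case only: the mac match keys on the source MAC in the
    # ethernet frame, which is rewritten at every router hop, so this rule
    # never matches a laptop that reaches the desktop through a router.
    # The MAC below is a constructed placeholder.
    server ssh accept mac "00:11:22:33:44:55"
```

The network-layer rule is the one that actually restricts exposure from the campus wireless; the MAC rule is a convenience for the home LAN and must not be relied on elsewhere. Either way, the real access control is sshd's: set `PasswordAuthentication no` and `PubkeyAuthentication yes` in `sshd_config` so that, inside the allowed ranges, only a host holding the laptop's private key can log in, and check `/var/log/auth.log` (or the distribution's equivalent) after the change for `Accepted publickey` entries from the expected address.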