Block unwanted MAC address with static arp table
I'm trying to harden access to a custom-built router (Alix motherboard) a little bit more by whitelisting MAC addresses. This feature is quite common in consumer routers or embedded systems (e.g. OpenWrt, pfSense).
As far as I read, there are two ways to accomplish this:
1) Iptables rules
2) Static ARP table
Although I can easily block PCs in iptables, it seems more logical to block unwanted connections at L2 and leave packet processing logic to iptables. It'll also reduce and simplify the iptables rules.
In this particular case I want to harden access on the wireless interface at home (actually not so many iptables rules). However, I'd like to try the same setup on a similar router for a small network (about 150 users) with more complex firewall rules, whitelisting MACs on Ethernet as well. I thought simplifying the rules could speed up packet processing and therefore give better network throughput.
So, I'd like to ask if it's worth it at all. Are there any other gains than simpler iptables rules (and, on the other hand, a slightly more complex configuration)?
And just for the record: I know that this can be easily bypassed by MAC spoofing, but most users won't even try that, and those who will are capable enough to figure out the right MAC and IP address and will find a way around network restrictions anyway.
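The two approaches listed in the question, written out as an added example (this is not code from the original post): a POSIX shell script that turns a "MAC IP" allow-list into static neighbour-table entries (`ip neigh ... nud permanent`) and into an iptables user chain that accepts listed source MACs on the wireless interface and drops everything else. The interface name `wlan0`, the allow-list contents and the chain name `MACWL` are constructed placeholders. One caveat the script's comments spell out: a permanent ARP entry only stops the router from overwriting the IP-to-MAC mapping it already has for a listed IP; it does not drop frames from an unlisted MAC, so the iptables `mac` match (or an ebtables equivalent) is still the part that enforces the whitelist.

```shell
#!/bin/sh
# Added example, not from the original post. Generates static-ARP and
# iptables MAC-whitelist rules from a "MAC IP" allow-list.
# Assumptions: interface wlan0, chain name MACWL, constructed sample hosts.

WL_IFACE="${WL_IFACE:-wlan0}"

# Constructed sample allow-list, one "MAC IP" pair per line; '#' starts a comment.
sample_whitelist() {
    cat <<'EOF'
# mac                ip
00:11:22:33:44:55    192.168.1.10
66:77:88:99:aa:bb    192.168.1.11
EOF
}

# Return 0 if $1 is a colon-separated 48-bit MAC, 1 otherwise.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Emit one "ip neigh replace ... nud permanent" line per host (reads stdin).
# A permanent entry is never overwritten by a received ARP reply for that IP,
# so an unlisted host cannot hijack a listed IP on the router. It does NOT
# stop frames from unlisted MACs; that is the job of the iptables rules.
gen_arp_rules() {
    while read -r mac ip _; do
        case "$mac" in ''|'#'*) continue ;; esac
        valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
        printf 'ip neigh replace %s lladdr %s dev %s nud permanent\n' \
            "$ip" "$mac" "$WL_IFACE"
    done
}

# Emit the iptables rules (reads stdin): traffic entering on the interface
# is sent to the MACWL chain; listed source MACs RETURN to the caller,
# everything else is dropped. The mac match is valid in INPUT and FORWARD.
gen_iptables_rules() {
    printf 'iptables -N MACWL\n'
    printf 'iptables -A INPUT -i %s -j MACWL\n' "$WL_IFACE"
    printf 'iptables -A FORWARD -i %s -j MACWL\n' "$WL_IFACE"
    while read -r mac ip _; do
        case "$mac" in ''|'#'*) continue ;; esac
        valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
        printf 'iptables -A MACWL -m mac --mac-source %s -j RETURN\n' "$mac"
    done
    printf 'iptables -A MACWL -j DROP\n'
}

# Stand-alone run: print the generated commands for review.
sample_whitelist | gen_arp_rules
sample_whitelist | gen_iptables_rules
```

Run it as-is to review the generated commands; on the router, pipe each generator's output to `sh` (as root) to apply them. Keeping the MAC rules in their own chain means the rest of the firewall policy stays separate, which is the "simpler iptables rules" gain the question is after; for the 150-user case, the per-MAC `RETURN` lines could be replaced by a single `ipset` match of type `hash:mac`, but the structure stays the same.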