can mac address filtering be done from the internet?

yongitz · 04-17-2007, 10:41 AM

Hi folks!

I'm just curious. I have a working vpn setup right now. What bothers me is that there might be time that a vpn client will be compromised. So as a precaution with the help of firewall using iptables, for example I will just allow all those mac addresses that are supposed to be allowed and block those which are not in my list. So if I have "false client" which got it's keys from a compromised vpn client even if it succeeds on the vpn authentication but still will be useless because no traffic can be done because of course the mac address is not one of the allowed lists.(but of course i'm not discounting the possibility that the mac address will be spoofed too..) But now I just want a clear view if mac address filtering can be done in this situation..

Thanks!

acid_kewpie · 04-17-2007, 10:43 AM

mac addresses are for layer2 communications, i.e. in a single subnet. there may be vendor proprietary extensions to permit filtering of that is wholly arbitrary data at the layer3 vpn stage, but as standard, it just doesn't really make "sense". proper cryptography with certificates and such is a much much better approach.

yongitz · 04-17-2007, 11:03 AM

Thank you sir for the prompt reply. So you're saying that's it's likely not possible with iptables?

lazlow · 04-17-2007, 11:07 AM

yongitz

Even if it were possible (would need more that iptables) spoofing a MAC is fairly easy to do. Acid has pointed you in the "best" direction.

Lazlow

yongitz · 04-17-2007, 11:15 AM

Ok.. I'm there! So what would be the best solution for my problem? As I just want to bind certain vpn certificates/keys to the right machine. So that even if those keys were stolen it will be of no use anymore..

Teomari · 04-17-2007, 06:48 PM

one thing that i know is that squid proxy can allow/disallow MAC addresses

acid_kewpie · 04-18-2007, 02:04 AM

well it can do it on a local subnet, but once it's past a router, that information doesn't exist.

slzckboy · 04-18-2007, 02:20 AM

The only Mac address that you will see for a session initiated from outside your Lan Is that of the Gateway router.

In normal TCP communication you would never see the mac address of the remote machine.That source mac address would be stripped off when the packet is marshalled to be sent over the internet .
the source/destination macs are then used to get the packet from one router hop to the next, and then once its at the destination subnet from the remote gateway router to the destination client.

So in short you can only rely on Mac filtering for devices on a Local subnet.

This is the long version to what mr kewpie has said already
:0)

yongitz · 04-18-2007, 10:09 PM

Thank you all for the clarifications. So even if you're operating under VPN you really cannot trace mac addresses?
Pardon me people but I have read something like when you are on bridged type of VPN(that means clients were given IPs the same as the local subnet), even on this situation you can't track the mac address? I also have found something in the internet that points out how to block vpn clients thru their mac address I just forgot the url but I'll post it here as soon as I find it. I need more clarifications coz I'm confused if it's really
possible because if it is then I would switched to bridged vpn.

Thanks!

acid_kewpie · 04-19-2007, 01:45 AM

well implicitly if it is a bridge then yes you can, but that's not the normal way a VPN would operate, and it's not really even a VPN thing. if it's a bridge, then it's layer2, and as described above is effectively still a single subnet.