Layer 2 Filtering Project......

am 15.09.2006 10:57:53 von abhils44

Is there anyone who knows how to implement this project? What are the
necessary things to be considered for this.....


The idea of this project is to implement a filter at layer 2
(Ethernet). The user will be given a command line utility and he can
add and remove rules into this filter. Depending on the rule, a decision
needs to be made on the current Ethernet frame. Following is the
specification:

1. The L2F gets started when the Linux Kernel boots up.
2. The user is given a command line utility with the following
syntax:
1. -add -s -d
-a
3. Once the user adds the rule, the L2F will add a node to its
internal linked list. The L2F needs to capture the Ethernet frame and
extract source and destination MAC addresses. If it matches any of the
existing rules it should perform that action. The linked list should
take care of all error conditions.

Re: Layer 2 Filtering Project......

am 15.09.2006 21:58:03 von ibuprofin

On 15 Sep 2006, in the Usenet newsgroup comp.security.firewalls, in article
<1158310673.484434.53770@i3g2000cwc.googlegroups.com>, abhils44@gmail.com wrote:

>Is there anyone who knows how to implement this project? What are the
>necessary things to be considered for this.....

What exactly are you trying to accomplish?

>The idea of this project is to implement a filter at layer 2 (Ethernet).

You probably want to be looking in comp.os.linux.networking. The existing
net-filter code has Source MAC filtering (see the IP-Masquerade-HOWTO for
details), and I'm not sure what Destination filtering would do.

>The user will be given a command line utility and he can
>add and remove rules into this filter.

REJECT!!! The user should have _NOTHING_ to do with this - that is a
kernel level function.

> 1. The L2F gets started when the Linux Kernel boots up.

In theory, it is part of the kernel, but you'd want to start this when
networking is started, as is done with the current firewall mechanisms.

> 2. The user is given a command line utility with the following syntax:
> 1. -add -s -d
> -a

Normally, this is handled with the existing firewall setup. I can see a
benefit of source address filtering, but what do you hope to do with
destination filtering? Example - you want to send to 192.0.2.22 which
has a MAC of DE:AD:BE:EF (although the network stack doesn't know that
yet), so the stack would ARP for this, and the source MAC filtering would
drop the ARP reply...

> 3. Once the user adds the rule, the L2F will add a node to its
>internal linked list. The L2F needs to capture the Ethernet frame and
>extract source and destination MAC addresses. If it matches any of the
>existing rules it should perform that action. The linked list should
>take care of all error conditions.

Yeah, that already happens, but I'm wondering what your requirement is.
The MAC address is only used on the local segment (and on certain PPP-over-
links), and is trivial to spoof. Have you lost control of your
LAN? Additionally, I'm wondering why this would be a _user_ function, as
most users can't even spell MAC, much less have a concept of what it's
used for.

Old guy
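
The rule list and frame-matching step from the original specification, written out as an added user-space C model (this is not the poster's project, the kernel's netfilter code or ebtables): a singly linked list of (source MAC, destination MAC, action) nodes, append/remove with duplicate and allocation checks, and a decision function over a raw frame. All names (`l2_rule`, `l2_add_rule`, `l2_remove_rule`, `l2_filter_frame`, `rule_head`) are hypothetical. The decision function deliberately ignores the EtherType, which is exactly why a DROP rule on a host's MAC also discards the ARP reply that host sends back, as pointed out above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define ETH_ALEN 6
#define ETH_HLEN 14   /* dst MAC(6) + src MAC(6) + EtherType(2) */
enum l2_action { L2_ACCEPT = 0, L2_DROP = 1 };
/* One node of the filter's rule list: the (src, dst) pair and the action. */
struct l2_rule {
    uint8_t src[ETH_ALEN], dst[ETH_ALEN];
    enum l2_action action;
    struct l2_rule *next;
};
static struct l2_rule *rule_head;   /* hypothetical global rule list */

/* Append a rule; returns 0, or -1 if it already exists or memory is exhausted. */
int l2_add_rule(const uint8_t *src, const uint8_t *dst, enum l2_action act) {
    struct l2_rule *r, **pp = &rule_head;
    for (; *pp; pp = &(*pp)->next)           /* walk to tail, rejecting duplicates */
        if (!memcmp((*pp)->src, src, ETH_ALEN) && !memcmp((*pp)->dst, dst, ETH_ALEN))
            return -1;
    if (!(r = calloc(1, sizeof *r))) return -1;
    memcpy(r->src, src, ETH_ALEN);
    memcpy(r->dst, dst, ETH_ALEN);
    r->action = act;
    *pp = r;                                 /* append: earlier rules win */
    return 0;
}

/* Unlink and free the rule for (src, dst); returns 1 if found, else 0. */
int l2_remove_rule(const uint8_t *src, const uint8_t *dst) {
    for (struct l2_rule **pp = &rule_head; *pp; pp = &(*pp)->next) {
        struct l2_rule *r = *pp;
        if (!memcmp(r->src, src, ETH_ALEN) && !memcmp(r->dst, dst, ETH_ALEN)) {
            *pp = r->next; free(r); return 1;
        }
    }
    return 0;
}

/* Decide on one raw frame: runts are dropped, first matching rule wins, default
   accept. EtherType is not checked, so a DROP rule on (host, us) also drops the
   ARP reply (EtherType 0x0806) that host sends to us. */
enum l2_action l2_filter_frame(const uint8_t *frame, size_t len) {
    if (len < ETH_HLEN) return L2_DROP;
    const uint8_t *dst = frame, *src = frame + ETH_ALEN;
    for (const struct l2_rule *r = rule_head; r; r = r->next)
        if (!memcmp(src, r->src, ETH_ALEN) && !memcmp(dst, r->dst, ETH_ALEN))
            return r->action;
    return L2_ACCEPT;
}
```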

Re: Layer 2 Filtering Project......

am 16.09.2006 05:43:01 von securebuddha

abhils44@gmail.com wrote:
> Is there anyone who knows how to implement this project? What are the
> necessary things to be considered for this.....
>
>
> The idea of this project is to implement a filter at layer 2
> (Ethernet). The user will be given a command line utility and he can
> add and remove rules into this filter. Depending on the rule, a decision
> needs to be made on the current Ethernet frame. Following is the
> specification:
>
> 1. The L2F gets started when the Linux Kernel boots up.
> 2. The user is given a command line utility with the following
> syntax:
> 1. -add -s -d
> -a
> 3. Once the user adds the rule, the L2F will add a node to its
> internal linked list. The L2F needs to capture the Ethernet frame and
> extract source and destination MAC addresses. If it matches any of the
> existing rules it should perform that action. The linked list should
> take care of all error conditions.

Sounds like a perfect candidate for the ebtables project. Here's the
URL: http://ebtables.sourceforge.net/

Good Luck.
Thomas R. Jones

Re: Layer 2 Filtering Project......

am 16.09.2006 12:22:28 von jf-no-spam-for-me

Hello there,

OpenBSD can do that with pfctl, as well as Linux. If you look for a
commercial product, Cisco can also do it either in switches/routers
(access-list), or with transparent firewalling.

Regards,
jF


wrote in the news message:
1158310673.484434.53770@i3g2000cwc.googlegroups.com...
> Is there anyone who knows how to implement this project? What are the
> necessary things to be considered for this.....
>
>
> The idea of this project is to implement a filter at layer 2
> (Ethernet). The user will be given a command line utility and he can
> add and remove rules into this filter. Depending on the rule, a decision
> needs to be made on the current Ethernet frame. Following is the
> specification:
>
> 1. The L2F gets started when the Linux Kernel boots up.
> 2. The user is given a command line utility with the following
> syntax:
> 1. -add -s -d
> -a
> 3. Once the user adds the rule, the L2F will add a node to its
> internal linked list. The L2F needs to capture the Ethernet frame and
> extract source and destination MAC addresses. If it matches any of the
> existing rules it should perform that action. The linked list should
> take care of all error conditions.
>