MAC filter on server
on 29.01.2007 01:17:30 by Rick Merrill
I want to use a MAC address filter to allow only approved
users to access an FTP server (Linux).
The configuration is
me<->BEFSR41(NATandDHTP)<->ATA(w.NAT)<->CABLEMODEM ----
----BEFSR41(MAC filter?)<->#1Bridge#2<->SWITCH<->FTPserver
"Bridge" is PC with Win XP pro sp2 and two NICs (#11:10/100,
#2:10/100/1000)
Can this be done?
Re: MAC filter on server
on 29.01.2007 01:22:32 by roberson
In article ,
Rick Merrill wrote:
>I want to use a MAC address filter to allow only approved
>users to access an FTP server (Linux).
>The configuration is
>me<->BEFSR41(NATandDHTP)<->ATA(w.NAT)<->CABLEMODEM ----
>----BEFSR41(MAC filter?)<->#1Bridge#2<->SWITCH<->FTPserver
>"Bridge" is PC with Win XP pro sp2 and two NICs (#11:10/100,
>#2:10/100/1000)
MAC addresses are not preserved through IP routing, and are
not preserved through IPSec IP.
If the MACs you want to filter on are the ones at "me", then in
order to have them reach "MAC filter", you would have to use
a Layer 2 VPN, which is not available on the BEFSR41 itself.
Re: MAC filter on server
on 29.01.2007 01:26:24 by Rick Merrill
Walter Roberson wrote:
> In article ,
> Rick Merrill wrote:
>
>> I want to use a MAC address filter to allow only approved
>> users to access an FTP server (Linux).
>
>> The configuration is
>
>> me<->BEFSR41(NATandDHTP)<->ATA(w.NAT)<->CABLEMODEM ----
>> ----BEFSR41(MAC filter?)<->#1Bridge#2<->SWITCH<->FTPserver
>
>> "Bridge" is PC with Win XP pro sp2 and two NICs (#11:10/100,
>> #2:10/100/1000)
>
> MAC addresses are not preserved through IP routing, and are
> not preserved through IPSec IP.
>
> If the MACs you want to filter on are the ones at "me", then in
> order to have them reach "MAC filter", you would have to use
> a Layer 2 VPN, which is not available on the BEFSR41 itself.
Thank you, that's what I needed to know (and feared).
Is there any way to do an IP filter? (short of a VPN which I fear would
require changes at the end user (me and a few others).
Re: MAC filter on server
on 29.01.2007 01:40:08 by roberson
In article <6dednbNzq9asoiDYnZ2dnUVZ_v2dnZ2d@comcast.com>,
Rick Merrill wrote:
>Walter Roberson wrote:
>> In article ,
>> Rick Merrill wrote:
>>> me<->BEFSR41(NATandDHTP)<->ATA(w.NAT)<->CABLEMODEM ----
>>> ----BEFSR41(MAC filter?)<->#1Bridge#2<->SWITCH<->FTPserver
>Is there any way to do an IP filter? (short of a VPN which I fear would
>require changes at the end user (me and a few others).
Do you all have static IP addresses? I note you have a cable modem
in the mix; in these parts, unless you pay extra, you do not receive
a static IP on residential broadband connections. (The cable IPs
here don't change all that often, but do change; the DSL connections
here change IPs at least once a week.)
I don't know what the filtering capabilities of the BEFSR41 are.
The filters on the BEFVP41 have to do with blocking -outgoing-
access; if I recall correctly the filters on the BEFW11S4 are
very similar (I don't have mine plugged in right at the moment.)
My understanding is that the BEFSR41 is very similar to the
BEFW11S4 except with no wireless.
The easiest place to put in the IP filters would likely be the FTP
server... but first you have to be sure that the IPs aren't going
to vary (and that there isn't any legitimate reason to reach the
FTP server when, for example, you are visiting your folks for
the holidays.)
Re: MAC filter on server
on 29.01.2007 03:41:19 by Rick Merrill
Walter Roberson wrote:
> In article <6dednbNzq9asoiDYnZ2dnUVZ_v2dnZ2d@comcast.com>,
> Rick Merrill wrote:
>> Walter Roberson wrote:
>>> In article ,
>>> Rick Merrill wrote:
>
>>>> me<->BEFSR41(NATandDHTP)<->ATA(w.NAT)<->CABLEMODEM ----
>>>> ----BEFSR41(MAC filter?)<->#1Bridge#2<->SWITCH<->FTPserver
>
>> Is there any way to do an IP filter? (short of a VPN which I fear would
>> require changes at the end user (me and a few others).
>
> Do you all have static IP addresses? I note you have a cable modem
> in the mix; in these parts, unless you pay extra, you do not receive
> a static IP on residential broadband connections. (The cable IPs
> here don't change all that often, but do change; the DSL connections
> here change IPs at least once a week.)
>
> I don't know what the filtering capabilities of the BEFSR41 are.
> The filters on the BEFVP41 have to do with blocking -outgoing-
> access; if I recall correctly the filters on the BEFW11S4 are
> very similar (I don't have mine plugged in right at the moment.)
> My understanding is that the BEFSR41 is very similar to the
> BEFW11S4 except with no wireless.
>
> The easiest place to put in the IP filters would likely be the FTP
> server... but first you have to be sure that the IPs aren't going
> to vary (and that there isn't any legitimate reason to reach the
> FTP server when, for example, you are visiting your folks for
> the holidays.)
>
True, we have "dynamic" IP addresses, but mine has not changed in 6
months and since our region is not in active buildout further changes
are unanticipated - we'll just cross that bridge when we come to it.
No, there's no need to access the server from Aunt Nettie's house.
Unfortunately the Linux server is '3rd party' and inaccessible, at least
not without voiding the warranty :-) or should that be :-{
Now maybe someone can tell me how to block IP with Linux ...
Can any router or firewall block IP addresses for incoming traffic?
Re: MAC filter on server
on 29.01.2007 04:36:38 by roberson
In article <2ZOdnaPWg4tMwyDYnZ2dnUVZ_vOdnZ2d@comcast.com>,
Rick Merrill wrote:
>>>> In article ,
>>>> Rick Merrill wrote:
>>>>> me<->BEFSR41(NATandDHTP)<->ATA(w.NAT)<->CABLEMODEM ----
>>>>> ----BEFSR41(MAC filter?)<->#1Bridge#2<->SWITCH<->FTPserver
>Can any router or firewall block IP addresses for incoming traffic?
Well, the better ones.
I was going to say that "any firewall can do it", but these
days what are sold as "firewalls" to the consumer are not
necessarily very configurable.
Selective service by IP is very common in real firewalls, and not
uncommon in real routers. For example, as best I recall, it can
be done with all of the routers sold under the Cisco brand name
(except perhaps some of the early SOHO series); I am not familiar
with the newer Linksys-branded Cisco devices to know if any of them
support it.
Re: MAC filter on server
on 29.01.2007 16:34:23 by Rick Merrill
Walter Roberson wrote:
> In article <2ZOdnaPWg4tMwyDYnZ2dnUVZ_vOdnZ2d@comcast.com>,
> Rick Merrill wrote:
>>>>> In article ,
>>>>> Rick Merrill wrote:
>
>>>>>> me<->BEFSR41(NATandDHTP)<->ATA(w.NAT)<->CABLEMODEM ----
>>>>>> ----BEFSR41(MAC filter?)<->#1Bridge#2<->SWITCH<->FTPserver
>
>> Can any router or firewall block IP addresses for incoming traffic?
>
> Well, the better ones.
>
> I was going to say that "any firewall can do it", but these
> days what are sold as "firewalls" to the consumer are not
> necessarily very configurable.
>
> Selective service by IP is very common in real firewalls, and not
> uncommon in real routers. For example, as best I recall, it can
> be done with all of the routers sold under the Cisco brand name
> (except perhaps some of the early SOHO series); I am not familiar
> with the newer Linksys-branded Cisco devices to know if any of them
> support it.
I see I deluded myself about the Linksys capabilities. Thanks for
putting me straight!
I "spoke with" the Indian/Pakistani at the Linksys/Cisco support group
and he said I could block IP, but now I see that there was a
misunderstanding of which direction I was talking about!
Is there any s/w that could run on the "bridge" above that could block
all traffic that did not match a list of IP addresses?
Re: MAC filter on server
on 29.01.2007 16:47:42 by Ansgar -59cobalt- Wiechers
Rick Merrill wrote:
> I want to use a MAC address filter to allow only approved
> users to access an FTP server (Linux).
>
> The configuration is
>
> me<->BEFSR41(NATandDHTP)<->ATA(w.NAT)<->CABLEMODEM ----
>
> ----BEFSR41(MAC filter?)<->#1Bridge#2<->SWITCH<->FTPserver
>
> "Bridge" is PC with Win XP pro sp2 and two NICs (#11:10/100,
> #2:10/100/1000)
>
>
> Can this be done?
Not without major pains, and it would be rather pointless anyway,
because MAC addresses can be spoofed most easily. If you want to approve
users: use proper authentication.
cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
Re: MAC filter on server
on 29.01.2007 18:07:15 by roberson
In article ,
Rick Merrill wrote:
>>>>>>> me<->BEFSR41(NATandDHTP)<->ATA(w.NAT)<->CABLEMODEM ----
>>>>>>> ----BEFSR41(MAC filter?)<->#1Bridge#2<->SWITCH<->FTPserver
[Where Bridge is a Windows XP PC with two NICs]
>Is there any s/w that could run on the "bridge" above that could block
>all traffic that did not match a list of IP addresses?
How did you configure bridging on the XP? The most natural way
to configure that connection would be to use routing instead of
bridging. The way to configure bridging on XP doesn't spring to my
mind at the moment.
You could possibly use something as simple as Windows XP Firewall.
The way to put on ip filters on Linux depends on the Linux version,
I believe. These pages might help:
http://www.netfilter.org/
http://www.linuxfirewall.com/
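
Added example (not part of the original post): one way to express the IP filter discussed above with netfilter's iptables, emitting an `iptables-restore` ruleset that admits new FTP control connections (tcp/21) only from an allowlist. The `FTP_ALLOW` chain name and the addresses (RFC 5737 documentation ranges) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample allowlist; replace with the approved users' source IPs.
ALLOWED_IPS="192.0.2.10 198.51.100.25 203.0.113.7"

# Return 0 only for a dotted-quad IPv4 address with every octet in 0..255.
# The body runs in a subshell so the IFS change stays local.
valid_ipv4() (
    case "$1" in
        *[!0-9.]*|*..*|.*|*.|"") return 1 ;;
    esac
    IFS=.
    set -- $1
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
)

# Print a filter-table ruleset: new connections to tcp/21 are sent to the
# FTP_ALLOW chain, which accepts listed sources and drops everything else.
# Only the control port is filtered; a client that cannot open the control
# connection cannot negotiate a data transfer.
generate_rules() {
    echo "*filter"
    echo ":INPUT ACCEPT [0:0]"
    echo ":FORWARD ACCEPT [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo ":FTP_ALLOW - [0:0]"
    echo "-A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j FTP_ALLOW"
    for ip in $1; do
        if valid_ipv4 "$ip"; then
            echo "-A FTP_ALLOW -s $ip/32 -j ACCEPT"
        else
            # Malformed entries are skipped so they never become a rule.
            echo "skipping invalid address: $ip" >&2
        fi
    done
    echo "-A FTP_ALLOW -j DROP"
    echo "COMMIT"
}

generate_rules "$ALLOWED_IPS"
```

Review the printed ruleset before piping it to `iptables-restore`, which replaces the existing filter table. With dynamic addresses, as raised earlier in the thread, the allowlist has to be updated whenever an approved user's IP changes.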
Re: MAC filter on server
on 29.01.2007 19:15:03 by Rick Merrill
Ansgar -59cobalt- Wiechers wrote:
> Rick Merrill wrote:
>> I want to use a MAC address filter to allow only approved
>> users to access an FTP server (Linux).
>>
>> The configuration is
>>
>> me<->BEFSR41(NATandDHTP)<->ATA(w.NAT)<->CABLEMODEM ----
>>
>> ----BEFSR41(MAC filter?)<->#1Bridge#2<->SWITCH<->FTPserver
>>
>> "Bridge" is PC with Win XP pro sp2 and two NICs (#11:10/100,
>> #2:10/100/1000)
>>
>>
>> Can this be done?
>
> Not without major pains, and it would be rather pointless anyway,
> because MAC addresses can be spoofed most easily. If you want to approve
> users: use proper authentication.
And I've learned that MAC addresses do not get routed over the internet.
How do you do authenticate an IP address (the only id of the source)
that is simpler than using an IP filter?
Re: MAC filter on server
on 29.01.2007 19:33:15 by Volker Birk
Rick Merrill wrote:
> How do you do authenticate an IP address
http://standards.ieee.org/getieee802/download/802.1X-2004.pdf
Yours,
VB.
--
"Pornography is an abstract phenomenon. It cannot exist without a medium
to propagate it, and it has very little (if anything at all) to do with sex."
Tina Lorenz
Re: MAC filter on server
on 29.01.2007 22:51:16 by Rick Merrill
Volker Birk wrote:
> Rick Merrill wrote:
>> How do you do authenticate an IP address
>
> http://standards.ieee.org/getieee802/download/802.1X-2004.pdf
>
> Yours,
> VB.
Good ol' 802.1 ... let me rephrase my question: is there
any software that implements this?
Re: MAC filter on server
on 29.01.2007 23:26:42 by roberson
In article ,
Rick Merrill wrote:
>Volker Birk wrote:
>> Rick Merrill wrote:
>>> How do you do authenticate an IP address
>> http://standards.ieee.org/getieee802/download/802.1X-2004.pdf
>Good ol' 802.1 ... let me rephrase my question: is there
>any software that implements this?
Yes. There are, for example, Cisco clients... if you were
using a Cisco VPN server.
The following might be of assistance:
http://whitepapers.techrepublic.com.com/webcast.aspx?&docid=88367
IEEE 802.1x Authentication Client in Microsoft Windows for Wireless and Wired Networks
I suspect you will find that setting this all up is a lot more
trouble than the alternatives.
Re: MAC filter on server
on 30.01.2007 08:53:29 by Volker Birk
Rick Merrill wrote:
> Volker Birk wrote:
> > Rick Merrill wrote:
> >> How do you do authenticate an IP address
> > http://standards.ieee.org/getieee802/download/802.1X-2004.pdf
> Good ol' 802.1 ... let me rephrase my question: is there
> any software that implements this?
Yes, lots of hardware and software do implement this. Perhaps you want
to try a searching engine.
Yours,
VB.
--
"Pornography is an abstract phenomenon. It cannot exist without a medium
to propagate it, and it has very little (if anything at all) to do with sex."
Tina Lorenz
Re: MAC filter on server
on 30.01.2007 17:01:20 by Rick Merrill
Volker Birk wrote:
> Rick Merrill wrote:
>> Volker Birk wrote:
>>> Rick Merrill wrote:
>>>> How do you do authenticate an IP address
>>> http://standards.ieee.org/getieee802/download/802.1X-2004.pdf
>> Good ol' 802.1 ... let me rephrase my question: is there
>> any software that implements this?
>
> Yes, lots of hardware and software do implement this. Perhaps you want
> to try a searching engine.
>
> Yours,
> VB.
My search engine got me to this group ;-)
I want to block any IP that's not pre-approved or is unauthenticated.
I want to use hardware or WinXP-pro-sp2 software
I would rather Not use a VPN.
I want something that is bonehead simple
(even if I have a degree from MIT)
- RM
Re: MAC filter on server
on 30.01.2007 18:39:52 by unknown
Post removed (X-No-Archive: yes)
Re: MAC filter on server
on 30.01.2007 19:17:03 by Volker Birk
Rick Merrill wrote:
> Volker Birk wrote:
> > Rick Merrill wrote:
> >> Volker Birk wrote:
> >>> Rick Merrill wrote:
> >>>> How do you do authenticate an IP address
> >>> http://standards.ieee.org/getieee802/download/802.1X-2004.pdf
> >> Good ol' 802.1 ... let me rephrase my question: is there
> >> any software that implements this?
> > Yes, lots of hardware and software do implement this. Perhaps you want
> > to try a searching engine.
> My search engine got me to this group ;-)
Maybe you want to try Google, Yahoo or MSN then :-P
> I want to block any IP that's not pre-approved or is unauthenticated.
Then configure your switching hardware.
> I want something that is bonehead simple
OMN!
Yours,
VB.
--
"Pornography is an abstract phenomenon. It cannot exist without a medium
to propagate it, and it has very little (if anything at all) to do with sex."
Tina Lorenz