
List:       openbsd-pf
Subject:    Re: WiFi WDS and MAC filtering
From:       Kelley Reynolds <schnozzy () verbotenplanet ! net>
Date:       2005-04-20 22:35:38
Message-ID: 1b6cfb926bd2630d25db3c8951eee7b0 () verbotenplanet ! net


On Apr 19, 2005, at 7:32 PM, Kimi Ostro wrote:

> On 4/19/05, Kelley Reynolds <kelley@insidesystems.net> wrote:
>> Is there any way to filter based on MAC addresses for a  
>> single-interface machine running in a wireless WDS configuration?  
>> From the docs, it doesn't look like a single-interface bridge will  
>> work like that, if it would work at all.
>>
>
> Simple answer, NO.
>
> Plus it is not such a good idea any how because MAC addresses can
> be spoofed/changed, see:
>
> http://www.theedge.net/~dingo/sea.c
> http://www.openbsd.org/cgi-bin/cvsweb/src/sbin/ifconfig/ifconfig.c?rev=1.132&content-type=text/x-cvsweb-markup
>
> You may be better off with a secure link (IPSec, ssl tunnel, ssh or
> something) between the two wireless bridges.

Well, here is the problem I am trying to solve. In a WDS network, there  
could be several nodes in between an edge node and a gateway. Rather  
than forward the traffic all the way to the gateway then decide that I  
didn't want to forward it (wasting valuable time rebroadcasting  
packets), I want each node to have knowledge of which MACs are
acceptable to forward and which aren't so that only accepted traffic  
can pass. Now, I also know that MAC addresses can be mangled and  
tweaked, but this isn't an idea to keep out Kevin Mitnick, it's merely  
to prevent the nodes in the WDS network from wasting their time  
switching between sending and receiving for common cases and to prevent  
non-legitimate inter-node traffic (things that don't hit the end  
gateway).
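As an added illustration of the per-hop idea described above (example code written for this archive, not from the list posters or from OpenBSD): a small simulation of a linear WDS chain where every relay holds the same MAC allowlist, compared with a chain where only the gateway filters. The chain length, MAC addresses and allowlist are constructed.

```python
"""Simulate per-hop MAC allowlist filtering in a linear WDS chain.

Constructed topology: n0 (edge) -> n1 -> n2 -> gw. Each relay that
accepts a frame rebroadcasts it to the next hop, costing air-time.
The allowlist matches the *claimed* source MAC, so this only saves
air-time on ordinary traffic; it is not authentication (the thread
already notes that MAC addresses can be changed).
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed allowlist of MACs the nodes agree to forward.
ALLOWED: FrozenSet[str] = frozenset({"00:11:22:33:44:55", "00:11:22:33:44:66"})


@dataclass
class Node:
    name: str
    allowlist: Optional[FrozenSet[str]]  # None means this node does not filter

    def accepts(self, src_mac: str) -> bool:
        return self.allowlist is None or src_mac.lower() in self.allowlist


def forward(chain: List[Node], src_mac: str) -> Tuple[bool, int, str]:
    """Push one frame along the chain.

    Returns (delivered, relay_transmissions, name_of_dropping_node).
    The last node is the gateway; it delivers rather than rebroadcasts.
    """
    relays = 0
    for i, node in enumerate(chain):
        if not node.accepts(src_mac):
            return False, relays, node.name
        if i < len(chain) - 1:
            relays += 1  # relay spends air-time rebroadcasting onward
    return True, relays, ""


def compare(allowlist: FrozenSet[str], src_mac: str, hops: int = 3):
    """Gateway-only filtering versus the same allowlist applied at every hop."""
    gateway_only = [Node(f"n{i}", None) for i in range(hops)] + [Node("gw", allowlist)]
    per_hop = [Node(f"n{i}", allowlist) for i in range(hops)] + [Node("gw", allowlist)]
    return forward(gateway_only, src_mac), forward(per_hop, src_mac)


if __name__ == "__main__":
    for mac in ("00:11:22:33:44:55", "de:ad:be:ef:00:01"):  # constructed source MACs
        gw_only, every_hop = compare(ALLOWED, mac)
        print(f"{mac}: gateway-only {gw_only}, per-hop {every_hop}")
```

For an unlisted source MAC the gateway-only chain spends three relay transmissions before dropping the frame at the gateway, while the per-hop chain drops it at the edge node with none.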