Network Security: MAC-Based Packet Filter Rules
Provide a means whereby the MAC addresses of hardware can be used to craft packet filter rules. Provides more precise security by avoiding the ability for a user to force an IP which should not be theirs, and thus gain access to filters based on that IP.
Allow rules to be configured that deny or allow traversal of the firewall based on MAC address. The reason for this is to allow devices that may be headless or difficult to configure the access, or lack thereof, they need without having to have DHCP reservations. Though a MAC address is easily spoofed, it is probably less likely, in a corporate environment, than someone discovering an unrestricted IP.
Obviously this would only pertain to internal devices on the same segment as the ASG.
The following are currently supported by iptables.
iptables -A INPUT -m mac --mac-source 00:0A:0B:0C:0D:0E -j DROP
As an added bonus maybe add the ability to match IP and MAC.
iptables -A INPUT -p tcp -s 192.168.1.200 -m mac --mac-source 00:0A:0B:0C:0D:0E -j DROP
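As an added example (not part of the original request and not Astaro's own code), the two iptables matches above combined into a default-deny allow-list of MAC/IP pairs on one LAN interface; the interface name, the chain name MAC_ALLOW and the address pairs are constructed assumptions. The function only prints the rules, so it can be reviewed before being applied as root; as the request notes, the MAC match only works for hosts on the segment directly attached to the firewall.

```shell
#!/bin/sh
# Constructed example: emit iptables rules that allow traffic from the LAN
# interface only when BOTH the source MAC and the source IP match an
# approved pair; every other frame from that interface is logged and dropped.
LAN_IF="${LAN_IF:-eth1}"   # assumption: internal segment interface

# Constructed allow-list, one "MAC IP" pair per line.
# The third entry is deliberately malformed to show the validation step.
ALLOWED='
00:0A:0B:0C:0D:0E 192.168.1.200
00:0A:0B:0C:0D:0F 192.168.1.201
ZZ:00:00:00:00:00 192.168.1.202
'

# A MAC must be six colon-separated hex octets (case-insensitive).
valid_mac() {
    printf '%s' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Print the rule set to stdout without applying it (pipe to sh as root to apply).
gen_mac_rules() {
    printf 'iptables -N MAC_ALLOW 2>/dev/null\n'
    printf 'iptables -F MAC_ALLOW\n'
    printf '%s\n' "$ALLOWED" | while read -r mac ip; do
        [ -z "$mac" ] && continue
        valid_mac "$mac" || { echo "skipping invalid MAC: $mac" >&2; continue; }
        # RETURN hands an approved MAC/IP pair back to normal INPUT/FORWARD processing.
        printf 'iptables -A MAC_ALLOW -i %s -s %s -m mac --mac-source %s -j RETURN\n' \
            "$LAN_IF" "$ip" "$mac"
    done
    # Unlisted or mismatched (spoofed IP on a known MAC, or unknown MAC) falls through.
    printf 'iptables -A MAC_ALLOW -i %s -m limit --limit 5/min -j LOG --log-prefix "MAC-DENY: "\n' "$LAN_IF"
    printf 'iptables -A MAC_ALLOW -i %s -j DROP\n' "$LAN_IF"
    # Hook the chain in front of everything else for traffic arriving on the LAN interface.
    printf 'iptables -I INPUT 1 -i %s -j MAC_ALLOW\n' "$LAN_IF"
    printf 'iptables -I FORWARD 1 -i %s -j MAC_ALLOW\n' "$LAN_IF"
}

gen_mac_rules
```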
This feature has been released as part of UTM 9.1. Enjoy!
Rhapsody Barbrow commented
Looks like "late" 2012 isn't going to happen..... What about 2013 Q1, is that still on the table?
Come on guys! It's about time!!!
Casey C commented
Please add this feature. It is crucial for our RED deployments to have the ability to lock down which devices can connect from behind them.
PLEASE - This is a basic feature other firewalls have and is extremely useful when users are changing IP address to bypass security
Ahmad Chughtai commented
We would definitely like to have this feature. We need to restrict our remote users to certain devices that they use to access our system. It is becoming critical for us.
Opus Capital Markets, IL
Please implement this ASAP!!!
Leland Vandervort commented
A definite requirement when using REDs in bridged LAN mode. The ability to apply MAC-based packet filter rules will also help avoid remote-site users from trying to connect any old device onto the corporate network from behind the RED/bridge.
PLEASE incorporate this functionality soon. I have certain abusers that are able to somehow circumvent our P2P restrictions and due to the kind of company we are, where employees bring in their personal equipment, IP filtering is not an answer.
Very frustrating that I cannot do this! I've got a client who has plugged an unauthorized device into the network and I'd like to restrict its access.
Samuel Pachao commented
When will it be available on Astaro?
Perhaps since Astaro is a security company, they hesitate to implement something as inherently insecure as MAC address filtering.
fritz jung commented
This feature is a basic function of good firewall systems. I looked for this feature in the documentation, but haven't found it. I wish that the Astaro developers would implement this feature ASAP.
Scott Klassen commented
The status is that it is a feature request with a lot of points. If Astaro is actively considering adding this feature the status will change to "under review". If Astaro decides to add it, the status will change to "planned". If coding work has begun, the status will change to "started".
What is the status on this??
Julian Abuin commented
It should be a great feature.
Really would like to see this feature. Like others have said, cheap Linksys routers can do it, why can't Astaro do it?
It would be a great help!!!
I really thought I was overlooking this feature, and didn't realize it wasn't possible. Even the cheapest Linksys firewalls can easily do this.
This is Linux, so just about anything's possible. I hope this feature comes out soon!