Astaro Gateway Feature Requests Forum

209 votes

Network Security: MAC Based Packet Filter Rules

Provide a means whereby the MAC addresses of hardware can be used to craft packet filter rules. Provides more precise security by avoiding the ability for a user to force an IP which should not be theirs, and thus gain access to filters based on that IP.

  1. Comments
  1. 2

Example: a server with 2 NICs, one static, one dynamic. The ability to restrict the server to, say, only the MS update sites via Web Security Profiles. So: MAC to Host object.

  2. 1

Just as a DNS Host, Host IP, or Network can be defined, add the ability to define and use the MAC address throughout Astaro.

  3. 2

We need these two features in MAC-based filtering:

    1. Attach a MAC address to a Network "Host" object and use this inside the packet filter. Allowing treating network user traffic on the basis of their MAC address instead of applying policies on their IPs. Thus a user can have QoS rules setup even if he comes with any IP from any Interface. Moreover only users defined in the MAC allowed list will be able to use the network at a specific time allowing time based blocking/allowing of network... more

  4. 2

Maybe a MAC filter is a layer 2 implementation, but it is security, and ASL is for security. It makes some parts of security easy. In some cases you can add a MAC address to a network host object and use this inside the packet filter, or you can group it into a network group and use this inside the packet filter. The case where I use this is:

Add all devices by MAC to an allow ACL group, and block all that is not in the MAC group list.

  5. 1

    MAC address to network host.

  6. 1

With the "attach a MAC address to a Network "Host" object and use this inside the packet filter" part, it's also IP independent, isn't it? I believe this is it.
But the part about the spoofing... I never thought about that, but it sounds good! It would be great if that can be built in as an extra feature...

  7. 2

I think it's the "Network "MAC Address" Object that matches always, no matter which IP address is used" that's the idea.
At least that's the use I'd give it.

  8. Admin

So does this mean you want to attach a MAC address to a Network "Host" object and use this inside the packet filter?

OR, does this mean you want to create a Network "MAC Address" Object that matches always, no matter which IP address is used?

OR do you want to make sure that somebody is not using ARP/MAC/IP spoofing to bypass the policy? This can be achieved by monitoring and enforcing ARP requests.

    Your feedback as comments is welcome!
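The three options the admin lists above, and the Layer 2 caveat raised later in the thread (a MAC is only visible on the directly attached segment, and it can be changed by the user), can be modelled in a few lines. The following Python is an added example written for this page; it is not Astaro/ASG code and does not use any ASG API. The host objects, MAC addresses, IPs and ARP observations are constructed sample data, and `HostObject`, `Rule`, `evaluate` and `check_arp` are hypothetical names chosen for the illustration.

```python
"""Model of MAC-bound host objects in a packet filter, plus an ARP consistency check.

Added example for the feature-request thread; not ASG code. All addresses are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff and return lower-case colon form."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class HostObject:
    """A network definition. ip only = classic host; mac only = option 2 ("MAC Address" object
    matching any IP); both = option 1 (host object with a MAC attached)."""
    name: str
    ip: Optional[str] = None
    mac: Optional[str] = None

    def __post_init__(self) -> None:
        if self.mac is not None:
            self.mac = normalize_mac(self.mac)

    def matches(self, src_ip: str, src_mac: str) -> bool:
        if self.mac is not None and normalize_mac(src_mac) != self.mac:
            return False
        if self.ip is not None and src_ip != self.ip:
            return False
        return True


@dataclass
class Rule:
    source: HostObject
    action: str  # "allow" or "drop"


@dataclass(frozen=True)
class Frame:
    """What the filter actually sees on an interface: the Ethernet source and the IP source."""
    src_mac: str
    src_ip: str


def evaluate(rules: List[Rule], frame: Frame, default: str = "drop") -> str:
    """First-match packet filter: the first rule whose source object matches decides."""
    for rule in rules:
        if rule.source.matches(frame.src_ip, frame.src_mac):
            return rule.action
    return default


def check_arp(bindings: Dict[str, str], observations: Iterable[Tuple[str, str]]) -> List[str]:
    """Option 3: monitor ARP. bindings maps IP -> expected MAC; observations are (ip, mac) pairs
    taken from ARP replies. Returns one alert per binding violation and one per IP that was
    answered by more than one MAC (the duplicate-AP case described later in the thread)."""
    seen: Dict[str, Set[str]] = {}
    alerts: List[str] = []
    for ip, mac in observations:
        mac = normalize_mac(mac)
        seen.setdefault(ip, set()).add(mac)
        expected = bindings.get(ip)
        if expected is not None and mac != expected:
            alerts.append(f"{ip} claimed by {mac}, bound to {expected}")
    for ip, macs in seen.items():
        if len(macs) > 1:
            alerts.append(f"{ip} answered from {len(macs)} MACs: {sorted(macs)}")
    return alerts


# Constructed objects: a server on the local segment and a PC in a routed subnet behind a router.
SERVER_MAC = "aa:bb:cc:00:00:01"
ROUTER_MAC = "aa:bb:cc:00:00:fe"
SERVER_BY_IP = HostObject("server-by-ip", ip="10.0.0.10")
SERVER_BOUND = HostObject("server-bound", ip="10.0.0.10", mac=SERVER_MAC)
LAPTOP_ANY_IP = HostObject("laptop-mac-only", mac="AA-BB-CC-00-00-02")
REMOTE_PC = HostObject("remote-pc", ip="10.2.0.7", mac="aa:bb:cc:00:00:42")


def demo() -> Dict[str, str]:
    """Compare IP-only and MAC-bound rules against constructed frames."""
    legit = Frame(SERVER_MAC, "10.0.0.10")
    squatter = Frame("aa:bb:cc:00:00:99", "10.0.0.10")  # user forced the server's IP
    laptop_dhcp = Frame("aa:bb:cc:00:00:02", "10.0.0.77")  # same laptop, whatever IP it got
    via_router = Frame(ROUTER_MAC, "10.2.0.7")  # routed frame carries the router's MAC
    return {
        "ip_only_squatter": evaluate([Rule(SERVER_BY_IP, "allow")], squatter),
        "bound_squatter": evaluate([Rule(SERVER_BOUND, "allow")], squatter),
        "bound_legit": evaluate([Rule(SERVER_BOUND, "allow")], legit),
        "mac_object_any_ip": evaluate([Rule(LAPTOP_ANY_IP, "allow")], laptop_dhcp),
        "routed_caveat": evaluate([Rule(REMOTE_PC, "allow")], via_router),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
    obs = [("10.0.0.10", SERVER_MAC), ("10.0.0.10", "aa:bb:cc:00:00:99"), ("10.0.0.1", ROUTER_MAC)]
    for line in check_arp({"10.0.0.10": SERVER_MAC}, obs):
        print("ALERT:", line)
```

The `routed_caveat` case is the point made later in the thread: a frame that arrives through a router carries the router's source MAC, so a MAC-bound host object for a machine in another subnet never matches and the MAC binding only protects the directly attached segment. The ARP check is the monitoring side of option 3; enforcement (dropping or alerting on the offending port) is whatever the platform offers.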

  9. 2

I don't even know why, with all the awesome stuff that Astaro has in it, this is still a feature request. I know blocking at the switch etc. is probably a cleaner solution, but for a small shop, if you can do it in one place then why not?
I am sure many schools that use Astaro would love this feature. Right now it's too easy for a user to just switch their IP and have full outbound access, bypassing the proxy etc. MAC filtering would deter most of that.

  10. 1

We would use this where a public WiFi WAP accidentally gets moved and plugged into our private network. A NAC feature where you can deny/allow certain devices would be of benefit.

  11. 3

This would be very useful in environments (for example) where you have lots of wireless bridges and someone plugs something "bad" into the network. In most cases, we currently end up creating blocking rules at Layer 2 on our switches. For example, when two idiots plug in a default-configured Access Point and we get multiple ARP responses for the same IP address, causing DHCP to break.

  12. 3

    Hello,

I think in smaller environments it will be useful to handle 2, 3 or 15 MACs.
When I try to limit the time of internet usage, the user (with admin privileges) only has to switch the IP within the same subnet to be able to surf (OK, over the proxy, but it works)...

If I use a small group of only 2 or 3 MACs that are allowed to surf without proxy and disable the proxy, I have more control to block the appropriate user.

  13. 2

Using MACs may help to protect against VPN access from an "illegal" system. Today it is more than easy to move a VPN config from, for example, Linux to a Windows system, or to transfer the config from Windows system A to Windows system B.

  14. 2

My question in the forum before searching here.

    ----
    Hallo,

Is there a way to use MAC IDs for defining rules etc.?
My problem:
I'm managing a private network where some users are "clever" enough to configure themselves fixed IPs that are known to have access to the internet.
But they are not clever enough to fake MAC IDs.

    Is there a way to solve my problem?

    Thanks

    Ralf Prengel

  15. I'd say MAC-based filtering is not a task for a (layer 3) firewall but more for a (layer 2) switch / NAC. Implementing it on a system like ASG would allow manipulation (there are plenty of freeware tools and possibilities to modify/fake a MAC address under Linux and MS Windows). Also, MAC address filtering is useless if you have a routed network.

  16. 3

Some customers apply packet filter policies using MAC addresses, because applying those policies using IPs is not the best way, especially if they use dynamic addressing; even if they use static addressing, some users can change their IP address and skip all applied policies.

  17. ISTM that full-blown NAC would be much better, but maybe too complex?

  18. Along with this, it could also be very handy to be able to define a host by MAC address. The current system of making definitions by IP Address only becomes a little more problematic when using dynamic addressing.

  19. 2

I'd say multihomed stations, stations without any kind of authentication method or where one isn't desired.
"Power user" stations for people that know how to circumvent other checks.

  20. Admin

Hi, what are the use cases you want to use it for?
