Andy> I'm playing with my firewall rules, trying to set up a rule that
Andy> will recognize my laptop's mac address on an incoming
Andy> connection.
Andy>
Andy> iptables -I INPUT -m mac --mac-source uu:vv:ww:xx:yy:zz -j LOG --log-prefix "Laptop Detected: "

This will only work if you have a bridged network; once you have a switch in the way, the MAC address will change. This is because you're looking at the low level packets, where the MAC addresses get re-written to reflect the next hop device that the packet needs to go to to get off the local network segment. Note, this is purely a low level ethernet issue, not an IP issue.

Andy> That worked fine. I saw the appropriate log entry when my
Andy> laptop pinged the firewall. The log entry showed the expected
Andy> mac address of my laptop. At that time, my laptop was plugged
Andy> into my home network, which is connected to the "internal"
Andy> interface of my firewall.
Andy>
Andy> I then set up iptables to log all incoming packets from the
Andy> firewall's external interface, and I noticed that in the log all
Andy> incoming mac source addresses are the same. I didn't expect
Andy> this. The address is 00:0b:bf:xx:xx:xx, which I think is a
Andy> piece of Cisco hardware, and I don't have any Cisco hardware at
Andy> home. Is this some hardware from my ISP?

Yup, it's the MAC address of the upstream ethernet device. Basically, all packets are sent to that MAC address when they go off your network.

Basically, what happens is that when you try to go to a new IP address (or when a new IP address attempts to contact you), the low level ethernet stack sends out an ARP (Address Resolution Protocol) request, saying "Who has this IP?" and waiting for a response from some other device, be it a bridge, a switch, an actual host, or whatever. This is how the low level ethernet knows where to forward packets within its network segment. Each hub has just a single MAC address for all its ports.

A computer should have a unique MAC address for each ethernet port, though Suns didn't do this for a long time. The idea was that you couldn't put two separate interfaces on the same network, since it caused problems. Obviously this was also on bridged networks, not switched ones, which are the standard today. For network switches, each port has its own MAC address.

Basically, every device on a network (low level, physical medium) has to have a unique MAC address, otherwise you run into problems. This is layer 2 stuff. Layer 1 is the physical media. TCP/IP are layers 3 and 4 respectively.

Hopefully this helps. I know I've skipped some details here.

John
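As an added example (not from this thread), a small Python parser for the iptables LOG lines Andy describes: it pulls the source MAC out of the MAC= field and flags whether that MAC can belong to the IP sender, which is only the case when the SRC address lies on the segment attached to the ingress interface; otherwise the MAC is the upstream hop's, as John explains. Interface names, subnets and the log lines are constructed.

```python
import ipaddress
import re

# Constructed sample lines in the format the iptables LOG target writes to the
# kernel log. The MAC= field is dst MAC (6 octets), src MAC (6), EtherType (2).
SAMPLE_LOG = """\
Laptop Detected: IN=eth1 OUT= MAC=00:50:56:aa:bb:cc:00:1c:42:11:22:33:08:00 SRC=192.168.1.20 DST=192.168.1.1 LEN=84 PROTO=ICMP TYPE=8
External: IN=eth0 OUT= MAC=00:50:56:dd:ee:ff:00:0b:bf:12:34:56:08:00 SRC=203.0.113.7 DST=198.51.100.9 LEN=60 PROTO=TCP DPT=22
External: IN=eth0 OUT= MAC=00:50:56:dd:ee:ff:00:0b:bf:12:34:56:08:00 SRC=192.0.2.55 DST=198.51.100.9 LEN=60 PROTO=TCP DPT=80
"""

# Assumed subnets directly attached to each firewall interface (constructed).
LOCAL_NETS = {"eth1": ipaddress.ip_network("192.168.1.0/24"),
              "eth0": ipaddress.ip_network("198.51.100.0/24")}

LINE_RE = re.compile(r"IN=(?P<iface>\S+) .*MAC=(?P<mac>[0-9a-f:]+) SRC=(?P<src>\S+)")


def parse_log_line(line):
    """Return (iface, src_mac, src_ip, ethertype), or None if the line has no MAC= field."""
    m = LINE_RE.search(line)
    if not m:
        return None
    octets = m["mac"].split(":")
    if len(octets) != 14:  # dst MAC + src MAC + EtherType
        return None
    src_mac = ":".join(octets[6:12])
    ethertype = "".join(octets[12:14])
    return m["iface"], src_mac, m["src"], ethertype


def classify(line):
    """Report whether the logged source MAC can be the IP sender's own address.
    That holds only when SRC is on the segment behind the ingress interface;
    for routed traffic the MAC is the next-hop device (the ISP's router here)."""
    parsed = parse_log_line(line)
    if parsed is None:
        return None
    iface, src_mac, src_ip, _ = parsed
    net = LOCAL_NETS.get(iface)
    on_segment = net is not None and ipaddress.ip_address(src_ip) in net
    return {"iface": iface, "src_mac": src_mac, "src_ip": src_ip,
            "mac_is_sender": on_segment}


def summarize(log_text):
    """Group the IP senders seen behind each (interface, source MAC) pair."""
    seen = {}
    for line in log_text.splitlines():
        c = classify(line)
        if c:
            seen.setdefault((c["iface"], c["src_mac"]), set()).add(c["src_ip"])
    return seen
```

Many distinct SRC addresses behind one MAC on eth0 is exactly the pattern Andy saw; a --mac-source match on that interface can only ever identify the upstream router.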