-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi everybody,

I'm playing with my firewall rules, trying to set up a rule that will recognize my laptop's MAC address on an incoming connection.

I tried this:

iptables -I INPUT -m mac --mac-source uu:vv:ww:xx:yy:zz -j LOG --log-prefix "Laptop Detected: "

That worked fine. I saw the appropriate log entry when my laptop pinged the firewall. The log entry showed the expected MAC address of my laptop. At that time, my laptop was plugged into my home network, which is connected to the "internal" interface of my firewall.

I then set up iptables to log all incoming packets from the firewall's external interface, and I noticed that in the log all incoming MAC source addresses are the same. I didn't expect this. The address is 00:0b:bf:xx:xx:xx, which I think is a piece of Cisco hardware, and I don't have any Cisco hardware at home. Is this some hardware from my ISP?

I'm guessing somebody is rewriting the packets to replace the source MAC address, but clearly my knowledge of this is lacking, and thus I'm confused. Any helpers?

Thanks,

Andy

-- 
Andy Stewart, Founder
Worcester Linux Users' Group
Worcester, MA, USA
http://www.wlug.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iD8DBQFE95kJHl0iXDssISsRAmcUAJ4zD1PDX+TmZca7gzdmtvf7DwWgxACfUH4B
3awkKwfmcBN7nmu/WXjsre4=
=6u9G
-----END PGP SIGNATURE-----
Andy,

MAC addresses work at layer 2. When a router receives a packet, it strips off the MAC addresses, looks at its destination, appends its own MAC addresses, and forwards out the appropriate interface. The MAC you're seeing is probably your ISP's router.

On 8/31/06, Andy Stewart <andystewart@comcast.net> wrote:
_______________________________________________
Wlug mailing list
Wlug@mail.wlug.org
http://mail.wlug.org/mailman/listinfo/wlug
Andy> I'm playing with my firewall rules, trying to setup a rule that
Andy> will recognize my laptop's mac address on an incoming
Andy> connection.

Andy> iptables -I INPUT -m mac --mac-source uu:vv:ww:xx:yy:zz -j LOG
Andy> --log-prefix "Laptop Detected: "

This will only work if you have a bridged network; once you have a switch in the way, the MAC address will change. This is because you're looking at the low-level packets, where the MAC addresses get rewritten to reflect the next-hop device that the packet needs to go to to get off the local network segment. Note, this is purely a low-level Ethernet issue, not an IP issue.

Andy> That worked fine. I saw the appropriate log entry when my
Andy> laptop ping'd the firewall. The log entry showed the expected
Andy> mac address of my laptop. At that time, my laptop was plugged
Andy> into my home network, which is connected to the "internal"
Andy> interface of my firewall.

Andy> I then setup iptables to log all incoming packets from the
Andy> firewall's external interface, and I noticed that in the log all
Andy> incoming mac source addresses are the same. I didn't expect
Andy> this. The address is 00:0b:bf:xx:xx:xx, which I think is a
Andy> piece of Cisco hardware, and I don't have any Cisco hardware at
Andy> home. Is this some hardware from my ISP ?

Yup, it's the MAC address of the upstream Ethernet device. Basically, all packets are sent to that MAC address when they go off your network.

Basically, what happens is that when you try to go to a new IP address (or when a new IP address attempts to contact you), the low-level Ethernet stack sends out an ARP (Address Resolution Protocol) request, saying "Who has this IP?" and waiting for a response from some other device, be it a bridge, a switch, an actual host, or whatever. This is how the low-level Ethernet knows where to forward packets within its network segment. Each hub has just a single MAC address for all its ports.

A computer should have a unique MAC address for each Ethernet port, though Suns didn't do this for a long time. The idea was that you couldn't put two separate interfaces on the same network, since it caused problems. Obviously this was also on bridged networks, not switched ones, which are the standard today. For network switches, each port has its own MAC address. Basically, every device on a network (low-level, physical medium) has to have a unique MAC address, otherwise you run into problems. This is layer 2 stuff. Layer 1 is the physical media. TCP/IP are layers 3 and 4 respectively.

Hopefully this helps. I know I've skipped some details here.

John
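John's ARP description above (the stack broadcasts "Who has this IP?" and whoever owns the address answers) explains, together with the on-link-or-gateway decision the IP stack makes first, why one MAC keeps turning up: a host only ever ARPs for addresses on its own segment, so anything beyond the segment resolves to the gateway's MAC, and the same thing happens in the other direction when the ISP's router delivers inbound traffic. The following is an added example, not code from the thread, that encodes and decodes RFC 826 ARP frames in pure Python and walks the exchange from both sides. All hosts, addresses and MAC tables are constructed for the example; the external subnet, gateway address and the 00:0b:bf router MAC are assumptions.

```python
import ipaddress
import struct

# Ethernet II / RFC 826 constants (not from the thread).
ETH_P_ARP = 0x0806
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"

# Constructed topology for the firewall's external interface. The ISP router
# MAC reuses the 00:0b:bf prefix from the thread; everything else is made up.
FIREWALL_MAC, FIREWALL_IP = "00:50:56:aa:bb:00", "198.51.100.9"
EXTERNAL_NET, GATEWAY_IP = "198.51.100.0/24", "198.51.100.1"
ISP_ROUTER = {"198.51.100.1": "00:0b:bf:12:34:56"}     # owns the gateway IP
NEIGHBOUR = {"198.51.100.37": "00:16:cb:11:22:33"}     # another on-link host
EXTERNAL_SEGMENT = [ISP_ROUTER, NEIGHBOUR]             # who hears the broadcast


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying one ARP packet (42 bytes). Requests are
    broadcast; replies are unicast back to the requester."""
    eth_dst = BROADCAST if op == ARP_REQUEST else target_mac
    header = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    body = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op)
    body += mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    body += mac_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return header + body


def parse_arp(frame):
    """Decode an Ethernet/ARP frame; raises ValueError on anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("unsupported ARP encoding")
    return {
        "eth_dst": mac_str(frame[0:6]),
        "eth_src": mac_str(frame[6:12]),
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": str(ipaddress.IPv4Address(frame[28:32])),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": str(ipaddress.IPv4Address(frame[38:42])),
    }


def arp_responder(frame, owned):
    """What a host (or router) on the segment does with a request: answer only
    for IPs it owns. `owned` maps IP -> MAC. Returns the reply frame or None."""
    req = parse_arp(frame)
    if req["op"] != ARP_REQUEST or req["target_ip"] not in owned:
        return None
    return build_arp(ARP_REPLY, owned[req["target_ip"]], req["target_ip"],
                     req["sender_mac"], req["sender_ip"])


def resolve_next_hop(dst_ip, my_mac, my_ip, local_net, gateway_ip, segment):
    """The decision made before ARPing: on-link destinations are resolved
    directly, everything else resolves the gateway. Returns (IP that was ARPed
    for, MAC that answered or None)."""
    net = ipaddress.IPv4Network(local_net, strict=False)
    arp_for = dst_ip if ipaddress.IPv4Address(dst_ip) in net else gateway_ip
    request = build_arp(ARP_REQUEST, my_mac, my_ip, ZERO_MAC, arp_for)
    for owned in segment:
        reply = arp_responder(request, owned)
        if reply is not None:
            return arp_for, parse_arp(reply)["sender_mac"]
    return arp_for, None


if __name__ == "__main__":
    for dst in ("203.0.113.7", "198.51.100.37", "198.51.100.99"):
        arped, mac = resolve_next_hop(dst, FIREWALL_MAC, FIREWALL_IP,
                                      EXTERNAL_NET, GATEWAY_IP, EXTERNAL_SEGMENT)
        print(f"to reach {dst}: ARP for {arped} -> frames addressed to {mac}")
```

The Internet host 203.0.113.7 never appears in any ARP exchange: the firewall ARPs for 198.51.100.1 and every frame to or from the outside world carries the router's 00:0b:bf MAC, which is exactly what the external-interface log shows.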
On Fri, Sep 01, 2006 at 10:40:25AM -0400, John Stoffel wrote:
> This will only work if you have a bridged network, once you have a
> switch in the way, the MAC address will change. This is because

Nope - a switch is logically identical to a bridge with more than two ports. A packet forwarded by a router will have the router's MAC address because the router has to generate a new ethernet frame with the same ethernet payload as the original packet, while a switch will blindly forward the packet to wherever its FDB tells it to.

> For network switches, each port has it's own MAC address. Basically,

Only if the switch supports spanning tree, and only for spanning tree - those per-port MACs aren't used for anything else.

-- 
Frank Sweetser fs at wpi.edu | For every problem, there is a solution that
WPI Network Engineer         | is simple, elegant, and wrong. - HL Mencken
GPG fingerprint = 6174 1257 129E 0D21 D8D4 E8A3 8E39 29E3 E2E8 8CEC
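Frank's distinction above (a router writes a fresh Ethernet header, a switch forwards the frame untouched) is visible in the firewall's own LOG output: the `MAC=` field the LOG target writes is the raw 14-byte Ethernet header, destination MAC, then source MAC, then the EtherType, so it records the last layer-2 hop, not the originating host. The script below is an added example, not code from the thread, that parses such lines and groups frame source MACs per ingress interface; a single source MAC fronting many IP sources is the signature of a router upstream. The practical consequence for Andy's rule is that `-m mac --mac-source` can only identify a host on a directly attached segment, and even there the MAC is whatever the sender chose to put in the frame, so it is a convenience for logging, not authentication. The log lines are constructed for the example (eth0 is assumed to be the external interface and eth1 the internal one; the 00:0b:bf router prefix is the one from the thread, all other addresses are made up).

```python
import re
from collections import defaultdict

# Constructed sample kernel-log lines in the layout the iptables LOG target
# emits (IN=/OUT=/MAC=/SRC=/DST=...). Assumed: eth0 = external, eth1 = internal.
SAMPLE_LOG = """\
Sep  1 10:02:11 fw kernel: Laptop Detected: IN=eth1 OUT= MAC=00:50:56:aa:bb:01:00:16:cb:11:22:33:08:00 SRC=192.168.1.20 DST=192.168.1.1 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Sep  1 10:02:15 fw kernel: EXT: IN=eth0 OUT= MAC=00:50:56:aa:bb:00:00:0b:bf:12:34:56:08:00 SRC=203.0.113.7 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=51000 DPT=22
Sep  1 10:02:16 fw kernel: EXT: IN=eth0 OUT= MAC=00:50:56:aa:bb:00:00:0b:bf:12:34:56:08:00 SRC=192.0.2.44 DST=198.51.100.9 LEN=48 PROTO=TCP SPT=4431 DPT=80
Sep  1 10:02:18 fw kernel: INT: IN=eth1 OUT= MAC=00:50:56:aa:bb:01:00:1a:2b:3c:4d:5e:08:00 SRC=192.168.1.31 DST=192.168.1.1 LEN=76 PROTO=UDP SPT=5353 DPT=53
Sep  1 10:02:20 fw kernel: EXT: IN=eth0 OUT= MAC=00:50:56:aa:bb:00:00:0b:bf:12:34:56:08:00 SRC=198.18.5.5 DST=198.51.100.9 LEN=40 PROTO=TCP SPT=40000 DPT=443
Sep  1 10:02:21 fw kernel: INT: IN=eth1 OUT= MAC=00:50:56:aa:bb:01:00:16:cb:11:22:33:08:00 SRC=192.168.1.20 DST=198.51.100.9 LEN=52 PROTO=TCP SPT=33000 DPT=22
"""

# MAC= holds the Ethernet header as colon-separated hex bytes:
# 6 bytes destination MAC, 6 bytes source MAC, 2 bytes EtherType.
LOG_RE = re.compile(
    r"IN=(?P<ifin>\S*) OUT=(?P<ifout>\S*) MAC=(?P<mac>[0-9a-fA-F:]+) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
)


def parse_log_line(line):
    """Return the layer-2 and layer-3 addresses of one LOG line, or None for
    lines without a MAC= field (e.g. locally generated OUTPUT traffic)."""
    m = LOG_RE.search(line)
    if not m:
        return None
    octets = m.group("mac").lower().split(":")
    if len(octets) != 14:
        return None
    return {
        "iface": m.group("ifin"),
        "dst_mac": ":".join(octets[0:6]),
        "src_mac": ":".join(octets[6:12]),
        "ethertype": "".join(octets[12:14]),
        "src_ip": m.group("src"),
        "dst_ip": m.group("dst"),
    }


def src_macs_per_interface(log_text):
    """{ingress interface: {frame source MAC: sorted list of IP sources}} for
    IPv4 frames (EtherType 0800)."""
    table = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec and rec["ethertype"] == "0800":
            table[rec["iface"]][rec["src_mac"]].add(rec["src_ip"])
    return {iface: {mac: sorted(ips) for mac, ips in macs.items()}
            for iface, macs in table.items()}


def probable_routers(table, min_distinct_ips=2):
    """Source MACs that front several IP sources on one interface: a layer-3
    device rewriting Ethernet headers, not an end host."""
    return {iface: sorted(mac for mac, ips in macs.items() if len(ips) >= min_distinct_ips)
            for iface, macs in table.items()}


def interfaces_where_mac_seen(table, mac):
    """Interfaces on which `--mac-source mac` could ever match; a host behind a
    router never appears here, because its MAC never crosses that router."""
    return sorted(iface for iface, macs in table.items() if mac.lower() in macs)


if __name__ == "__main__":
    table = src_macs_per_interface(SAMPLE_LOG)
    for iface, macs in sorted(table.items()):
        for mac, ips in macs.items():
            print(f"{iface}: src MAC {mac} (OUI {mac[:8]}) carried {len(ips)} IP source(s): {', '.join(ips)}")
    print("probable next-hop routers:", probable_routers(table))
    print("laptop rule can match on:", interfaces_where_mac_seen(table, "00:16:cb:11:22:33"))
```

Run against real logs with `grep 'MAC=' /var/log/kern.log | python3 thisfile.py` after replacing SAMPLE_LOG with `sys.stdin.read()`; on a typical home firewall the external interface collapses to one OUI, the ISP's.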
Frank> On Fri, Sep 01, 2006 at 10:40:25AM -0400, John Stoffel wrote:
Frank> > This will only work if you have a bridged network, once you have a
Frank> > switch in the way, the MAC address will change. This is because

Frank> Nope - a switch is logically identical to a bridge with more
Frank> than two ports. A packet forwarded by a router will have the
Frank> router's MAC address because the router has to generate a new
Frank> ethernet frame with the same ethernet payload as the original
Frank> packet, while a switch will blindly forward the packet to
Frank> wherever its FDB tells it to.

Details details... don't confuse me with facts! *grin* You're right of course.

Frank> > For network switches, each port has its own MAC address. Basically,

Frank> Only if the switch supports spanning tree, and only for
Frank> spanning tree - those per-port MACs aren't used for anything
Frank> else.

Yup, that's the details I mis-remembered. Then again, who pays attention to this stuff any more? *grin*

John
participants (4)
- Andy Stewart
- Frank Sweetser
- John Stoffel
- Justin Odom