Paul Armstrong wrote:
> On Fri, Aug 16, 2002 at 11:30:59PM -0400, Jefferson Ogata wrote:
>
>> Caveat: I am not advocating MAC filtering in IP Filter. But there's more to
>> it than you are allowing here...
>
> The UNIX idea: Small tools each doing a small number of tasks (preferably one)
> well. Also leads to fewer bugs due to small amounts of code per tool.
>
> Things like IP-Tables which do everything under the sun (and then some) are
> just too large a lump of code.

Thank you for your opinion, Doctor.

>> Crist J. Clark wrote:
>>> On Fri, Aug 16, 2002 at 05:12:29PM -0500, taproot420 wrote:
>>>
>>>>> (4) If you want to lock MAC to IP mappings, you can do it
>>>>> with arp(8). (5) Nothing in IPFilter is Ethernet specific, don't make
>>>>> it depend on knowing Ethernet and what other link-layer protocols do
>>>>> you want to teach it?
>>>>
>
> If you want to do MAC address filtering, try using the right tool:
> http://www.bsdshell.net/hut_ethfw.html

You don't rede too gude do you, Doctor? Like I said, I am not advocating MAC
filtering in IP Filter.

Anyway, the tool you point to is specific to FreeBSD, and doesn't even address
the scenarios I cited, which you have conveniently snipped. ethfw, assuming it
even works, is ethernet-only. It doesn't appear to know anything about IP. The
scenarios I cited were ones where you need to verify that particular IPs are
associated with particular MAC addresses. You can't do that with plain MAC
filtering; you need to conjoin it with IP.

The UNIX philosophy you mentioned is a good one. Now all we need is a small
tool that does the task, not merely well, but at all. People ask for it in IP
Filter because it's not entirely unreasonable to want to implement as much of
your network perimeter policy in one place as possible: i.e. ipf.conf. Darren
has many times stated the reasons why it would be difficult or impossible for
IP Filter to do it, but that doesn't nullify the fact that MAC/IP filtering
has its uses.

--
Jefferson Ogata <[EMAIL PROTECTED]>
NOAA Computer Incident Response Team (N-CIRT) <[EMAIL PROTECTED]>
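The conjoined MAC/IP check the post argues for, as an added example that is not from the thread or from any of the tools it names: a static binding table (the kind you would pin with arp(8)) and a classifier that distinguishes what plain MAC filtering can catch from what only a MAC+IP check can. The frames and the binding table are constructed sample data.

```python
# Added illustration, not code from the mailing-list thread.
# EXPECTED_MAC plays the role of a locked IP -> MAC table (arp(8) -s style).
# Sample addresses are constructed for this example.

EXPECTED_MAC = {
    "192.168.1.10": "00:11:22:33:44:55",
    "192.168.1.11": "00:11:22:33:44:66",
}
ALLOWED_MACS = set(EXPECTED_MAC.values())


def classify(frame):
    """Verdict for one inbound frame given as {'src_mac': ..., 'src_ip': ...}.

    Plain MAC filtering only answers "is this MAC allowed at all?".
    Verifying that a given IP really comes from its bound MAC needs the
    second and third checks, which require seeing both layers at once.
    """
    mac = frame["src_mac"].lower()
    ip = frame["src_ip"]
    if mac not in ALLOWED_MACS:
        return "deny: unknown MAC"            # MAC-only filter catches this
    expected = EXPECTED_MAC.get(ip)
    if expected is None:
        return "deny: IP not in binding table"  # needs IP awareness
    if expected != mac:
        return "deny: IP/MAC mismatch"        # allowed MAC using another host's IP
    return "allow"


# Constructed sample traffic: one clean frame, one unknown MAC,
# one allowed MAC claiming a different host's IP, one unbound IP.
SAMPLE_FRAMES = [
    {"src_mac": "00:11:22:33:44:55", "src_ip": "192.168.1.10"},
    {"src_mac": "de:ad:be:ef:00:01", "src_ip": "192.168.1.10"},
    {"src_mac": "00:11:22:33:44:66", "src_ip": "192.168.1.10"},
    {"src_mac": "00:11:22:33:44:55", "src_ip": "192.168.1.99"},
]


def audit(frames):
    """Return (src_mac, src_ip, verdict) for every frame."""
    return [(f["src_mac"], f["src_ip"], classify(f)) for f in frames]


if __name__ == "__main__":
    for mac, ip, verdict in audit(SAMPLE_FRAMES):
        print(f"{mac} {ip:15} {verdict}")
```

The third sample frame is the case the post is about: its MAC passes any MAC-only filter, and only the binding lookup notices it is using a different host's address.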
