On 11/29/2010 5:18 AM, Gerald A wrote:
> On Mon, Nov 29, 2010 at 4:51 AM, James Bensley <jwbens...@gmail.com> wrote:
>> I think it would be a useful feature to have; if you have a
>> pfsense box at the end of a leased line, private virtual circuit
>> or vpn, it would be good to check the device at the other end has x
>> MAC address to try and rule out any security features like a MITM
>> attack or something like that...
> It really isn't that useful, since spoofing a MAC address is fairly
> trivial. So, the theoretical MITM attack prevention would just be
> false security, and might be why pfsense doesn't support it. Now, it
> might be nice to have something in place to make things harder, but
> this wouldn't be adding anything hard to work around.
> Thanks,
> Gerald
If you're using pfsense with unknown clients it's beneficial. For example
a hotel: you have no idea who is connecting, and where they are
connecting from. Most of the time the users have no idea how to change
the MAC address, not to mention they would know that is the problem. If
they do, you deal with it at that point.
I understand it's a false sense of security, but I can see how it would
be helpful. Maybe a package can be made with the understanding that it's
not 100% foolproof.
You could also make this same argument for the captive portal MAC
address filtering, and that's been in pfsense forever.
Adam
--
Adam M Piasecki
MidAtlanticBroadband
Office: 410-727-8250 x 123
Cell: 940-224-4837
Fax: 410-727-8245
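The check James proposes (pin the MAC of the peer at the far end of a link) and Gerald's objection to it (a spoofed MAC passes the pin) can both be seen in a small script. The code below is an added example, not code from this thread or from pfSense; it assumes the FreeBSD `arp -an` line format that a pfSense box prints, and the sample ARP lines, IPs and MACs are constructed. It compares the ARP table against a pinned-MAC table and, as a weak spoofing heuristic, flags one MAC answering for several IPs on the same interface (proxy ARP also produces that pattern, so it is informational only).

```python
import re
from typing import Dict, List, Tuple

# Assumed FreeBSD/pfSense `arp -an` line format, e.g.
#   ? (10.0.0.1) at 00:11:22:33:44:55 on em0 expires in 1187 seconds [ethernet]
# Hostnames in place of "?" are accepted; "(incomplete)" entries are recognised.
ARP_LINE = re.compile(
    r"\S+\s+\((?P<ip>[\d.]+)\)\s+at\s+(?P<mac>[0-9a-f:]{17}|\(incomplete\))\s+on\s+(?P<iface>\S+)",
    re.IGNORECASE,
)

# Constructed sample output; not captured from a real system.
SAMPLE_ARP = """\
? (10.0.0.1) at 00:11:22:33:44:55 on em0 expires in 1187 seconds [ethernet]
? (10.0.0.2) at 00:11:22:33:44:55 on em0 expires in 600 seconds [ethernet]
? (10.0.0.3) at (incomplete) on em0 expired [ethernet]
? (192.168.1.254) at 0a:0b:0c:0d:0e:0f on em1 permanent [ethernet]
"""

# Constructed pin table: IP of the far-end device -> MAC the operator expects.
EXPECTED = {
    "192.168.1.254": "0A:0B:0C:0D:0E:0F",  # matches the table (case-insensitive)
    "10.0.0.2": "de:ad:be:ef:00:02",       # table shows a different MAC
    "10.0.0.3": "00:00:00:00:00:03",       # only an incomplete entry exists
}


def parse_arp(output: str) -> Dict[str, Tuple[str, str]]:
    """Map IP -> (lower-cased MAC, interface). Incomplete entries are skipped."""
    table: Dict[str, Tuple[str, str]] = {}
    for line in output.splitlines():
        m = ARP_LINE.search(line)
        if not m or m.group("mac").startswith("("):
            continue
        table[m.group("ip")] = (m.group("mac").lower(), m.group("iface"))
    return table


def check_peers(arp_output: str, expected: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for pinned peers.

    A MAC that was spoofed to equal the pinned value passes this check,
    so it is a consistency check on the link, not authentication of the peer.
    """
    table = parse_arp(arp_output)
    findings: List[Tuple[str, str]] = []
    for ip, pinned in expected.items():
        pinned = pinned.lower()
        if ip not in table:
            findings.append(("warn", f"{ip}: no complete ARP entry (peer silent or unreachable)"))
        elif table[ip][0] != pinned:
            findings.append(("alert", f"{ip}: MAC {table[ip][0]} != pinned {pinned}"))

    # Heuristic: one MAC claiming several IPs on the same interface.
    # Legitimate with proxy ARP, so reported as "info" rather than "alert".
    by_mac: Dict[Tuple[str, str], List[str]] = {}
    for ip, (mac, iface) in table.items():
        by_mac.setdefault((mac, iface), []).append(ip)
    for (mac, iface), ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("info", f"{mac} on {iface} answers for {len(ips)} IPs: {', '.join(sorted(ips))}"))
    return findings


if __name__ == "__main__":
    for severity, message in check_peers(SAMPLE_ARP, EXPECTED):
        print(f"[{severity}] {message}")
```

On a real box the `SAMPLE_ARP` string would be replaced by the output of `arp -an`, and the script run from cron so that a changed peer MAC raises an alert rather than silently passing. The alert is still only a hint: as Gerald notes, an attacker who clones the pinned MAC is indistinguishable from the real peer at this layer.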