This is a frequently asked question both here and elsewhere, including 
squid-specific forums.

The question arises from an imperfect understanding of IP networking.  One of 
the cornerstones of IP is the decoupling of data-link and network layers.  
There is no inherent requirement in IP to even have a MAC address - that is a 
peculiarity of Ethernet (and several other network types).  The ARP protocol 
exists to *prevent* administrators from needing to know MAC addresses!

Any method for tying squid ACLs to MAC addresses relies on several 
unjustifiable assumptions.  One, that MAC addresses are fixed, unique 
identifiers.  They are not - it is trivial to change MAC addresses.  And two, 
that the squid server can know the client's MAC address.  This is only valid in 
the case of a single, unrouted Ethernet LAN.  As soon as an IP packet crosses a 
router, you lose the MAC data.  There are several scenarios where using a 
wireless network will produce untrustable MAC addresses.

Lastly, this concept attempts to directly couple the top and bottom layers of 
the OSI model.  The layers of the OSI model exist precisely so that the Data 
Link layer is fully independent from the Session layer.

The best solution is generally considered to be the use of proxy 
authentication, which ties rules to individual users - this is usually the goal 
anyway!

-Adam
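The contrast Adam draws, written out as squid.conf fragments. This is an added example, not configuration from the original post or from the Squid project; the network range, MAC address, user names, realm and the path to the basic_ncsa_auth helper are placeholders and will differ per installation.

```conf
# Added example (not from the original thread or the Squid project). Addresses,
# user names and helper path are assumed placeholders.

# --- What the question describes: privileges keyed to the client IP.
# Any client that takes an address in this range inherits its access, which is
# exactly the problem reported. Kept here commented out as the "before" state.
#acl staffnet src 10.0.1.0/24
#http_access allow staffnet

# --- What the question asks for: privileges keyed to the client MAC.
# Squid can only learn a MAC when the client is on the same Ethernet segment
# as the proxy (ARP); across a router the MAC seen is the router's. The client
# can also set its MAC to whatever it likes, so this is no stronger than the IP
# rule. (Squid 3.2 and later name this ACL type 'eui' rather than 'arp'.)
#acl staffmac arp 00:11:22:33:44:55
#http_access allow staffmac

# --- The approach the reply recommends: proxy authentication.
# Rules are attached to an authenticated user rather than to whatever Layer 2
# or Layer 3 identifier the client happens to present.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Proxy login
auth_param basic credentialsttl 2 hours

acl authenticated proxy_auth REQUIRED
acl staff proxy_auth alice bob

# Elevated access is granted by user; everyone else must still log in, and
# anything unauthenticated is denied regardless of address.
http_access allow staff
http_access allow authenticated
http_access deny all
```

The password file for basic_ncsa_auth is an htpasswd-format file. Basic authentication sends the credentials base64-encoded, so on an untrusted network prefer the digest or negotiate (Kerberos) schemes, which Squid supports through the same auth_param mechanism. Since the question uses squidGuard, note that its `src` blocks accept `user` entries as well as `ip` entries; once Squid performs proxy authentication it passes the user name to the redirector, so the per-group privileges can be moved from IP lists to user lists.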


"Shali K.R." <[email protected]> wrote:

>Dear all,
>
>I have a doubt. I am using pfSense with squid and squidGuard, and my
>different privilege configurations are based on IP address in squidGuard, but
>some of my users are changing their IPs and getting unauthorized access. Is there
>any method to trace the MAC IDs?
>-- 
>Thanks & Regards
>
>Shali K R
>Server Administrator
>Vidya Academy of Science & Technology
>Thrissur, Kerala.
>Mob: 9846303531
