
Use MAC address filtering with internet sharing Network
Unfortunately, it doesn't appear to be possible to filter based on MAC addresses in ipfw. I was hoping to do this so that I could control who was accessing the internet through my computer when I ran internet sharing. However, I have discovered that it is possible to filter by MAC addresses -- you just have to do it in bootpd, the process that serves DHCP and doles out the IP addresses.

In case you've never heard of MAC addresses before, this hint is most useful for controlling who can join your airport network, and for sharing an internet connection over the same interface without serving DHCP to the rest of the network.

Unlike most UNIX programs, bootpd gets all of its options from NetInfo Manager. So, to set this option, you have to open up NetInfo Manager and go to the /config/dhcp directory. Make sure you are authenticated, then choose Add Property from the Directory menu. Call the property allow. On the values side, insert the MAC address of the first computer. Then, choose Insert Value and enter the next address, and continue until you have entered all of the addresses.

The format of the addresses in the list is slightly different from usual -- you must omit any leading zeros. So 00 becomes 0 and 07 becomes 7, but 30 and 4d are the same. This option and lots of other bootpd options are detailed in the bootpd man pages (man bootpd).

[robg adds: You can see the MAC address for a given machine on the Ethernet tab in the Network preferences.]

Use MAC address filtering with internet sharing
Authored by: boubet on Oct 08, '04 12:10:40PM

Can someone explain to me the difference between this hint and Apple's Knowledge Base article:
http://docs.info.apple.com/article.html?artnum=107849



[ Reply to This | # ]
Use MAC address filtering with internet sharing
Authored by: mace on Oct 08, '04 05:08:25PM

The Apple article is for assigning a specific address to a specific computer. I don't think it will deny access to computers that don't have that address. This will deny access to any computer not on the list, and it's simpler - just punch in the MAC addresses of the computers, and bootpd will take care of the IP addresses by itself.

Of course, you could use both to deny access to other computers and assign one of the allowed computers a specific IP address.



[ Reply to This | # ]
Do not use MAC address filtering as access control!
Authored by: j5 on Oct 08, '04 01:34:16PM
Remember folks: Never use MAC address filtering as access control!

Contrary to common belief, the MAC address of a network adapter is not fixed. It can be changed by the user. Using Windows, it is just a registry modification. Under Mac OS, it requires a bit more work (http://slagheap.net/etherspoof/).

"this hint is most useful for controlling who can join your airport network"

No. Sentences like this lead to all the insecure WLANs out there. Considering that it only protects you from inexperienced computer users, MAC address filtering is usually not worth the hassle.

[ Reply to This | # ]

Do not use MAC address filtering as access control!
Authored by: Chealion on Oct 08, '04 03:34:29PM

It may not be hack proof, but with MAC address filtering, who is going to bother having to sniff the network and determine the MAC Address and change the MAC address?

The whole idea of security is to make it inconvenient for the person who wants in.

Besides, the last time I did a scan around my neighbourhood, 45% of them were wide open (default everything). It's easier to just move to the next section. Saves time.

---
Chealion - The one and only! =)



[ Reply to This | # ]
Do not use MAC address filtering as access control!
Authored by: taxi on Oct 08, '04 11:15:06PM

Yeah. Reminds me of the 'purpose' of security systems for houses.

Doesn't make your house impenetrable, but makes it harder to break into (or more work) than your neighbour. Hence, casual burglars will steal your neighbours' stuff rather than yours.

The thing to note is that if you have something unique that people want, then you will need 'proper' security measures. But every Hollywood movie shows that dedicated enough [physical | informational] burglars will still get in, anyway.



[ Reply to This | # ]
Do not use MAC address filtering as access control!
Authored by: SeanKaneFLA on Oct 09, '04 11:44:44PM

I think the solution is somewhere in the middle. MAC Address filter is one step to help prevent unauthorized access to your data/network, but should be used in conjunction with other available options such as...

• encrypted passwords and data transmission
• do not broadcast the SSID
• change default password on router
• only administrate router via wired connection

No one mechanism will prevent hacking. In fact, a professional hacker can get past all of these. Make it harder though and it's less likely for this to happen to your home router.

Just my 2¢.
Sean



[ Reply to This | # ]
Use MAC address filtering with internet sharing
Authored by: _merlin on Oct 10, '04 07:47:48AM

This will not actually stop people from connecting to your network. All it will do is stop the DHCP server from issuing them with an IP address and providing information on router address, DNS server, etc.

Without spoofing the MAC address, a person could still connect by manually entering an IP address, or by using AppleTalk protocols.

It would be quite easy to work out what address range to choose an IP address in, and work out the router address. You'd only need to capture two or three TCP packets before you had enough information to guess with.



[ Reply to This | # ]
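
An added example, not part of the original hint or its comments: it converts MAC addresses written in common notations into the leading-zero-free form the hint says the bootpd allow property needs, then checks a BSD-style `arp -an` listing for hosts that are active on the shared network but missing from the allow list, which is the case _merlin's comment describes. The function names, addresses and ARP lines are constructed for illustration, and lowercase hex is an assumption taken from the hint's "4d" example.

```python
import re

def to_bootpd_format(mac):
    """Return mac as colon-separated hex bytes with leading zeros dropped."""
    mac = mac.strip()
    if ":" in mac or "-" in mac:
        parts = re.split(r"[:-]", mac)            # 00:07:E9:... or 00-07-e9-...
    else:
        flat = mac.replace(".", "")               # 0007.e930.4d0a or 0007e9304d0a
        parts = re.findall("..", flat) if len(flat) == 12 else []
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{1,2}", p) for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    # int() drops the leading zero: 00 -> 0, 07 -> 7, 30 and 4d unchanged.
    # Lowercase output is an assumption based on the hint's "4d".
    return ":".join(format(int(p, 16), "x") for p in parts)

# One entry of BSD-style `arp -an` output: "? (ip) at mac on ifname ..."
ARP_LINE = re.compile(
    r"\((\d{1,3}(?:\.\d{1,3}){3})\) at ((?:[0-9A-Fa-f]{1,2}:){5}[0-9A-Fa-f]{1,2})\b"
)

def unlisted_hosts(arp_output, allow):
    """Return (ip, mac) for every resolved ARP entry not on the allow list."""
    allowed = {to_bootpd_format(m) for m in allow}
    found = []
    for line in arp_output.splitlines():
        m = ARP_LINE.search(line)
        if not m:
            continue                              # "(incomplete)" entries, noise
        ip, mac = m.group(1), to_bootpd_format(m.group(2))
        if mac != "ff:ff:ff:ff:ff:ff" and mac not in allowed:
            found.append((ip, mac))               # on the wire without a lease
    return found

# Constructed sample data, not taken from the page.
ALLOW = ["00:07:E9:30:4D:0A", "0003.93aa.bb01"]
SAMPLE_ARP = """\
? (192.168.2.1) at 0:3:93:aa:bb:1 on en1 [ethernet]
? (192.168.2.2) at 0:7:e9:30:4d:a on en1 [ethernet]
? (192.168.2.7) at 0:11:24:5c:9:f2 on en1 [ethernet]
? (192.168.2.9) at (incomplete) on en1 [ethernet]
? (192.168.2.255) at ff:ff:ff:ff:ff:ff on en1 [ethernet]
"""

if __name__ == "__main__":
    for entry in ALLOW:
        print("allow value:", to_bootpd_format(entry))
    for ip, mac in unlisted_hosts(SAMPLE_ARP, ALLOW):
        print("not on allow list:", ip, mac)
```

A host reported here has talked to the sharing machine without being on the DHCP allow list, so it either set its address by hand or the list is out of date.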