On Wednesday 11 June 2003 02:53 am, Stefan Neufeind wrote:
> I took a look at nocat and it really seems to do almost the things
> I'm looking for *g* Thank you.
>
> But I have a recommendation / question: Wouldn't it be possible to
> also check the MAC of clients on the net? This way we could make
> IP-hijacking (as written in the nocat-whitepaper) a lot harder I think.
>
> Unfortunately I don't know if this is possible with something like
> iptables - since mac-addresses work on a different (lower) layer.
Sure. The problem is that NoCat is designed for wireless networks, and you cannot trust MAC addresses from them - they are too easily spoofed. I think wired networks may suffer from the same issue, but have not verified this.

FWIW, NoCatAuth already -does- match MAC addresses with IP addresses, unless you disable it.

If you really need control down to the individual port, just get a box with a very large number of network interfaces, instead of a switch, and hack NoCatAuth to operate based on physical interface instead of addressing.

- Keegan
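As an added illustration of the IP-to-MAC binding check discussed above (example code written for this page, not NoCatAuth's own), the script below records the MAC seen at login for each authenticated IP, re-reads a `/proc/net/arp`-style table, and flags any session whose IP is now answered by a different MAC. The session table and ARP lines are constructed sample data; the final comment shows why a cloned MAC passes the check, which is Keegan's point about spoofing.

```python
"""Gateway-side IP/MAC binding check (illustrative, not NoCatAuth code)."""

from typing import Dict, List, Tuple

# Constructed sample: MAC and user recorded when each client IP authenticated.
SESSIONS: Dict[str, Tuple[str, str]] = {
    "10.0.0.12": ("00:0a:95:9d:68:16", "alice"),
    "10.0.0.13": ("00:0a:95:9d:68:17", "bob"),
}

# Constructed sample in /proc/net/arp layout: IP, HW type, flags, HW address, mask, device.
ARP_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
10.0.0.12        0x1         0x2         00:0a:95:9d:68:16     *        wlan0
10.0.0.13        0x1         0x2         00:16:cb:aa:bb:cc     *        wlan0
10.0.0.14        0x1         0x2         00:16:cb:aa:bb:cd     *        wlan0
"""


def parse_arp(text: str) -> Dict[str, str]:
    """Map IP -> MAC, skipping the header line and incomplete entries (flags 0x0)."""
    table: Dict[str, str] = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6 or fields[2] == "0x0":
            continue
        table[fields[0]] = fields[3].lower()
    return table


def find_mismatches(sessions: Dict[str, Tuple[str, str]],
                    arp: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Sessions whose IP is now answered by a MAC other than the one seen at login.

    Returns (ip, user, login_mac, seen_mac) tuples. A host that also clones the
    login MAC produces no entry: the check only raises the bar, as the thread notes.
    """
    out = []
    for ip, (mac, user) in sessions.items():
        seen = arp.get(ip)
        if seen is not None and seen != mac.lower():
            out.append((ip, user, mac, seen))
    return out


def unauthenticated(sessions: Dict[str, Tuple[str, str]], arp: Dict[str, str]) -> List[str]:
    """IPs in the ARP table with no authenticated session (should stay on the default-deny path)."""
    return sorted(ip for ip in arp if ip not in sessions)


if __name__ == "__main__":
    arp = parse_arp(ARP_TABLE)
    for ip, user, expected, seen in find_mismatches(SESSIONS, arp):
        print(f"ALERT {ip} ({user}): MAC at login {expected}, now {seen}")
    print("no session:", unauthenticated(SESSIONS, arp))
```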