Re: FN-FORUM: Linux Firewall MAC Filtering
date posted 10th March 2003 17:28
On Mon, 10 Mar 2003, Ken Smith wrote:
> My webserver (Linux/Apache) is being showered with GET requests for
> pages that don't exist (porn ones). Apache is responding 404 and logging
> and it's not really causing a problem but I'd like to block the traffic.
> It's traffic on my WAN link I don't want. According to ethereal the GET
> requests all come from the same MAC address but the source IP address is
> random.
Unless the requests are being generated by someone whose host is on the same
network segment as your host (i.e. you've got a co-located web server on a
flat network with a bunch of other random customers of the same hosting
company) then that MAC address will almost certainly be that of the router
(MAC addresses aren't normally passed across the Internet, unless you're
doing some kind of layer 2 tunneling such as ethernet-over-IP), so blocking
traffic on that basis /will/ block all incoming traffic.
You can confirm this by looking in the ARP cache of your host:

    netstat -rn   # to show default gateway (route for 0.0.0.0 destination)
    arp -an       # to show arp cache

To be honest, blocking it won't save you much anyway (only Apache's outbound
404 messages) as by the time the request has come in and is blocked by your
firewall, it's already used up that tiny bit of your bandwidth quota.
> Regds
> Ken
Best Regards,
Alex.
--
Alex Butcher Brainbench MVP for Internet Security: www.brainbench.com
Bristol, UK Need reliable and secure network systems?
PGP/GnuPG ID:0x271fd950
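
The check described in the reply above, as an added example that is not part of the original message: it reads `netstat -rn` and `arp -an` output and reports whether the MAC address seen on the inbound requests is the default gateway's. The function names and the sample addresses (documentation ranges) are constructed for illustration, and Linux net-tools output formats are assumed.

```shell
#!/bin/sh
# Constructed sample output (not from the original post).
ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.0.2.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         192.0.2.1       0.0.0.0         UG        0 0          0 eth0'

ARP='? (192.0.2.1) at 00:00:5E:00:53:01 [ether] on eth0
? (192.0.2.9) at <incomplete> on eth0
? (192.0.2.20) at 00:00:5E:00:53:14 [ether] on eth0'

# Read `netstat -rn` output on stdin; print the gateway of the 0.0.0.0 route.
default_gateway() {
    awk '$1 == "0.0.0.0" && $4 ~ /G/ { print $2; exit }'
}

# Read `arp -an` output on stdin; print the lowercased MAC cached for IP $1.
# Unresolved (<incomplete>) entries are skipped.
mac_of_ip() {
    awk -v ip="($1)" '$2 == ip && $3 == "at" && $4 != "<incomplete>" {
        print tolower($4); exit }'
}

# classify_mac SEEN_MAC ROUTES_TEXT ARP_TEXT
# Prints "gateway" when SEEN_MAC is the default router's address (a MAC
# filter on it would drop all routed inbound traffic), or "local-host"
# when the sender sits on the same network segment.
classify_mac() {
    # Normalise 00-AA-... and 00:AA:... to lowercase colon form.
    seen=$(printf '%s' "$1" | tr 'A-F-' 'a-f:')
    gw=$(printf '%s\n' "$2" | default_gateway)
    [ -n "$gw" ] || { echo "no-default-route"; return 2; }
    gw_mac=$(printf '%s\n' "$3" | mac_of_ip "$gw")
    [ -n "$gw_mac" ] || { echo "gateway-not-in-arp-cache"; return 2; }
    if [ "$seen" = "$gw_mac" ]; then
        echo "gateway"
    else
        echo "local-host"
    fi
}

# Live use on the affected host, with the MAC copied from the capture:
#   classify_mac "$SEEN_MAC" "$(netstat -rn)" "$(arp -an)"
```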