From: Craig R. <cr...@po...> - 2004-10-22 14:32:08
On Fri, 2004-10-22 at 20:50, Matthew Keller wrote:
> On Fri, 2004-10-22 at 02:05, Craig Ringer wrote:
> > I wouldn't mind at all if Samba could
> > be told to 'block MacOS/X clients' in some way, but that doesn't seem to
> > be possible so I'm using traditional network admin measures to take care
> > of it.
>
> Chris- I have a client for whom I built a custom system so he can enter an
> ethernet address on a webform (you could also do it by IP address, if
> you had Macs on different subnets), and Netfilter (aka iptables, aka
> Linux 2.4+ firewall) automatically drops SMB traffic (by port) to and
> from his Macs. We used ethernet address as we didn't have to worry about
> the IP address changing because DHCP had a feng shui moment.
>
> His edict was "Thou shalt not connect to Bruce [the server] with a Mac
> over Windows networking". Thy will be done. Just one of many possible
> solutions. :)

What we really need is partial MAC address match support in IPTables. After all, I think every OS/X capable machine has built-in Ethernet, and Apple has its own MAC allocation from IANA that they program the NICs with. Blocking SMB traffic for any host with a MAC address matching 00:0A:95:??:??:?? should work quite nicely.

It won't help if the Mac users are behind a router, nor will it help if a Mac has an add-in Ethernet card. For switched networks with normally configured Macs, though, it should work great.

I did a small amount of digging, but was unable to turn up any information about support for partial MAC address matches in NetATalk. I would be very surprised if it was hard to implement at least a simple "first X bytes" match, however ... should suggest that to the NetATalk folks.

--
Craig Ringer
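An added example, not from the thread and not Craig's or Matthew's setup: the iptables `mac` match only accepts an exact `--mac-source`, so the script below does the "first X bytes" comparison itself, in the shell, and expands the Apple OUI `00:0A:95` from the post into one exact-MAC DROP rule per SMB port for every host currently in the ARP table. The `arp -an` lines are constructed sample input; the choice of the INPUT chain, the four SMB ports (TCP 139/445, UDP 137/138) and the `OUI` value are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): emulate a partial MAC
# match by expanding an OUI prefix into exact 'iptables -m mac' rules.
# The OUI, the port list and the INPUT chain are assumptions of this example.

OUI="00:0a:95"        # Apple OUI mentioned in the post, lowercase for comparison
SMB_TCP="139 445"     # NetBIOS session / direct-hosted SMB
SMB_UDP="137 138"     # NetBIOS name service / datagram

# Constructed sample of 'arp -an' output on Linux (not a real capture).
SAMPLE_ARP='? (192.168.1.10) at 00:0a:95:12:34:56 [ether] on eth0
? (192.168.1.11) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.12) at 00:0A:95:AA:BB:CC [ether] on eth0
? (192.168.1.13) at <incomplete> on eth0'

# oui_matches MAC : succeed if the first three octets equal $OUI (case-insensitive)
oui_matches() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$mac" in
        "$OUI":*) return 0 ;;
        *)        return 1 ;;
    esac
}

# macs_with_oui : read 'arp -an' output on stdin, print matching MACs in lowercase,
# skipping incomplete ARP entries that carry no hardware address.
macs_with_oui() {
    awk '{ print $4 }' | tr 'A-F' 'a-f' | while read -r mac; do
        case "$mac" in
            ??:??:??:??:??:??) oui_matches "$mac" && printf '%s\n' "$mac" ;;
        esac
    done
}

# rules_for_mac MAC : print the iptables commands that drop SMB from one host.
# '-m mac' is only valid in PREROUTING, INPUT and FORWARD, so a server blocking
# its own SMB ports uses INPUT.
rules_for_mac() {
    for p in $SMB_TCP; do
        printf 'iptables -A INPUT -m mac --mac-source %s -p tcp --dport %s -j DROP\n' "$1" "$p"
    done
    for p in $SMB_UDP; do
        printf 'iptables -A INPUT -m mac --mac-source %s -p udp --dport %s -j DROP\n' "$1" "$p"
    done
}

# generate_rules : arp output on stdin -> one rule set per host with the OUI
generate_rules() {
    macs_with_oui | while read -r mac; do rules_for_mac "$mac"; done
}

# Preview against the sample; on a live server run:  arp -an | generate_rules | sh
printf '%s\n' "$SAMPLE_ARP" | generate_rules
```

Because the rules are expanded from whatever the ARP table holds at the moment, the script has to be re-run (from cron, or on a DHCP lease event) to pick up Macs that appear later, and it inherits the limits already stated in the post: a Mac behind a router shows up with the router's MAC, and an add-in card carries a different OUI.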