Re: location based firewall



On Sat, Mar 05, 2011 at 03:20:29PM -0500, Chuck Anderson wrote:
> On Sat, Mar 05, 2011 at 05:55:54PM +0100, Matej Kovacic wrote:
> > Hi,
> > 
> > > We've talked about this sort of vague plan in the past, tweaking the
> > > firewall settings based on your location.  Obviously that doesn't work
> > > so well for wired because you're never 100% sure what network you're
> > > connected to, but for wifi if the AP requires a passphrase or is WPA
> > > Enterprise, you're pretty sure you can trust your location.
> > What about arp -a or nmap gateway IP?
> 
> Using the MAC address of the gateway as discovered by ARP seems 
> reasonable, but nmapping the gateway IP is not.  I will ban any device 
> on my network that scans the router.
> 
> Keep in mind though that sometimes the MAC address might change...like 
> various redundancy setups, hardware replacement, etc.  It might also 
> change if you plug into a different subnet of the same router in the 
> same administrative domain (or it might not, depending on the model 
> and configuration of the router(s)).  That could be useful or not 
> depending on your perspective.  I suppose that would happen 
> infrequently enough that the MAC address is "good enough" for a stable 
> LAN identifier.  Ideally, the user should be able to pick a location 
> such that they could associate the same location with the various 
> subnets and/or WiFi SSIDs they connect to that are part of the same 
> administrative domain.

More issues:

If VRRP or similar protocols are in use, you could have the same MAC 
address on different networks in different administrative domains.

Perhaps the key should be a combination of various parameters, such as 
subnet address/prefix length, gateway IP, and gateway MAC.
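A sketch of the combined key proposed above, as an added example that is not code from the thread: it derives one identifier from subnet/prefix length, gateway IP and gateway MAC, and shows why the MAC alone collides across two VRRP sites. The VRRP virtual-router MAC prefix 00:00:5e:00:01 is from RFC 5798; the addresses are constructed sample data.

```python
import hashlib
import ipaddress

# Added example, not from the thread. VRRP virtual routers answer ARP with
# 00:00:5e:00:01:<VRID> (RFC 5798), so two unrelated networks using the same
# VRID present the same gateway MAC; that is the collision the reply warns about.
VRRP_MAC_PREFIX = "00:00:5e:00:01:"


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_vrrp_mac(mac: str) -> bool:
    """True when the gateway MAC is a VRRP virtual MAC (weak as a sole identifier)."""
    return normalize_mac(mac).startswith(VRRP_MAC_PREFIX)


def mac_only_key(gateway_mac: str) -> str:
    """The naive key: gateway MAC alone."""
    return hashlib.sha256(normalize_mac(gateway_mac).encode()).hexdigest()[:16]


def location_key(local_ip: str, prefix_len: int, gateway_ip: str, gateway_mac: str) -> str:
    """Combined key: subnet address/prefix length + gateway IP + gateway MAC.
    The host address is reduced to its network so every host on the subnet
    derives the same key, which a per-location firewall profile needs."""
    network = ipaddress.ip_network(f"{local_ip}/{prefix_len}", strict=False)
    gateway = ipaddress.ip_address(gateway_ip)
    if gateway not in network:
        raise ValueError(f"gateway {gateway} is not inside {network.with_prefixlen}")
    material = f"{network.with_prefixlen}|{gateway}|{normalize_mac(gateway_mac)}"
    return hashlib.sha256(material.encode()).hexdigest()[:16]


# Constructed sample: two unrelated sites both running VRRP with VRID 1, so both
# gateways show the same virtual MAC (written the way different arp tools print it).
HOME = dict(local_ip="192.168.1.23", prefix_len=24,
            gateway_ip="192.168.1.1", gateway_mac="00:00:5E:00:01:01")
OFFICE = dict(local_ip="10.20.30.77", prefix_len=22,
              gateway_ip="10.20.28.1", gateway_mac="00-00-5e-00-01-01")

if __name__ == "__main__":
    print("MAC-only keys collide:", mac_only_key(HOME["gateway_mac"]) == mac_only_key(OFFICE["gateway_mac"]))
    print("combined keys differ:", location_key(**HOME) != location_key(**OFFICE))
```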

