New MAC-IP Matching Module Released
Netservers Ltd., the developers of the FireRack firewall, have released a new high-performance MAC-IP matching module for the Linux kernel.
FireRack is a firewall appliance built on a heavily customised Linux kernel. One of the most widely used features of the FireRack firewall in the educational market is "MAC Matching". Simply put, MAC Matching provides anti-spoofing protection for a local network by tying each IP address to the hardware address it is expected to come from.
Each network card ships with a factory-configured MAC address. By recording the MAC addresses of some or all of the computers on a network and associating each one with a static IP address, the firewall can detect and drop packets whose source IP address arrives from a MAC address other than the one recorded for it. Two caveats apply. The check only works on the network segment directly attached to the firewall, because the source MAC it sees is that of the last layer-2 hop rather than the original sender. And a MAC address can be changed in software on most operating systems, so this stops accidental or casual address misuse rather than an attacker who clones both the MAC and the IP address of a registered machine.
Although the Linux kernel has long had a simple MAC-matching module (the netfilter "mac" match, used as -m mac --mac-source), it has serious performance problems when a large number of MAC-IP pairs need to be checked. Each rule can test only one MAC address, so validating the pairs for, say, 1,000 machines requires 1,000 iptables rules, and netfilter evaluates the rules in a chain one after another. A ruleset this large carries considerable overhead both when it is loaded and, in operation, on every packet that traverses the chain.
Using the new kernel module, FireRack can check the MAC-IP pair of every packet with a single iptables rule. The table of MAC-IP pairs itself is held outside iptables/netfilter, in a structure that is far more efficient at this lookup than a long chain of rules.
FireRack can now scale efficiently to many thousands of MAC-IP pairs. Additionally, MAC-IP entries can be added to or removed from the table in real time without reloading the iptables ruleset.
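To make the two rule layouts contrasted above concrete, here is an added example (not FireRack's code, and not the module announced here). The first function generates the per-host rules that the stock netfilter "mac" match forces on you; the second expresses the same kind of check with the pair table held outside the ruleset and a single iptables rule, using the mainline ipset "hash:ip,mac" set type as a stand-in for the design the article describes. Both functions print the commands for review rather than running them, so the script runs without root or a real firewall. The interface name eth1, the set names, and the three host addresses are constructed sample data, and the ipset layout covers only the "registered IP must arrive from its recorded card" direction.

```shell
#!/bin/sh
# Added example, not FireRack's code. Prints iptables/ipset commands for
# review instead of executing them (executing needs root and a real host).

# Constructed sample table of registered hosts: "ip mac" per line.
PAIRS='10.0.0.11 00:11:22:33:44:01
10.0.0.12 00:11:22:33:44:02
10.0.0.13 00:11:22:33:44:03'

LAN_IF=eth1   # assumed name of the inside (LAN-facing) interface

# Layout 1: the stock netfilter mac match, two rules per registered host.
# The rule count grows linearly with the table, and every LAN packet walks
# the chain until it reaches a rule that matches it.
gen_per_pair_rules() {
    printf '%s\n' "$PAIRS" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        # A registered IP arriving from any other card: spoofed IP, drop it.
        printf 'iptables -A FORWARD -i %s -s %s -m mac ! --mac-source %s -j DROP\n' \
            "$LAN_IF" "$ip" "$mac"
        # A registered card using any other IP: address changed, drop it.
        printf 'iptables -A FORWARD -i %s ! -s %s -m mac --mac-source %s -j DROP\n' \
            "$LAN_IF" "$ip" "$mac"
    done
}

# Layout 2: the pair table lives outside the ruleset, in an ipset hash:ip,mac
# set, and ONE iptables rule consults it. Entries are added and removed with
# "ipset add" / "ipset del" while the rule stays in place; no reload needed.
gen_ipset_rules() {
    printf 'ipset create macpairs hash:ip,mac -exist\n'
    printf 'ipset create regips hash:ip -exist\n'
    printf '%s\n' "$PAIRS" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        printf 'ipset add macpairs %s,%s -exist\n' "$ip" "$mac"
        printf 'ipset add regips %s -exist\n' "$ip"
    done
    # Drop a packet whose source IP is registered but whose (src IP, src MAC)
    # pair is not in the table; hosts with no entry are left alone, as above.
    printf 'iptables -A FORWARD -i %s -m set --match-set regips src -m set ! --match-set macpairs src,src -j DROP\n' \
        "$LAN_IF"
}

# Count how many iptables rules a given layout produces for the table.
count_iptables_rules() { "$1" | grep -c '^iptables'; }

# Usage: inspect the output, then feed it to a root shell, e.g.
#   gen_ipset_rules | sudo sh
echo "per-pair rules: $(count_iptables_rules gen_per_pair_rules)"
echo "ipset rules:    $(count_iptables_rules gen_ipset_rules)"
```

With three hosts the difference is already visible (six rules versus one); with a thousand it is the difference between a chain that every packet may traverse end to end and a single hash lookup, which is the point the announcement makes about the FireRack module.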
Kernel developers who are interested can download a copy of this module here: [MAC-IP Match Module]