> > > another method. use the arp cache to check source ip addresses
> > > against physical layer addresses, local net packets coming from the Net
> > > router, rather than direct from the local machine should be dropped.
> > > this is also sufficient to protect against the spoofing attack from the Net.
> >
> > How hard would it be to modify tcpwrapper (for example) to check the incoming
> > MAC address on a connection and to be worried if it came from a list of
> > routers but the address was the local net?
>
> I think you'll find that the MAC addresses are unavailable once the packet
> has passed through the ethernet code. I went digging yesterday, looking
> for _any_ way to get at the MAC header from the IP routines and found, not
> surprisingly, that the MAC header is kept separately to the rest of the
> packet, which is passed up to the IP stuff as an mbuf.

It's also worth noting that if the attacker is passing through the same router as a trusted host -- say, an outside host that's been blessed by a .rhosts file -- then the MAC address will be correct.
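The ARP-cache check proposed in the quoted message, together with the limitation pointed out in the reply, written out as a link-layer filter. This is an added example, not code from anyone in the thread; the local network, router MAC and ARP cache entries are constructed sample values.

```python
"""Link-layer sanity check for packets claiming a local source address."""
from ipaddress import ip_address, ip_network

# Constructed sample values; none of these come from the original thread.
LOCAL_NET = ip_network("192.168.1.0/24")
ROUTER_MACS = {"00:00:0c:aa:bb:cc"}            # MAC(s) of the router to the Net
ARP_CACHE = {                                   # ip -> mac, as learned via ARP
    "192.168.1.10": "08:00:20:11:22:33",
    "192.168.1.20": "08:00:20:44:55:66",
}

def check_frame(src_mac, src_ip, local_net=LOCAL_NET,
                router_macs=ROUTER_MACS, arp_cache=ARP_CACHE):
    """Return (verdict, reason) for one inbound Ethernet frame.

    This has to run while the Ethernet header is still attached, i.e. in
    the driver or filter layer; by the time the packet reaches the IP
    routines the MAC header is gone, as the reply notes.
    """
    src_mac = src_mac.lower()
    addr = ip_address(src_ip)
    if addr not in local_net:
        # Remote source: arriving from the router's MAC is exactly what we
        # expect, so one outside host impersonating another (trusted)
        # outside host is invisible to this check.
        return ("accept", "remote source via router")
    if src_mac in router_macs:
        return ("drop", "local source address arrived from the Net router")
    known = arp_cache.get(str(addr))
    if known is None:
        return ("drop", "local source address with no ARP cache entry")
    if known.lower() != src_mac:
        return ("drop", "source MAC does not match ARP cache entry")
    return ("accept", "local source consistent with ARP cache")

if __name__ == "__main__":
    frames = [
        ("08:00:20:11:22:33", "192.168.1.10"),   # genuine local host
        ("00:00:0c:aa:bb:cc", "192.168.1.10"),   # local address, router MAC
        ("08:00:20:99:99:99", "192.168.1.20"),   # local address, wrong MAC
        ("00:00:0c:aa:bb:cc", "10.9.8.7"),       # remote source, not checkable
    ]
    for mac, ip in frames:
        print(mac, ip, *check_frame(mac, ip))
```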