Linux Firewall With Comcast

I use Comcast to connect to the internet. I use Linux on most of my machines, and on my firewall as well. Comcast does not officially support Linux, so if you want to run Linux on the machine that connects to the internet, you are on your own.

For the installation, you are required to use Windows to run a program that connects your machine to the internet. This does not need to be run on the machine that will function as your firewall. This program seems to register your ethernet card’s Media Access Control address (a unique identifier for each ethernet card) with Comcast’s servers. This means every request from your machine or network must be from a card with that address.

That address can, however, be cloned: you can configure your Linux/BSD firewall to use the registered MAC address. First you need the MAC address of the card that was registered. On Windows, run “ipconfig /all” at a command prompt.

<em>C:\Documents and Settings\ericm&gt;ipconfig /all</em>
<em>Windows IP Configuration</em>
<em>Host Name . . . . . . . . . . . . : COMPUTER-ONE
Primary Dns Suffix  . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : hsd1.il.comcast.net.</em>
<em>Ethernet adapter Local Area Connection:</em>
<em>Connection-specific DNS Suffix  . : hsd1.il.comcast.net.
Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
Physical Address. . . . . . . . . : <strong>00-50-2C-A5-F5-73</strong>
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.176.224.100
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : 172.20.1.102
DHCP Server . . . . . . . . . . . : 172.20.1.10
DNS Servers . . . . . . . . . . . : 172.20.1.130
172.20.1.131
Lease Obtained. . . . . . . . . . : Tuesday, May 15, 2007 1:55:25 PM
Lease Expires . . . . . . . . . . : Saturday, May 19, 2007 1:55:25 PM</em>
<em>Ethernet adapter Local Area Connection 2:</em>
<em>Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
Physical Address. . . . . . . . . : 4A-4B-4C-5D-0E-0F
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 169.254.1.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :</em>

The line that has the information we want is the “Physical Address” line for the first adapter, “Local Area Connection” (the one with DHCP enabled and the Comcast DNS suffix). Take that address, replace the hyphens with colons, and put it into a script that will run on the Linux firewall. The script has to take the outgoing ethernet card down, and bring it back up with the MAC address from above.

<em># update-rc.d firewallScript.sh start 80 0 1 2 3 4 5 6 S .</em>
<em>#!/bin/sh
echo running /etc/init.d/firewallScript
TIME_VAR=`date +%Y-%m-%d_%H.%M.%S`
# keep a dated copy of the interface state from before the change
mkdir -p /root/ifconfigArchive
ifconfig eth0 &gt; /root/ifconfigArchive/ifconfig.eth0.$TIME_VAR
ifconfig eth1 &gt; /root/ifconfigArchive/ifconfig.eth1.$TIME_VAR
# set the MAC address registered with Comcast on the outside interface (eth0)
ifconfig eth0 down hw ether <strong>00:50:2C:A5:F5:73</strong>
ifconfig eth0 up
# restart network
/etc/init.d/networking restart
# restart firewall
bash /etc/fwbuilder.sh
# restart ssh
/etc/init.d/ssh restart</em>

You then need to reboot your firewall, and you should be good to go.
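Getting the address from the Windows output into the script by hand is where a typo sneaks in, and a mistyped address means the firewall comes up without connectivity. The following POSIX shell script is an added example, not part of the original post: it pulls the first adapter's “Physical Address” out of saved “ipconfig /all” output, converts it from the Windows hyphen form to the colon form that “hw ether” expects, rejects anything that is not six hex octets, and can check whether an interface already carries the expected address. The ipconfig text embedded in it is a constructed sample modelled on the output above; no interface is modified.

```shell
#!/bin/sh
# Added example (not from the original post): parse an "ipconfig /all"
# capture, normalise the MAC address, and compare it with what the kernel
# currently reports for an interface.

# Constructed sample of "ipconfig /all" output, modelled on the post.
IPCONFIG_SAMPLE='Windows IP Configuration

   Host Name . . . . . . . . . . . . : COMPUTER-ONE

Ethernet adapter Local Area Connection:

   Physical Address. . . . . . . . . : 00-50-2C-A5-F5-73
   Dhcp Enabled. . . . . . . . . . . : Yes

Ethernet adapter Local Area Connection 2:

   Physical Address. . . . . . . . . : 4A-4B-4C-5D-0E-0F
   Dhcp Enabled. . . . . . . . . . . : No'

# first_physical_address: print the MAC of the first adapter listed.
# Reads ipconfig output on stdin; only the first match is printed.
first_physical_address() {
    sed -n 's/^[[:space:]]*Physical Address[. ]*: *\([0-9A-Fa-f-]*\).*/\1/p' | head -n 1
}

# to_linux_mac: rewrite 00-50-2C-A5-F5-73 as 00:50:2c:a5:f5:73 and reject
# anything that is not six hex octets, so garbage never reaches ifconfig
# at boot time.
to_linux_mac() {
    mac=$(printf '%s' "$1" | tr 'ABCDEF-' 'abcdef:')
    case "$mac" in
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f])
            printf '%s\n' "$mac" ;;
        *)
            printf 'invalid MAC address: %s\n' "$1" >&2
            return 1 ;;
    esac
}

# current_mac: the address the kernel currently has on an interface, read
# from sysfs; prints nothing if the interface does not exist.
current_mac() {
    cat "/sys/class/net/$1/address" 2>/dev/null
}

# mac_matches: succeed only when the interface already carries the
# expected (Windows-form) address, so the init script can skip the
# down/up cycle when nothing needs changing.
mac_matches() {
    [ "$(current_mac "$1")" = "$(to_linux_mac "$2")" ]
}

# Demonstration on the constructed sample.
WIN_MAC=$(printf '%s\n' "$IPCONFIG_SAMPLE" | first_physical_address)
LINUX_MAC=$(to_linux_mac "$WIN_MAC")
printf 'registered (Windows form): %s\nifconfig form: %s\n' "$WIN_MAC" "$LINUX_MAC"
```

In the init script from the post, `to_linux_mac` would replace the hand-edited literal, and `mac_matches eth0 "$WIN_MAC"` lets the script leave the interface alone when the address is already set, which avoids an unnecessary network restart on every boot.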
