getting mac address


  • getting mac address

    Hi, first of all I'm sorry for my English, I'm from Chile, South America.
    I'm starting to study network security, but already taking care of some servers. My problem is that I need to ban some people but the IPs here are dynamic, so I needed a new ban system. My idea is to ban the MAC address from the router, and for that I need their MAC.. that's the problem, I've only found how to find the MACs of the computers on my LAN, I need to do it outside my LAN, and of course, I have the IP address...

    Thanks for the time, and sorry again for my English :(

  • #2
    Originally posted by lord of caos
    Hi, first of all I'm sorry for my English, I'm from Chile, South America.
    I'm starting to study network security, but already taking care of some servers. My problem is that I need to ban some people but the IPs here are dynamic, so I needed a new ban system. My idea is to ban the MAC address from the router, and for that I need their MAC.. that's the problem, I've only found how to find the MACs of the computers on my LAN, I need to do it outside my LAN, and of course, I have the IP address...

    Thanks for the time, and sorry again for my English :(
    Some more information would be useful, what type of servers are you running, i.e. Windows, Linux/Unix? What services are you running that you want to ban people from using? Are the people you want to ban coming from any type of common source, i.e. like aol.com, lamers.org?
    Aut disce aut discede



    • #3
      Are these outside users from another LAN or from the Internet?

      I return whatever i wish . Its called FREEDOWM OF RANDOMNESS IN A HECK . CLUSTERED DEFEATED CORn FORUM . Welcome to me



      • #4
        ARP knows IP. Research ARP



        • #5
          Shouldn't he be researching RARP for the MAC address? Correct me if I'm wrong.



          • #6
            Originally posted by Ras_al_cool
            Shouldn't he be researching RARP for the MAC address? Correct me if I'm wrong.
            You're wrong.

            ARP "translates" an IP address into a MAC address. Reverse ARP can be used to query a special reverse-ARP server (which you most certainly do not have) for the IP address of a given MAC address.

            And as noid appears to be getting at, you can't know the MAC address of the end client across the Internet using IPv4.



            • #7
              If I were to get a TCP/IP tutorial would this type of information be addressed so I can understand it better?



              • #8
                Originally posted by mikedc1760
                If I were to get a TCP/IP tutorial would this type of information be addressed so I can understand it better?
                YES!

                (The message you have entered is too short. Please lengthen your message to at least 10 characters.)



                • #9
                  When you buy the NIC, the MAC address is on a sticker on the box.



                  • #10
                    Originally posted by astcell
                    When you buy the NIC, the MAC address is on a sticker on the box.
                    I always thought of the sticker as more of a suggestion...



                    • #11
                      Originally posted by lord of caos
                      I need to ban some people but the IPs here are dynamic, so I needed a new ban system. My idea is to ban the MAC address from the router, and for that I need their MAC.. that's the problem, I've only found how to find the MACs of the computers on my LAN, I need to do it outside my LAN, and of course, I have the IP address...
                      I know this is long, and I suck for writing it.

                      Using the MAC address as a filter is a poor selection since you are trusting the user not to change the MAC address they use. The MAC address on many cards can be changed in software in many OSes. Even if your users are mostly stupid, all it takes is for one to show the rest and (you get the idea.)

                      Next, (assuming you know this, but stating anyway): It is useless to try to filter by MAC if they are more than 1 hop outside your network because the MAC source address in the passed frame in your network will be that of your last hop router's internal interface. (In case you are trying to block outside users on the Internet from getting through your router to your network.)

                      When all users being limited are local, you could choose to use a kind of "Authenticated Network Access" for users. The summary of it is this... Users get an IP address from a DHCP server with their port that is on a private VLAN. Then, all of their HTTP requests and DNS lookups point them to a single page to authenticate to use the network. After authentication, their VLAN is switched to the "common" network. This requires vendor support for your switches and often is expensive.

                      Other systems involve giving users regular network IP addresses, but not letting them get beyond a filter until they authenticate. Then the authentication application (in)directly changes the filtering rules to allow them. These systems can be independent of your switches.

                      Simple "home-grown" systems have been made for people who want to make free wireless hotspots. One such group is nocat but there are/were big groups in Seattle, LA and New York too. You may be able to adapt their software if you have lots of time, but no money.

                      HTH

                      Comment
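
The point in post #11 about the last-hop router, as an added example that is not part of the original thread: it parses `ip neigh show` style output and reports whose MAC the server would see for a given client IP. The subnet, gateway, addresses and function names are constructed assumptions (documentation ranges), not values from the posters.

```python
import ipaddress

# Constructed sample data (assumptions, not from the thread): the server's
# directly connected subnet, its default gateway, and `ip neigh show` output.
LOCAL_NET = ipaddress.ip_network("192.168.10.0/24")
GATEWAY = ipaddress.ip_address("192.168.10.1")
IP_NEIGH_OUTPUT = """\
192.168.10.1 dev eth0 lladdr 00:00:5e:00:53:01 REACHABLE
192.168.10.23 dev eth0 lladdr 00:00:5e:00:53:17 STALE
192.168.10.40 dev eth0  FAILED
"""

def parse_neighbors(text):
    """Map IP -> MAC for neighbor entries that resolved (have an lladdr)."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" in fields:
            mac = fields[fields.index("lladdr") + 1]
            table[ipaddress.ip_address(fields[0])] = mac
    return table

def frame_source_mac(client_ip, neighbors):
    """Return (mac, owner) of the Ethernet source address the server sees
    on frames carrying packets from client_ip."""
    ip = ipaddress.ip_address(client_ip)
    if ip in LOCAL_NET:
        # On-link: ARP resolves the client itself (None if it never answered).
        return neighbors.get(ip), "client"
    # Off-link: the frame was re-addressed by the last-hop router.
    return neighbors.get(GATEWAY), "gateway"

def usable_mac_bans(client_ips, neighbors):
    """Keep only clients whose observed MAC is their own. Every off-link
    client shares the gateway's MAC, so banning it would cut off everyone."""
    bans = {}
    for client in client_ips:
        mac, owner = frame_source_mac(client, neighbors)
        if owner == "client" and mac:
            bans[client] = mac
    return bans

if __name__ == "__main__":
    table = parse_neighbors(IP_NEIGH_OUTPUT)
    for ip in ["192.168.10.23", "192.168.10.40", "203.0.113.7", "198.51.100.9"]:
        print(ip, frame_source_mac(ip, table))
```

Both Internet clients resolve to the same gateway MAC, so a MAC rule on the server cannot tell them apart; even for the on-link client the value is only what that client chooses to present.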


                      • #12
                        I'm sorry for not posting before, I've been busy, I'm at my final exams of the university year.

                        Well, someone there asked for details of the server.
                        In Chile, there are game companies, they work as communities with many communities inside, for example www.insomniagames.cl, there each game is a community.
                        I'm a Tactical Ops administrator, and there are many cheaters and I'm trying to catch them. The problem is that the IPs in Chile are dynamic, they change when you reboot, so I'm trying to make a system to ban them by MAC using the Tactical Ops router filters (Tactical Ops is the game for which I'm admin).


                        That's why I need to ban, and an effective system :D, thanks for the help, and sorry again for my shitty English :(



                        • #13
                          If your game uses a client program (I cannot imagine why not), you could put code into the client that sends the MAC and possibly even processor serial # if you want to get really tight. No MAC sent, no play to prevent people from just telnetting your server(s).
                          There once was a Windows box with no firewall. Keyword is, there once was.



                          • #14
                            Then all the 1337 gamers will simply change their MAC every time they get banned... The most common method for banning gamers is by simply taking their entire account from them. If the cheating is so rampant that anyone can set up a new account and progress/affect other players efficiently, then the only way to combat the cheating is by patching and enforcement of fixes to the game itself. After all.. the ability to cheat *is* a bug in the game, not the user.
                            if it gets me nowhere, I'll go there proud; and I'm gonna go there free.



                            • #15
                              Originally posted by converge
                              Then all the 1337 gamers will simply change their MAC every time they get banned... The most common method for banning gamers is by simply taking their entire account from them. If the cheating is so rampant that anyone can set up a new account and progress/affect other players efficiently, then the only way to combat the cheating is by patching and enforcement of fixes to the game itself. After all.. the ability to cheat *is* a bug in the game, not the user.

                              Exactly. I've had this argument with more people... dealing with problems via IP or MAC is not an efficient way of fixing the problem. I also don't think that the answer is in storing everything server-side.

                              LosT
