From owner-freebsd-ipfw@FreeBSD.ORG Fri Dec 19 03:35:50 2008
Date: Fri, 19 Dec 2008 14:35:47 +1100 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Gloomy Group
Cc: ipfw@freebsd.org
Subject: RE: IPFW firewall rule in mpd pppoe server to single pc behind router
Message-ID: <20081219140743.M29108@sola.nimnet.asn.au>
References: <20081218204044.H29108@sola.nimnet.asn.au>
List-Id: IPFW Technical Discussions

On Fri, 19 Dec 2008, Gloomy Group wrote:

> Hello Ian,
>
> I have implemented traffic shaping with a dummynet pipe. But I want
> to strictly control the internet sharing to a single PC. Is there another
> way of allowing it, like MAC address restricting to 2 PCs coming from that
> source IP?
>
> > Date: Thu, 18 Dec 2008 20:57:36 +1100
> > From: smithi@nimnet.asn.au
> > To: gloomygroup@hotmail.com
> > CC: freebsd-ipfw@freebsd.org
> > Subject: Re: IPFW firewall rule in mpd pppoe server to single pc behind router
> >
> > On Thu, 18 Dec 2008, Gloomy Group wrote:
> > > I have a FreeBSD mpd pppoe server. Users connect to the internet by giving
> > > a username and password. My problem is some users put in a router and share
> > > the internet connection with other PCs. Is it possible to disable internet
> > > sharing in the server by rate limiting with ipfw firewall scripts, so
> > > that if users keep a router or do NAT on their PC to share the internet
> > > then only a single PC can access the internet? Is it possible?
> >
> > Detecting that a connection is shared using NAT? Not that I know of.
> >
> > Rate limiting per connection with dummynet pipes, easy enough. If you
> > limit the bandwidth, why would you need to care how many PCs share it?

Not that I know of. You're only going to see the MAC address of a
directly connected system, not those of any other box connected to the
first one's other interface, even if you are able to do ARP over PPPoE.

This is more people-policy stuff I think, unlikely to have a technical
solution. Some ISPs tell people they're not permitted to use NAT, but
I've not heard of any way of actually and reliably detecting its use.

One way to block use of the particular form of NAT implemented in M$ XP
is to give users addresses in the 192.168.0.x range, with 192.168.0.1 as
(your end's) gateway address .. since this latter address is forcibly
assigned to the NAT box's inside interface by XP's 'internet connection
sharing' .. but there are other NAT systems for windows users out there.

Others may know more than I do about this, of course .. if you wish to
pursue it further, net@freebsd.org would be the more appropriate list.

cheers, Ian
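As an added illustration of the per-connection dummynet rate limiting Ian refers to (this is example code, not part of the mailing-list thread and not from the mpd or ipfw projects), the script below emits the ipfw commands that give every PPPoE client its own bandwidth limit. Everything it assumes is a constructed placeholder: that mpd hands clients addresses from 192.168.0.0/24, that the sessions terminate on ng* netgraph interfaces, and that 256Kbit/s per direction is the desired cap. The point of the `mask` keyword is that dummynet then creates one dynamic pipe per client address, so a user who puts a router behind the session shares the same fixed slice rather than gaining any extra bandwidth, which is the reason the thread says the number of PCs behind the connection stops mattering.

```shell
#!/bin/sh
# Added example, not from the original mail: per-client dummynet rate limiting
# for PPPoE sessions terminated by mpd. All values below are assumptions.

PPP_NET="${PPP_NET:-192.168.0.0/24}"   # assumed mpd client address pool
RATE="${RATE:-256Kbit/s}"              # assumed per-client cap, each direction
IPFW="${IPFW:-ipfw}"                   # set IPFW=echo for a dry run

# Print the ipfw commands instead of running them, so they can be reviewed
# (or checked in a dry run) before touching the live ruleset.
# Pipe 1 shapes upload (client -> internet), pipe 2 shapes download.
# "mask src-ip 0xffffffff" / "mask dst-ip 0xffffffff" make dummynet keep a
# separate dynamic pipe per client IP, so the cap is per user, not per pool.
ratelimit_rules() {
    cat <<EOF
$IPFW pipe 1 config bw $RATE mask src-ip 0xffffffff
$IPFW pipe 2 config bw $RATE mask dst-ip 0xffffffff
$IPFW add 1000 pipe 1 ip from $PPP_NET to any in via ng*
$IPFW add 1010 pipe 2 ip from any to $PPP_NET out via ng*
EOF
}

# Number of commands the generator produces (two pipe configs, two rules).
rule_count() {
    ratelimit_rules | wc -l | tr -d ' '
}

# Number of per-client (masked) pipes in the generated set.
masked_pipe_count() {
    ratelimit_rules | grep -c ' mask '
}

# Execute the generated commands on the real firewall. Note that with the
# default sysctl net.inet.ip.fw.one_pass=1 a packet leaves the ruleset once
# it has been handed to a pipe, so any filtering rules that must also see
# this traffic belong before rule 1000.
apply_rules() {
    ratelimit_rules | sh
}
```

Run it with `IPFW=echo sh ratelimit.sh` (after adding a call to `apply_rules` at the bottom) to see the exact commands that would be issued; on the live box you need root and `net.inet.ip.fw.enable=1`. Because the limit is attached to the address mpd assigned rather than to a MAC, it works the same whether one PC or a NAT router is on the far end of the session, which is exactly why MAC-based restriction buys nothing here.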