From: Stephen GL
To: freebsd-ipfw@freebsd.org
Date: Wed, 5 Sep 2007 18:59:45 -0700 (PDT)
Subject: Allow only match both mac address and IP address
Message-ID: <456319.24028.qm@web56801.mail.re3.yahoo.com>
List-Id: IPFW Technical Discussions

Hi, I need help. I am very new to IPFW. I'm on FreeBSD 6.0. My job is to pass anyone that has both a valid MAC address and a valid IP address.
At the beginning of my rules I check for the valid MAC addresses that can get through. If that passes, the next rule checks the IP address. If that passes, he/she can get through. Everything works as expected. My problem is that the above rules don't check that the MAC and IP address are paired. Assume someone spoofs another host's MAC address; they can pass by changing to the IP address of another host. Another question: if someone really has both a valid MAC and a valid IP address, but in fact he/she is a spoofer or a man in the middle on the same subnet, how do I solve this problem? I have heard about static ARP tables, but I am not interested in setting up that kind of solution. I am thinking about nmap, which can check against my database of valid Ethernet IDs and the operating system being used. Has anyone done this kind of solution?

-- Stephen
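The pairing problem described in the post comes from checking MAC and IP in two separate rules: the first "allow" that matches ends the evaluation, so a station that borrows another host's MAC can still present any IP that a later rule accepts. ipfw can check both in one rule: with net.link.ether.ipfw=1 it sees Ethernet frames, and for IP frames it also parses the IP header, so "ip from <addr> ... MAC any <mac> ... layer2" matches only when the source MAC and source IP belong together. The script below is an added example, not code from the thread or from the FreeBSD project; it generates such a ruleset from an allowlist and also answers, for a given (MAC, IP) pair, what that ruleset would do with an inbound frame. The interface name fxp0, the rule numbers, and the allowlist entries are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original thread. Emit an ipfw(8) ruleset in
# which every allow rule checks the source MAC *and* the source IP together,
# so that a station cannot borrow one of the two from another host.
# Assumptions (hypothetical): LAN interface fxp0, rule numbers 1000-1999
# free, allowlist below is constructed sample data.

LAN_IF="fxp0"
BASE_RULE=1000

# Constructed allowlist: one "MAC IP" pair per line.
ALLOWED_PAIRS="
00:11:22:33:44:55 192.168.1.10
00:11:22:33:44:66 192.168.1.11
"

# gen_rules IFACE BASE PAIRS -> prints the ipfw commands to stdout.
# Run the output as root (or pipe it into sh) on the FreeBSD box.
gen_rules() {
    iface=$1
    n=$2
    pairs=$3

    # Without this sysctl ipfw never sees Ethernet frames and the MAC
    # option can never match.
    echo "sysctl net.link.ether.ipfw=1"

    printf '%s\n' "$pairs" | while read -r mac ip; do
        if [ -n "$mac" ] && [ -n "$ip" ]; then
            # Source IP and source MAC checked in ONE rule, only on
            # inbound layer-2 frames. The MAC option order is "dst src",
            # so the station's address is the second field.
            echo "ipfw add $n allow ip from $ip to any MAC any $mac in via $iface layer2"
            n=$((n + 1))
            # ARP is not IP, so it needs its own rule; tie it to the same
            # MAC so an unknown station cannot resolve addresses either.
            echo "ipfw add $n allow all from any to any mac-type arp MAC any $mac in via $iface layer2"
            n=$((n + 1))
        fi
    done

    deny=$(($2 + 900))
    # Anything else arriving on the LAN interface at layer 2 is dropped.
    echo "ipfw add $deny deny all from any to any in via $iface layer2"
    # Remaining layer-2 traffic (outbound, other interfaces) passes the
    # Ethernet pass untouched; the existing layer-3 rules still decide it.
    echo "ipfw add $((deny + 1)) allow all from any to any layer2"
}

# decide MAC IP PAIRS -> prints "allow" or "deny": the fate of an inbound
# IP frame on the LAN interface carrying that source MAC and source IP
# under the generated ruleset. A valid MAC with someone else's IP (the
# case from the post) is denied, because no single rule matches both.
decide() {
    if printf '%s\n' "$3" | grep -qxF "$1 $2"; then
        echo allow
    else
        echo deny
    fi
}

gen_rules "$LAN_IF" "$BASE_RULE" "$ALLOWED_PAIRS"
```

Two caveats a practitioner would want. First, a rule without the layer2 keyword is evaluated on the Ethernet pass as well as on the IP pass, so an existing "allow ip from 192.168.1.0/24 to any" numbered below these rules would match the frame first and skip the pairing check; number the generated rules ahead of the existing ones. Second, this only stops a station that has borrowed one of the two addresses; the post's second case, someone who clones both the MAC and the IP of a legitimate host, is indistinguishable to ipfw, which is exactly why static ARP entries or enforcement on the switch come up as answers.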