Date:      Wed, 13 May 2009 13:03:20 -0600
From:      Brett Glass <brett@lariat.net>
To:        Stefan Lambrev <stefan.lambrev@moneybookers.com>
Cc:        net@freebsd.org
Subject:   Re: MAC locking and filtering in FreeBSD
Message-ID:  <200905131903.NAA17981@lariat.net>
In-Reply-To: <5AFBEB69-C59A-4F61-96BE-11E30872A428@moneybookers.com>
References:  <200905131648.KAA15455@lariat.net> <5AFBEB69-C59A-4F61-96BE-11E30872A428@moneybookers.com>

Stefan:

You are correct: This is not real security. In fact, I would argue that it's not security at all. 

But many businesses that have to maintain hotspots -- especially some hotel chains -- are "allergic" to any sort of serious security. This is because a small but vocal subset of their customers just want to get on the Net and complain about any sort of security. Even having to enter a password or a WEP key irks them. (I personally think that these people are ignorant fools and are setting themselves up for identity theft and worse, but that's just me. And the businesses seem more willing to allow piracy of their Wi-Fi than to irritate these boneheads.) Also, these systems have to be usable by some fairly lame devices -- e.g. an XBox -- that aren't really computers and don't have the capability to run secure protocols or even a particularly good Web browser built in.

So, painful as it is, I have to help these guys implement systems which "bless" MAC addresses. The "arp -s" command can sort of lock an IP to a MAC address, but awkwardly and only for outbound packets. What I'd like is to get this into the firewall, so I can not only block spoofing but trigger a log entry when it happens.

--Brett
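An added example, not part of this message or of any FreeBSD tool, showing the kind of ruleset the reply is after: it turns a constructed IP-to-MAC binding table into ipfw(8) commands that drop and log inbound frames whose IP source is a blessed address but whose source MAC is not the bound one. It assumes net.link.ether.ipfw=1 so that ipfw also evaluates rules in a layer-2 pass (where the MAC option applies and, for ethertype IP, the IP addresses are matched in the same pass); the interface name, rule numbers and bindings are constructed values.

```shell
# Generate ipfw(8) rules that lock each blessed IP to one MAC (added example).
# Commands are printed, not executed, so the ruleset can be reviewed first.
# Relies on net.link.ether.ipfw=1: ipfw then also sees frames in a layer-2
# pass, where the MAC option is usable and, for ethertype IP, the IP
# addresses are matched in that same pass.

# Constructed binding table, one "<ip> <mac>" per line (hypothetical values).
BINDINGS='10.0.0.10 00:11:22:33:44:55
10.0.0.11 00:11:22:33:44:66'

# valid_mac MAC -> true if MAC is six colon-separated hex octets
valid_mac() {
    printf '%s' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# mac_lock_rules IFACE FIRST_RULE_NUMBER -> prints the ipfw commands
mac_lock_rules() {
    ifc=$1
    n=$2
    echo "sysctl net.link.ether.ipfw=1"    # evaluate rules at layer 2 as well
    echo "sysctl net.inet.ip.fw.verbose=1"  # needed for the 'log' keyword
    while read -r ip mac; do
        [ -n "$ip" ] || continue
        if ! valid_mac "$mac"; then
            echo "bad MAC for $ip: $mac" >&2
            return 1
        fi
        # Inbound frame on $ifc claiming $ip as IP source but carrying a
        # source MAC other than the bound one: drop it and log the attempt.
        # 'MAC dst src' takes the destination first; 'not' negates the
        # option; 'layer2' keeps the rule out of the layer-3 pass.
        echo "ipfw add $n deny log ip from $ip to any" \
             "not MAC any $mac layer2 in via $ifc"
        n=$((n + 1))
    done <<EOF
$BINDINGS
EOF
}
```

Because a MAC is trivially changed, the log entries are the useful part: treat a hit as a signal to investigate, not as proof the address is protected.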

At 12:46 PM 5/13/2009, Stefan Lambrev wrote:
 
>Hi,
>
>arp -S (or -s) is not helping?
>Have in mind that this is not a real security as it's very easy to change your MAC.
>
>On May 13, 2009, at 7:48 PM, Brett Glass wrote:
>
>>I need to find a way to do "MAC address locking" in FreeBSD -- that is, to ensure that only a machine with a particular MAC address can use a particular IP address. Unfortunately, it appears that rules in FreeBSD's IPFW are "stuck" on one layer: rules that look at Layer 2 information in a packet can't look at Layer 3, and vice versa. Is there a way to work around this to do MAC address locking and/or other functions that involve looking at Layer 2 and Layer 3 simultaneously?
>>
>>--Brett Glass
>>
>
>--
>Best Wishes,
>Stefan Lambrev
>ICQ# 24134177