From: Chris Dillon
To: Artem Kuchin
Cc: freebsd-stable@FreeBSD.ORG
Date: Mon, 14 Feb 2005 15:01:46 -0600 (CST)
Subject: Re: How to make ipfw consider MAC-IP match?

On Mon, 14 Feb 2005, Artem Kuchin wrote:

> I have a table with ethernet (MAC) addresses matching IPs. It is
> used to build dhcp config file. But regardless of that any user can
> assign his neighbour ips while that pc is turned off and use it to
> access internet. The local ips are 192.168. and are behind natd. I
> am running 5.3-STABLE and have heard that ipfw2 can in some way use
> MAC addresses, but how do I set up ipfw in such a way that it allows
> certain IP only from one and only one MAC address? I hope you are
> getting my idea.

What you probably want is static ARP entries.

    arp -s 192.168.1.1 00:11:22:33:44:55

But that still won't stop someone from changing their IP address and
MAC address to match, it just makes it harder. To prevent that kind
of thing you need to use 802.1x authentication or maybe even PPPoE.

-- 
Chris Dillon - cdillon(at)wolves.k12.mo.us
FreeBSD: The fastest, most open, and most stable OS on the planet
 - Available for IA32, IA64, AMD64, PC98, Alpha, and UltraSPARC architectures
 - PowerPC, ARM, MIPS, and S/390 under development
 - http://www.freebsd.org

Q: Because it reverses the logical flow of conversation.
A: Why is putting a reply at the top of the message frowned upon?
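
Added example (not part of the original message or of FreeBSD): a shell function that turns an IP/MAC table like the one described in the question into the `arp -s` commands suggested in the reply, rejecting malformed entries and any IP claimed by more than one MAC. The table format (one "IP MAC" pair per line, `#` comments) and the name gen_static_arp are assumptions; every address other than the pair quoted in the reply is constructed.

```shell
#!/bin/sh
# Added example: generate static ARP commands from an IP/MAC table.
# Assumed input format: "IP MAC" per line; '#' starts a comment.
# The commands are only printed, never executed, so they can be reviewed first.

gen_static_arp() {
    awk '
    function bad(msg) { printf "line %d: %s\n", NR, msg > "/dev/stderr"; errors++ }
    { sub(/#.*/, "") }              # strip comments
    NF == 0 { next }                # skip blank lines
    NF != 2 { bad("expected: IP MAC"); next }
    {
        ip = $1; mac = tolower($2)
        # Validate dotted-quad IPv4: four numeric octets, each 0-255.
        n = split(ip, o, ".")
        ok = (n == 4)
        for (i = 1; i <= n && ok; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
        if (!ok) { bad("bad IPv4 address " ip); next }
        # Validate MAC: six colon-separated hex octets (17 characters).
        if (length(mac) != 17 || mac !~ /^[0-9a-f][0-9a-f](:[0-9a-f][0-9a-f])+$/) {
            bad("bad MAC address " $2); next
        }
        # One IP must map to one and only one MAC.
        if (ip in seen) { bad("IP " ip " already bound to " seen[ip]); next }
        seen[ip] = mac
        printf "arp -s %s %s\n", ip, mac
    }
    END { exit (errors > 0) }       # non-zero status if any line was rejected
    '
}

# Constructed sample table; the last entry reuses an IP and is rejected.
gen_static_arp <<'EOF' || echo "table has errors; fix it before loading" >&2
192.168.1.1  00:11:22:33:44:55
192.168.1.2  00:11:22:33:44:66   # constructed entry
192.168.1.2  00:11:22:33:44:77   # constructed conflict
EOF
```

Entries added with `arp -s` do not survive a reboot, so the reviewed output has to be reapplied at boot. As the reply notes, this only raises the bar: a host that copies both the IP and the MAC still matches.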