Date:      Mon, 14 Feb 2005 15:01:46 -0600 (CST)
From:      Chris Dillon <cdillon@wolves.k12.mo.us>
To:        Artem Kuchin <matrix@itlegion.ru>
Cc:        freebsd-stable@FreeBSD.ORG
Subject:   Re: How to make ipfw consider MAC-IP match?
Message-ID:  <20050214145543.L42760@duey.wolves.k12.mo.us>
In-Reply-To: <022401c512d7$e0779890$0c00a8c0@artem>
References:  <200502142022.j1EKMl5R092740@lurza.secnetix.de> <022401c512d7$e0779890$0c00a8c0@artem>

On Mon, 14 Feb 2005, Artem Kuchin wrote:

> I have a table with ethernet (MAC) addresses matching IPs. It is 
> used to build dhcp config file. But regardless of that any user can 
> assign his neighbour's IPs while that PC is turned off and use it to 
> access internet. The local IPs are 192.168. and are behind natd. I 
> am running 5.3-STABLE and have heard that ipfw2 can in some way use 
> MAC addresses, but how do I setup ipfw in such a way that it allows 
> certain IP only from one and only one MAC address? I hope you are 
> getting my idea.

What you probably want is static ARP entries.

arp -s 192.168.1.1 00:11:22:33:44:55

But that still won't stop someone from changing their IP address and 
MAC address to match, it just makes it harder.  To prevent that kind 
of thing you need to use 802.1x authentication or maybe even PPPoE.

-- 
  Chris Dillon - cdillon(at)wolves.k12.mo.us
  FreeBSD: The fastest, most open, and most stable OS on the planet
  - Available for IA32, IA64, AMD64, PC98, Alpha, and UltraSPARC architectures
  - PowerPC, ARM, MIPS, and S/390 under development
  - http://www.freebsd.org

Q: Because it reverses the logical flow of conversation.
A: Why is putting a reply at the top of the message frowned upon?
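
The static-ARP suggestion above, applied to a whole MAC/IP table rather than one host. This is an added example, not part of the original message. The input format ("IP MAC" per line, '#' comments), the function names and the sample addresses are assumptions. The output is in the "host ether_addr" form that arp -f reads.

```sh
#!/bin/sh
# Added example: validate an IP/MAC table and emit lines for `arp -f`.
# Assumed input: "IP MAC" per line, '#' starts a comment (hypothetical format).
# Rejects malformed addresses and any IP or MAC that is bound twice, so one
# typo in the table cannot silently pin an address to the wrong machine.
gen_arp_file() {
    awk '
    function fail(msg) { printf "line %d: %s\n", NR, msg > "/dev/stderr"; rc = 1 }
    function valid_ip(s,   o, i) {
        if (split(s, o, ".") != 4) return 0
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
        return 1
    }
    function valid_mac(s,   h, i) {
        if (split(s, h, ":") != 6) return 0
        for (i = 1; i <= 6; i++)
            if (h[i] !~ /^[0-9a-f][0-9a-f]$/) return 0
        return 1
    }
    NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
    {
        ip = $1; mac = tolower($2)
        if (!valid_ip(ip))   { fail("bad IP: " ip); next }
        if (!valid_mac(mac)) { fail("bad MAC: " $2); next }
        if (ip in by_ip)     { fail(ip " already bound to " by_ip[ip]); next }
        if (mac in by_mac)   { fail(mac " already bound to " by_mac[mac]); next }
        by_ip[ip] = mac; by_mac[mac] = ip
        print ip, mac                      # "host ether_addr" for arp -f
    }
    END { exit rc + 0 }                    # non-zero if any line was rejected
    '
}

# Constructed sample table (addresses are made up for illustration).
sample_table() {
    cat <<'EOF'
# ip            mac
192.168.1.10    00:11:22:33:44:55
192.168.1.11    00:11:22:33:44:6A
192.168.1.12    00:11:22:33:44:55   # duplicate MAC, rejected
192.168.1.300   00:11:22:33:44:77   # bad octet, rejected
EOF
}

# Typical use on the gateway (file names are placeholders):
#   gen_arp_file < mac-ip.table > static-arp.txt && arp -f static-arp.txt
```

Because the last command only runs when gen_arp_file exits 0, a table with any rejected line is not loaded at all.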
