Date:      Tue, 15 Feb 2005 01:00:57 +0300
From:      "Artem Kuchin" <matrix@itlegion.ru>
To:        "Chris Dillon" <cdillon@wolves.k12.mo.us>
Cc:        freebsd-stable@FreeBSD.ORG
Subject:   Re: How to make ipfw consider MAC-IP match?
Message-ID:  <024501c512e0$aa382e30$0c00a8c0@artem>
References:  <200502142022.j1EKMl5R092740@lurza.secnetix.de> <022401c512d7$e0779890$0c00a8c0@artem> <20050214145543.L42760@duey.wolves.k12.mo.us>

Chris Dillon <cdillon@wolves.k12.mo.us> wrote:
> On Mon, 14 Feb 2005, Artem Kuchin wrote:
> 
>> I have a table with ethernet (MAC) addresses matching IPs. It is
>> used to build the dhcp config file. But regardless of that, any user can
>> assign his neighbour's IPs while that PC is turned off and use them to
>> access the internet. The local IPs are 192.168. and are behind natd. I
>> am running 5.3-STABLE and have heard that ipfw2 can in some way use
>> MAC addresses, but how do I set up ipfw in such a way that it allows
>> a certain IP only from one and only one MAC address? I hope you are
>> getting my idea.
> 
> What you probably want is static ARP entries.
> 
> arp -s 192.168.1.1 00:11:22:33:44:55
> 
> But that still won't stop someone from changing their IP address and
> MAC address to match, it just makes it harder.  To prevent that kind
> of thing you need to use 802.1x authentication or maybe even PPPoE.

Um.. I have just read a tutorial about PPPoE and did not find anything about
matching IP and MAC addresses.  So, if I use PPPoE I still need to do
static ARP (I did not understand how somebody can match MAC and IP
with static ARP except that he actually gets the physical NIC from somebody's
computer). Also, as I see, users on PPPoE can log in from any computer and
get their IP address. It will not work because of static ARP, but still, they are
getting their address. And the last thing, if I am to migrate to PPPoE this basically
means I will need to give up DHCP, because PPP will serve IPs, not DHCP.
Right?

And now the theory question. While I am running a PPPoE server on some
ethernet interface, what prevents any user from using that interface as an IP
gateway without any PPPoE? Just assigning themselves an IP, ignoring
PPPoE and using the server as a gateway. I am probably missing some point
here.

--
Regards,
Artem Kuchin
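
The static ARP suggestion quoted above, as an added example that is not part of the original message: a shell function that turns the MAC/IP table used for the DHCP config into `arp -s` commands and rejects entries that would bind one IP to more than one MAC. The table format (`IP MAC` per line) and the names `gen_static_arp` and `sample_table` are assumptions.

```shell
#!/bin/sh
# Added example. Assumed table format: "IP MAC" per line, '#' comment lines.

# Constructed sample table (not real hosts): one duplicate IP, one short MAC.
sample_table() {
cat <<'EOF'
# ip            mac
192.168.1.10 00:11:22:33:44:55
192.168.1.11 00:11:22:33:44:66
192.168.1.10 00:11:22:33:44:77
192.168.1.12 00:11:22:33:44
EOF
}

# Read the table on stdin, print one "arp -s IP MAC" line per valid entry.
# Malformed lines and duplicate IPs or MACs are reported on stderr and
# skipped; the exit status is non-zero if any were found.
gen_static_arp() {
    awk '
    function bad(msg) { print "line " NR ": " msg > "/dev/stderr"; errors++ }
    /^[ \t]*(#|$)/ { next }                      # skip comments and blanks
    {
        if (NF != 2) { bad("expected: IP MAC"); next }
        ip = $1; mac = tolower($2)
        n = split(ip, o, ".")
        ok = (n == 4)
        for (i = 1; ok && i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
        if (!ok) { bad("bad IP " ip); next }
        # six colon-separated hex octets, 17 characters in total
        if (length(mac) != 17 || mac !~ /^[0-9a-f][0-9a-f](:[0-9a-f][0-9a-f])+$/) {
            bad("bad MAC " $2); next
        }
        # one IP <-> one MAC; the first entry wins (policy assumption)
        if (ip in seen_ip)   { bad("duplicate IP " ip); next }
        if (mac in seen_mac) { bad("duplicate MAC " mac); next }
        seen_ip[ip] = 1; seen_mac[mac] = 1
        print "arp -s " ip " " mac
    }
    END { exit (errors > 0) }
    '
}

# Only prints the commands; review them before running them on the gateway.
sample_table | gen_static_arp || echo "table has errors, see above" >&2
```
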









