Date:      Tue, 26 Jul 2011 11:59:40 -0600
From:      "Eric S Pulley" <pulley@dabus.com>
To:        "Chuck Swiger" <cswiger@mac.com>
Cc:        "Yavuz Maşlak" <yavuz.maslak@netiletisim.net>, freebsd-questions@freebsd.org
Subject:   Re: How to deny getting static ip address via pf ?
Message-ID:  <cc873ccf28cb9ae9ee5aa1d61301e8f0.squirrel@webmail.dabus.com>
In-Reply-To: <367840D7-2E33-4849-A990-BB532CEFE590@mac.com>
References:  <39BA5203083441F49B797E0E12C7B03D@desktop2002> <367840D7-2E33-4849-A990-BB532CEFE590@mac.com>


On Tue, July 26, 2011 9:01 am, Chuck Swiger wrote:
> On Jul 26, 2011, at 3:44 AM, Yavuz Maşlak wrote:
>> I use pf on freebsd as packet filter.
>>
>> I have a wireless area. The users get to the internet using automatic IP
>> addresses from the DHCP server.
>> I wish to deny assigning a static IP address manually.
>
> You can't prevent someone from doing manual configuration.
>
> If you were connecting via a smart switch, you can configure MAC address
> filtering on each of the switch ports and then use DHCPd to only assign
> each MAC to the right range or static IP, and then use an IP-based
> firewall to control traffic from there.  If a user tried to spoof some
> other MAC, the switch would block such traffic.
>
> However, with wireless, nothing prevents the users from spoofing other
> MACs.
>
> Regards,
> --
> -Chuck
>

If your purpose is to deny a person the ability to add themselves manually
to your local net and then get to other networks, this is a perfect example
of the use for authpf. Combine authpf with port security on your local
switch (if you have that functionality).

But they can still spoof their MAC, so it doesn't protect the local wifi
subnet much. The only thing I know works 100% is to set up a wifi net that is
unrouted with nothing in it but a VPN concentrator. Once someone connects
to the wifi net, they establish an encrypted VPN connection that will
route the VPN traffic in/out of the wifi net.

Might be an interesting project for someone to add a PKI auth layer to the
DHCP protocol if someone hasn't already. I can think of several uses for
it.

Of course Cisco has something that might work for you:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftdsiaa.html.
I'd rather figure something else out than pay them for their crap though.
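For readers who want to see what the authpf setup suggested above looks like in practice, the following pf.conf and authpf.rules fragments are an added example, not configuration from the thread or from the FreeBSD project. The interface name, subnet and gateway address are assumptions; the anchor lines, the `<authpf_users>` table and the `$user_ip` macro are what authpf(8) documents. Unauthenticated wifi clients get only DHCP and SSH to the gateway; a user whose login shell is /usr/sbin/authpf gets per-IP pass rules for as long as the SSH session lasts. As the message notes, this still binds access to an IP on a shared medium, so a client that spoofs the MAC and IP of an authenticated neighbour is not stopped by it.

```pf
# ---- /etc/pf.conf (added example; names below are assumptions) ----
wifi_if = "wlan0"                 # assumed wifi-facing interface
wifi_net = "192.168.10.0/24"      # assumed wifi subnet
gw_ip   = "192.168.10.1"          # assumed address clients ssh to

# authpf(8) adds the authenticated user's address to this table on login
table <authpf_users> persist

# anchors that authpf(8) populates per user and flushes on logout
nat-anchor "authpf/*"
rdr-anchor "authpf/*"
binat-anchor "authpf/*"
anchor "authpf/*"

# default: nothing from the wifi side gets in
block in log on $wifi_if all

# unauthenticated clients may only obtain a lease and reach sshd on the gateway
pass in on $wifi_if inet proto udp from any port 68 to any port 67
pass in on $wifi_if inet proto tcp from $wifi_net to $gw_ip port 22 keep state

# authenticated addresses are allowed through (authpf keeps the table current)
pass in on $wifi_if from <authpf_users> to any keep state

# ---- /etc/authpf/authpf.rules (loaded into the user's anchor at login) ----
# authpf substitutes $user_ip with the address the user connected from;
# macros from pf.conf are not visible here, so the interface is spelled out
pass in quick on wlan0 from $user_ip to any keep state
```

To activate it, set the user's login shell to /usr/sbin/authpf and list the account in /etc/authpf/authpf.allow (or create /etc/authpf/users/<name>/); `pfctl -a "authpf/*" -sr` shows the per-user rules while a session is open, and `pfctl -t authpf_users -T show` lists the currently authenticated addresses.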
