From owner-freebsd-ipfw@FreeBSD.ORG Thu Sep 6 05:15:03 2007
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id AD69D16A417 for ; Thu, 6 Sep 2007 05:15:03 +0000 (UTC) (envelope-from chrishome@austin.rr.com)
Received: from smtpauth14.prod.mesa1.secureserver.net (smtpauth14.prod.mesa1.secureserver.net [64.202.165.39]) by mx1.freebsd.org (Postfix) with SMTP id 789DF13C458 for ; Thu, 6 Sep 2007 05:15:03 +0000 (UTC) (envelope-from chrishome@austin.rr.com)
Received: (qmail 5883 invoked from network); 6 Sep 2007 04:14:47 -0000
Received: from unknown (70.113.73.215) by smtpauth14.prod.mesa1.secureserver.net (64.202.165.39) with ESMTP; 06 Sep 2007 04:14:47 -0000
Message-ID: <46DF7E94.8030208@austin.rr.com>
Date: Wed, 05 Sep 2007 23:14:12 -0500
From: "Chris Bowman (Home)"
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Stephen GL
References: <456319.24028.qm@web56801.mail.re3.yahoo.com>
In-Reply-To: <456319.24028.qm@web56801.mail.re3.yahoo.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Allow only match both mac address and IP address
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Thu, 06 Sep 2007 05:15:03 -0000

Stephen GL wrote:
> Hi,
>
> I need help.
> I am very new to IPFW. I'm on FreeBSD 6.0.
> My job is to pass anyone that has both a valid MAC and IP address.
> At the beginning of my rules I check for the valid MAC addresses that can get through.
> If that passes, the next rule checks the IP address.
> If that passes, he/she can get through.
>
> Everything works as expected. My problem is that the above rules don't check the MAC and IP address pairing.
> Assume someone spoofs another MAC address; they can pass by changing their IP address to that of another.
>
> Another question: what if someone really has both a valid MAC and IP address, but in fact he/she is a spoofer or man in the middle on the same subnet? How do I handle this problem? I heard about static ARP tables, but I am not interested in setting up that kind of solution. I am thinking about nmap, which can check against my database of valid Ethernet IDs and the operating system being used. Has anyone done this kind of solution?
>
> --
> Stephen
>
>
> ---------------------------------
> Building a website is a piece of cake.
> Yahoo! Small Business gives you all the tools to get online.
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>
>

Make sure *net.link.ether.ipfw* is enabled, assuming it is since you said you had it partially working. Then use the following rules as a guideline:

-- Outbound Rule --
    allow ip from 172.16.100.50 to any MAC any 00:11:22:33:44:55

-- Inbound Rule --
    allow ip from any to 172.16.100.50 MAC 00:11:22:33:44:55 any

Of course it seems your main concern is allowing people out that are indeed authorized, so you could likely make the inbound rule a lot more general, something along the lines of:

    allow ip from any to 172.16.100.0/24 MAC any any

Hope that helps!

Chris Bowman
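The following is an added example, not code from either participant in the thread. It turns the pairing idea from the reply above into a complete, generated ipfw ruleset for a gateway, with the operational details the two rule lines leave out. The (IP, MAC) pairs, the LAN interface name em0 and the rule numbers are constructed assumptions. Two caveats that ipfw(8) documents and that the reply does not mention: with net.link.ether.ipfw=1 the same packet passes through ipfw once at layer 2 (where the MAC header is visible) and again at layer 3 (where it is not), so the MAC rules carry the `layer2` keyword and the final deny is restricted to layer 2 so that the layer-3 pass still falls through to the rest of the ruleset; and ARP frames have no IP header, so a layer-2 deny would silently drop them unless they are allowed first with `mac-type arp`. The ruleset only enforces that the source IP and source MAC seen on the wire form a known pair; a host that spoofs both halves of a pair, the second question in the original post, is not caught by this check.

```shell
#!/bin/sh
# Added example (not from the freebsd-ipfw thread): emit an ipfw ruleset that
# passes IPv4 traffic on the LAN interface only when the source IP and source
# MAC (inbound) or destination IP and destination MAC (outbound) form a known
# pair.  Run it and pipe the output into sh on the gateway to apply it.

# Constructed sample table of authorised hosts, one "ip mac" per line.
PAIRS='172.16.100.50 00:11:22:33:44:55
172.16.100.51 00:11:22:33:44:56'

LAN_IF=em0            # assumption: the interface facing the LAN
LAN_NET=172.16.100.0/24

# Print the two rules for one authorised host.
# $1 = rule number, $2 = IP address, $3 = MAC address
# ipfw's MAC option is ordered "MAC dst-mac src-mac".
pair_rules() {
    # Frames from the host arriving on the LAN interface: both the source IP
    # and the source MAC must match the table entry.
    printf 'ipfw add %d allow ip from %s to any MAC any %s in layer2 via %s\n' \
        "$1" "$2" "$3" "$LAN_IF"
    # Frames leaving towards the host: destination IP and destination MAC
    # must match, so a reply cannot be steered to a different station.
    printf 'ipfw add %d allow ip from any to %s MAC %s any out layer2 via %s\n' \
        "$1" "$2" "$3" "$LAN_IF"
}

# Print the whole ruleset.
gen_ruleset() {
    # Without this sysctl ipfw never sees Ethernet headers and MAC rules
    # cannot match anything.
    echo 'sysctl net.link.ether.ipfw=1'
    # ARP has no IP header, so the pair rules never match it; allow it
    # explicitly or hosts can no longer resolve the gateway.
    echo "ipfw add 900 allow ip from any to any layer2 mac-type arp via $LAN_IF"
    n=1000
    printf '%s\n' "$PAIRS" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        pair_rules "$n" "$ip" "$mac"
        n=$((n + 1))
    done
    # Any other IP frame on the LAN interface is a mismatched pair (spoofed
    # MAC or borrowed IP): drop it at layer 2.  The layer-3 pass of frames
    # accepted above does not match this rule and continues to the rest of
    # the ruleset, which is where the normal IP policy belongs.
    echo "ipfw add 1999 deny ip from any to any layer2 via $LAN_IF"
}

gen_ruleset
```

If, as the reply suggests, only the outbound direction needs to be strict, the second `printf` in `pair_rules` can be replaced by a single `allow ip from any to $LAN_NET out layer2 via $LAN_IF` rule placed before the final deny.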