From owner-freebsd-ipfw@FreeBSD.ORG  Fri Sep  7 17:25:11 2007
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id F32F016A419
	for <freebsd-ipfw@freebsd.org>; Fri,  7 Sep 2007 17:25:10 +0000 (UTC)
	(envelope-from cswiger@mac.com)
Received: from pi.codefab.com (pi.codefab.com [199.103.21.227])
	by mx1.freebsd.org (Postfix) with ESMTP id CCBCE13C46A
	for <freebsd-ipfw@freebsd.org>; Fri,  7 Sep 2007 17:25:10 +0000 (UTC)
	(envelope-from cswiger@mac.com)
Received: from localhost (localhost [127.0.0.1])
	by pi.codefab.com (Postfix) with ESMTP id EE4A85C78;
	Fri,  7 Sep 2007 12:53:12 -0400 (EDT)
X-Virus-Scanned: amavisd-new at codefab.com
Received: from pi.codefab.com ([127.0.0.1])
	by localhost (pi.codefab.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id 26pgT6tIWmQR; Fri,  7 Sep 2007 12:53:10 -0400 (EDT)
Received: from [192.168.1.3] (pool-71-190-65-187.nycmny.east.verizon.net
	[71.190.65.187])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by pi.codefab.com (Postfix) with ESMTP id 1F3D15C19;
	Fri,  7 Sep 2007 12:53:10 -0400 (EDT)
Message-ID: <46E181F1.2030404@mac.com>
Date: Fri, 07 Sep 2007 12:53:05 -0400
From: Chuck Swiger <cswiger@mac.com>
User-Agent: Thunderbird 1.5.0.13 (Windows/20070809)
MIME-Version: 1.0
To: Stephen GL <kansas_le@yahoo.com>
References: <456319.24028.qm@web56801.mail.re3.yahoo.com>
In-Reply-To: <456319.24028.qm@web56801.mail.re3.yahoo.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Allow only match both mac address and IP address
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Sep 2007 17:25:11 -0000

Stephen GL wrote:
[ ... ]
> I am very new about IPFW. I'm in FreeBSD 6.0.
> My job is pass anyone that has a valid both MAC and IP address.
> Beginning of my rule I check the valid MAC address that can get through.
> If pass, the next rule is check the IP address.
> If pass, he/she can get through.
> 
> Everything is work as expected. My problem is the above rules doesn't check
> both MAC and IP address pairing.  Assume someone spoof other MAC address, they
> can pass by changing the IP address of another.

The way to deal with people who screw up your network by spoofing the MAC and 
IP address of another machine is to fire them or drop them as a customer, 
depending on the relationship.

However, if you really need to provide IP access to people whom you can't 
trust not to play such games, consider switching to something which requires 
authentication, such as PPPoE.

-- 
-Chuck