Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 7 Sep 2007 14:54:06 -0300
From:      AT Matik <>
Cc:        Stephen GL <>
Subject:   Re: Allow only match both mac address and IP address
Message-ID:  <>
In-Reply-To: <>
References:  <> <>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On Friday 07 September 2007 13:53:05 Chuck Swiger wrote:
> Stephen GL wrote:
> [ ... ]
> > I am very new about IPFW. I'm in FreeBSD 6.0.
> > My job is pass anyone that has a valid both MAC and IP address.
> > Beginning of my rule I check the valid MAC address that can get through.
> > If pass, the next rule is check the IP address.
> > If pass, he/she can get through.
> >
> > Everything is work as expected. My problem is the above rules doesn't
> > check both MAC and IP address pairing.  Assume someone spoof other MAC
> > address, they can pass by changing the IP address of another.
> The way to deal with people who screw up your network by spoofing the MAC
> and IP address of another machine is to fire them or drop them as a
> customer, depending on the relationship.

a completely brilliant solution, technically brilliant, administrationally 
brilliant,  please accept my admiration ...

but we want the customer's money and not drop them man ...

> However, if you really need to provide IP access to people whom you can't
> trust not to play such games, consider switching to something which
> requires authentication, such as PPPoE.

that then cost money for password capslock/lost/forgot/change support ... and 
cost bandwidth overhead or the costumer get less bandwidth as supposed to

back to the point, you need to run your server as bridge then you can drop 
traffic which is not an authorized mac/ip pair as in

deny ip from any to any src-ip ${ip} layer2 not MAC any ${mac} recv ${nic}


A mensagem foi scaneada pelo sistema de e-mail e pode ser considerada segura.
Service fornecido pelo Datacenter Matik

Want to link to this message? Use this URL: <>