From: Stefan Lambrev <stefan.lambrev@moneybookers.com>
To: Brett Glass
Cc: net@freebsd.org
Date: Wed, 13 May 2009 22:14:48 +0300
Subject: Re: MAC locking and filtering in FreeBSD
In-Reply-To: <200905131903.NAA17981@lariat.net>
References: <200905131648.KAA15455@lariat.net> <5AFBEB69-C59A-4F61-96BE-11E30872A428@moneybookers.com> <200905131903.NAA17981@lariat.net>

Hi,

On May 13, 2009, at 10:03 PM, Brett Glass wrote:

> Stefan:
>
> You are correct: This is not real security. In fact, I would argue
> that it's not security at all.
>
> But many businesses that have to maintain hotspots -- especially
> some hotel chains -- are "allergic" to any sort of serious security.
> This is because a small but vocal subset of their customers just
> want to get on the Net and complain about any sort of security. Even
> having to enter a password or a WEP key irks them. (I personally
> think that these people are ignorant fools and are setting
> themselves up for identity theft and worse, but that's just me. And
> the businesses seem more willing to allow piracy of their Wi-Fi than
> to irritate these boneheads.) Also, these systems have to be usable
> by some fairly lame devices -- e.g. an XBox -- that aren't really
> computers and don't have the capability to run secure protocols or
> even a particularly good Web browser built in.
>
> So, painful as it is, I have to help these guys implement systems
> which "bless" MAC addresses. The "arp -s" command can sort of lock
> an IP to a MAC address, but awkwardly and only for outbound packets.
> What I'd like is to get this into the firewall, so I can not only
> block spoofing but trigger a log entry when it happens.

I think /usr/ports/net-mgmt/arpwatch will be helpful then, though I never used it on wireless.
Not that I understand how "knowing" a MAC address is easier for customers than a WPA2 password ;)

>
> --Brett
>
> At 12:46 PM 5/13/2009, Stefan Lambrev wrote:
>
>> Hi,
>>
>> arp -S (or -s) is not helping?
>> Have in mind that this is not real security as it's very easy to
>> change your MAC.
>>
>> On May 13, 2009, at 7:48 PM, Brett Glass wrote:
>>
>>> I need to find a way to do "MAC address locking" in FreeBSD --
>>> that is, to ensure that only a machine with a particular MAC
>>> address can use a particular IP address. Unfortunately, it appears
>>> that rules in FreeBSD's IPFW are "stuck" on one layer: rules that
>>> look at Layer 2 information in a packet can't look at Layer 3, and
>>> vice versa. Is there a way to work around this to do MAC address
>>> locking and/or other functions that involve looking at Layer 2 and
>>> Layer 3 simultaneously?
>>>
>>> --Brett Glass
>>>
>>> _______________________________________________
>>> freebsd-net@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>>
>> --
>> Best Wishes,
>> Stefan Lambrev
>> ICQ# 24134177
>>
>>
>>

--
Best Wishes,
Stefan Lambrev
ICQ# 24134177
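The "log entry when spoofing happens" side of what the thread asks for, as an added example that is not part of the thread nor arpwatch's own code: a small arpwatch-style monitor that holds operator-"blessed" IP-to-MAC bindings, learns and locks the rest on first sight, and records an alert whenever an IP shows up from a different MAC. The input line format, the sample observations and the names `BindingMonitor`, `run` and `SAMPLE_OBSERVATIONS` are all constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample (not real traffic): "<epoch> <iface> <ip> <mac>" lines
# as an ARP sniffer or a periodic `arp -an` poller might emit them.
SAMPLE_OBSERVATIONS = """\
1242242000 wlan0 10.1.1.3 00:1c:b3:aa:bb:cc
1242242005 wlan0 10.1.1.4 00:1f:3b:11:22:33
1242242040 wlan0 10.1.1.3 00:1C:B3:AA:BB:CC
1242242050 wlan0 10.1.1.3 00:de:ad:be:ef:01
1242242055 wlan0 10.1.1.5 00:de:ad:be:ef:01
"""

LINE_RE = re.compile(
    r"^(\d+)\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})$", re.IGNORECASE)

@dataclass
class BindingMonitor:
    """Hypothetical arpwatch-style watcher. 'blessed' bindings are fixed by
    the operator; any other IP is learned on first sight and then locked,
    so a later frame for that IP from another MAC raises an alert."""
    blessed: dict = field(default_factory=dict)   # (iface, ip) -> mac
    learned: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def observe(self, line):
        m = LINE_RE.match(line.strip())
        if not m:
            self.alerts.append(("malformed", line.strip()))
            return "malformed"
        ts, iface, ip, mac = m.group(1), m.group(2), m.group(3), m.group(4).lower()
        key = (iface, ip)
        expected = self.blessed.get(key) or self.learned.get(key)
        if expected is None:
            self.learned[key] = mac
            return "new station"
        if expected == mac:
            return "ok"
        # Same IP, different MAC: a re-lease, a misconfiguration or an
        # impersonation attempt. Log it and keep the original binding so the
        # newcomer cannot simply overwrite the lock by talking first.
        self.alerts.append(("changed ethernet address", int(ts), iface, ip,
                            expected, mac))
        return "changed"

def run(text, blessed=None):
    # Feed every non-empty line to a fresh monitor; return it and the verdicts.
    mon = BindingMonitor(blessed=dict(blessed or {}))
    return mon, [mon.observe(l) for l in text.splitlines() if l.strip()]
```

This catches one IP claimed by several MACs, which is the case the thread is about; the reverse (one MAC appearing on several IPs, as the last sample line does) passes unnoticed and would need a second table keyed by MAC.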