Date: Wed, 13 May 2009 22:14:48 +0300
From: Stefan Lambrev <stefan.lambrev@moneybookers.com>
To: Brett Glass <brett@lariat.net>
Cc: net@freebsd.org
Subject: Re: MAC locking and filtering in FreeBSD
Message-ID: <F654B550-54F2-4AAB-91B1-8490E04E44ED@moneybookers.com>
In-Reply-To: <200905131903.NAA17981@lariat.net>
References: <200905131648.KAA15455@lariat.net> <5AFBEB69-C59A-4F61-96BE-11E30872A428@moneybookers.com> <200905131903.NAA17981@lariat.net>

Hi,

On May 13, 2009, at 10:03 PM, Brett Glass wrote:

> Stefan:
>
> You are correct: This is not real security. In fact, I would argue
> that it's not security at all.
>
> But many businesses that have to maintain hotspots -- especially
> some hotel chains -- are "allergic" to any sort of serious security.
> This is because a small but vocal subset of their customers just
> want to get on the Net and complain about any sort of security. Even
> having to enter a password or a WEP key irks them. (I personally
> think that these people are ignorant fools and are setting
> themselves up for identity theft and worse, but that's just me. And
> the businesses seem more willing to allow piracy of their Wi-Fi than
> to irritate these boneheads.) Also, these systems have to be usable
> by some fairly lame devices -- e.g. an XBox -- that aren't really
> computers and don't have the capability to run secure protocols or
> even a particularly good Web browser built in.
>
> So, painful as it is, I have to help these guys implement systems
> which "bless" MAC addresses. The "arp -s" command can sort of lock
> an IP to a MAC address, but awkwardly and only for outbound packets.
> What I'd like is to get this into the firewall, so I can not only
> block spoofing but trigger a log entry when it happens.

I think /usr/ports/net-mgmt/arpwatch will be helpful then, though I
never used it on wireless.
Not that I understand how "knowing" mac address is easier for
customers than wpa2 password ;)

>
> --Brett
>
> At 12:46 PM 5/13/2009, Stefan Lambrev wrote:
>
>> Hi,
>>
>> arp -S (or -s) is not helping?
>> Have in mind that this is not a real security as it's very easy to
>> change your MAC.
>>
>> On May 13, 2009, at 7:48 PM, Brett Glass wrote:
>>
>>> I need to find a way to do "MAC address locking" in FreeBSD --
>>> that is, to ensure that only a machine with a particular MAC
>>> address can use a particular IP address. Unfortunately, it appears
>>> that rules in FreeBSD's IPFW are "stuck" on one layer: rules that
>>> look at Layer 2 information in a packet can't look at Layer 3, and
>>> vice versa. Is there a way to work around this to do MAC address
>>> locking and/or other functions that involve looking at Layer 2 and
>>> Layer 3 simultaneously?
>>>
>>> --Brett Glass
>>>
>>> _______________________________________________
>>> freebsd-net@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>>
>> --
>> Best Wishes,
>> Stefan Lambrev
>> ICQ# 24134177

--
Best Wishes,
Stefan Lambrev
ICQ# 24134177
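
An added example, not part of the original message or of any FreeBSD tool: one way to get the log entry asked for in the thread is to compare the ARP cache against the list of "blessed" IP-to-MAC bindings. The bindings file format, the sample addresses, the MISMATCH/UNKNOWN labels and the `maclock` logger tag are assumptions made for illustration; the input is assumed to look like FreeBSD `arp -an` output.

```sh
#!/bin/sh
# Added example (not from the thread). Reads `arp -an`-style lines on stdin
# and compares them with a bindings file of "IP MAC" pairs ('#' = comment).
# Prints MISMATCH for a blessed IP seen with another MAC, UNKNOWN for an
# IP that has no binding at all. File format and labels are assumptions.
check_bindings() {
    awk -v bf="$1" '
    # Lower-case a MAC and zero-pad each octet so 0:a:b and 00:0a:0b compare equal.
    function norm(mac,    o, n, i, out) {
        n = split(tolower(mac), o, ":")
        out = ""
        for (i = 1; i <= n; i++) {
            if (length(o[i]) == 1) o[i] = "0" o[i]
            out = out (i > 1 ? ":" : "") o[i]
        }
        return out
    }
    # First input: the blessed bindings.
    FILENAME == bf {
        sub(/#.*/, "")
        if (NF >= 2) blessed[$1] = norm($2)
        next
    }
    # Second input (stdin): "? (IP) at MAC on IFACE ..." lines.
    $3 == "at" && $4 != "(incomplete)" {
        ip = $2
        gsub(/[()]/, "", ip)
        mac = norm($4)
        if (!(ip in blessed))
            print "UNKNOWN " ip " " mac
        else if (blessed[ip] != mac)
            print "MISMATCH " ip " expected=" blessed[ip] " seen=" mac
    }' "$1" -
}

# Constructed sample data; on a live system the input would be `arp -an`
# and the output could be piped to `logger -t maclock` (hypothetical tag).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# IP         MAC
192.0.2.10   00:11:22:33:44:55
192.0.2.11   0:a:b:c:d:e
EOF
check_bindings "$sample" <<'EOF'
? (192.0.2.10) at 00:11:22:33:44:55 on em0 expires in 1100 seconds [ethernet]
? (192.0.2.11) at 00:de:ad:be:ef:01 on em0 expires in 900 seconds [ethernet]
? (192.0.2.12) at 00:aa:bb:cc:dd:ee on em0 expires in 900 seconds [ethernet]
? (192.0.2.13) at (incomplete) on em0 expired [ethernet]
EOF
rm -f "$sample"
```

This only flags an IP that shows up with a different MAC; a client that clones a blessed MAC address passes the check, which is the limitation both posters point out.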