From owner-freebsd-security Wed Jul 7 7:47:23 1999
From: "Justin Wolf"
To: "Josef Karthauser", "Stephen D. Spencer"
Subject: RE: your mail
Date: Wed, 7 Jul 1999 07:24:51 -0700
In-Reply-To: <19990707121408.H30024@pavilion.net>
Sender: owner-freebsd-security@FreeBSD.ORG

>> Or a simpler method might be to simply statically add his mac to your ARP
>> table with a non-routable IP address. Had to do this on a Cisco. Rather
>> simple and is quite amusing to observe customer reactions. :)

> That doesn't work! One mac can have multiple IP addresses. All this does
> is to stop anyone else using the unroutable ip address.

Well, any IP address outside of their subnet would essentially be unroutable.
If you're not using RFC1918 space anywhere, set it to 10.0.0.1 or something -
this is generally ignored by other networks' border routers (such as the ISP).

You still need to be able to deny an ARP lookup for that MAC that would allow
it to resolve to another IP. Is there no provision in routed or ipfw to filter
by MAC address?

-Justin