From owner-freebsd-stable@FreeBSD.ORG Mon Feb 14 21:55:50 2005
Message-ID: <024501c512e0$aa382e30$0c00a8c0@artem>
From: "Artem Kuchin"
To: "Chris Dillon"
cc: freebsd-stable@FreeBSD.ORG
References: <200502142022.j1EKMl5R092740@lurza.secnetix.de> <022401c512d7$e0779890$0c00a8c0@artem> <20050214145543.L42760@duey.wolves.k12.mo.us>
Date: Tue, 15 Feb 2005 01:00:57 +0300
Organization: IT Legion
Subject: Re: How to make ipfw consider MAC-IP match?

Chris Dillon wrote:
> On Mon, 14 Feb 2005, Artem Kuchin wrote:
>
>> I have a table with ethernet (MAC) addresses matching IPs. It is
>> used to build dhcp config file. But regardless of that any user can
>> assign his neighbour's IPs while that PC is turned off and use it to
>> access internet. The local IPs are 192.168. and are behind natd. I
>> am running 5.3-STABLE and have heard that ipfw2 can in some way use
>> MAC addresses, but how do I set up ipfw in such a way that it allows
>> certain IP only from one and only one MAC address? I hope you are
>> getting my idea.
>
> What you probably want is static ARP entries.
>
> arp -s 192.168.1.1 00:11:22:33:44:55
>
> But that still won't stop someone from changing their IP address and
> MAC address to match, it just makes it harder. To prevent that kind
> of thing you need to use 802.1x authentication or maybe even PPPoE.

Um.. I have just read a tutorial about PPPoE and did not find anything
about matching IP and MAC addresses. So, if I use PPPoE I still need
to do static ARP (I did not understand how somebody can match MAC and
IP with static ARP except that he actually gets the physical NIC from
somebody's computer).

Also, as I see, users on PPPoE can log in from any computer and get
their IP address. It will not work because of static ARP, but still,
they are getting their address.

And the last thing, if I am to migrate to PPPoE this basically means
I will need to give up DHCP, because PPP will serve IPs, not DHCP. Right?

And now the theory question. While I am running a PPPoE server on some
ethernet interface, what disallows any user to use that interface as
an IP gateway without any PPPoE? Just assigning themselves an IP, ignoring
PPPoE and using the server as a gateway. I am probably missing some
point here.

--
Regards,
Artem Kuchin
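
The static-ARP suggestion quoted above, applied to a whole MAC/IP table: an added example, not part of the original message or of FreeBSD. The table format (one `IP MAC` pair per line) and the names `sample_table` and `gen_static_arp` are assumptions; the function emits `arp -s` commands and rejects malformed or duplicate entries.

```sh
# Added example. Assumed table format: one "IP MAC" pair per line, # comments.

# Constructed sample table: one duplicate MAC and one invalid IP.
sample_table() {
cat <<'EOF'
# ip           mac
192.168.0.10   00:11:22:33:44:55
192.168.0.11   00:11:22:33:44:AA
192.168.0.12   00:11:22:33:44:55
192.168.0.300  00:11:22:33:44:66
EOF
}

# Read the table on stdin; print one "arp -s IP MAC" per accepted entry.
# Rejected lines go to stderr and make the function return 1.
gen_static_arp() {
    awk '
    function valid_ip(ip,    n, p, i) {
        n = split(ip, p, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++)
            if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
        return 1
    }
    function valid_mac(mac,    n, p, i) {
        n = split(mac, p, ":")
        if (n != 6) return 0
        for (i = 1; i <= 6; i++)
            if (p[i] !~ /^[0-9a-f][0-9a-f]$/) return 0
        return 1
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        ip = $1; mac = tolower($2)
        if (NF != 2 || !valid_ip(ip) || !valid_mac(mac)) {
            print "line " NR ": malformed entry: " $0 > "/dev/stderr"
            bad = 1; next
        }
        # One IP per MAC and one MAC per IP, as the question requires.
        if ((ip in seen_ip) || (mac in seen_mac)) {
            print "line " NR ": duplicate IP or MAC: " $0 > "/dev/stderr"
            bad = 1; next
        }
        seen_ip[ip] = 1; seen_mac[mac] = 1
        print "arp -s " ip " " mac
    }
    END { exit bad + 0 }
    '
}
```

As the quoted reply notes, static entries do not stop a host that changes both its IP and MAC address to match.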