From: Christian Brueffer
To: Brett Glass
Cc: net@freebsd.org, Stefan Lambrev
Date: Wed, 13 May 2009 23:38:29 +0200
Subject: Re: MAC locking and filtering in FreeBSD
Message-id: <20090513213829.GA1248@haakonia.hitnet.RWTH-Aachen.DE>
In-reply-to: <200905131903.NAA17981@lariat.net>
References: <200905131648.KAA15455@lariat.net> <5AFBEB69-C59A-4F61-96BE-11E30872A428@moneybookers.com> <200905131903.NAA17981@lariat.net>
List-Id: Networking and TCP/IP with FreeBSD

On Wed, May 13, 2009 at 01:03:20PM -0600, Brett Glass wrote:
> Stefan:
>
> You are correct: This is not real security. In fact, I would argue that it's not security at all.
>
> But many businesses that have to maintain hotspots -- especially some hotel chains -- are "allergic" to any sort of serious security. This is because a small but vocal subset of their customers just want to get on the Net and complain about any sort of security. Even having to enter a password or a WEP key irks them. (I personally think that these people are ignorant fools and are setting themselves up for identity theft and worse, but that's just me. And the businesses seem more willing to allow piracy of their Wi-Fi than to irritate these boneheads.) Also, these systems have to be usable by some fairly lame devices -- e.g. an XBox -- that aren't really computers and don't have the capability to run secure protocols or even a particularly good Web browser built in.
>
> So, painful as it is, I have to help these guys implement systems which "bless" MAC addresses. The "arp -s" command can sort of lock an IP to a MAC address, but awkwardly and only for outbound packets. What I'd like is to get this into the firewall, so I can not only block spoofing but trigger a log entry when it happens.
>

Sounds like wlan_acl(4) may be of interest to you.

- Christian

-- 
Christian Brueffer chris@unixpages.org brueffer@FreeBSD.org
GPG Key: http://people.freebsd.org/~brueffer/brueffer.key.asc
GPG Fingerprint: A5C8 2099 19FF AACA F41B B29B 6C76 178C A0ED 982D
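One way to combine what Brett asks for (bind each blessed MAC to its IP in the firewall and log violations) with Christian's wlan_acl(4) pointer, as an added example that is not part of the thread: a sh function that turns an "IP MAC" table into the ifconfig(8), arp(8) and ipfw(8) commands for the gateway. The interface name wlan0, the pairs-file format and the rule numbering are assumptions; the command syntax is the one documented in those manual pages, so check it against the release in use.

```shell
#!/bin/sh
# Constructed example, not from the thread. Assumes wlan0 is the
# client-facing interface, ipfw is the firewall, and a text file with
# one "IP MAC" pair per line ('#' lines are comments). Only prints the
# commands; pipe the output into sh on the gateway as root to apply it.
gen_rules() {
    pairs=$1; ifn=${2:-wlan0}; n=1000
    # Let ipfw see Ethernet frames, and send "log" hits to syslog.
    echo "sysctl net.link.ether.ipfw=1"
    echo "sysctl net.inet.ip.fw.verbose=1"
    # Start the wlan_acl(4) station database from scratch.
    echo "ifconfig $ifn mac:flush"
    while read -r ip mac; do
        case $ip in ''|'#'*) continue ;; esac
        mac=$(echo "$mac" | tr '[:upper:]' '[:lower:]')
        # 1. Association-level allow list: unknown MACs never associate.
        echo "ifconfig $ifn mac:add $mac"
        # 2. Static ARP entry so the gateway never learns a spoofed IP->MAC.
        echo "arp -S $ip $mac"
        # 3. Firewall binding: IP frames from this MAC must carry its IP.
        #    "layer2" keeps the rule from matching a second time at layer 3.
        echo "ipfw add $n allow ip from $ip to any MAC any $mac layer2 in via $ifn"
        n=$((n+1))
    done < "$pairs"
    # Switch the ACL policy to "registered stations only".
    echo "ifconfig $ifn mac:allow"
    # ARP from associated stations is needed for address resolution;
    # any other inbound frame on the client side is spoofing: drop and log.
    echo "ipfw add $n allow all from any to any mac-type arp layer2 in via $ifn"
    echo "ipfw add $((n+1)) deny log all from any to any layer2 in via $ifn"
}
```

The deny rule is what produces the log entry Brett wants; the arp -S entries and the wlan_acl list are the belt and braces around it.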