From owner-freebsd-net@FreeBSD.ORG  Thu May 14 06:41:17 2009
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 31B4B106566C
	for <net@freebsd.org>; Thu, 14 May 2009 06:41:17 +0000 (UTC)
	(envelope-from brett@lariat.net)
Received: from lariat.net (lariat.net [66.119.58.2])
	by mx1.freebsd.org (Postfix) with ESMTP id C0E488FC08
	for <net@freebsd.org>; Thu, 14 May 2009 06:41:16 +0000 (UTC)
	(envelope-from brett@lariat.net)
Received: from anne-o1dpaayth1.lariat.net (IDENT:ppp1000.lariat.net@lariat.net
	[66.119.58.2]) by lariat.net (8.9.3/8.9.3) with ESMTP id AAA25118;
	Thu, 14 May 2009 00:40:59 -0600 (MDT)
Message-Id: <200905140640.AAA25118@lariat.net>
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Thu, 14 May 2009 00:40:39 -0600
To: Ian Smith <smithi@nimnet.asn.au>
From: Brett Glass <brett@lariat.net>
In-Reply-To: <20090514155226.Y46325@sola.nimnet.asn.au>
References: <200905131648.KAA15455@lariat.net>
	<20090514155226.Y46325@sola.nimnet.asn.au>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: net@freebsd.org
Subject: Re: MAC locking and filtering in FreeBSD
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 14 May 2009 06:41:17 -0000

At 12:17 AM 5/14/2009, Ian Smith wrote:
 
>You can use fixed leases with MAC specified in dhcp for that, 

This lets you assign specific addresses to machines with specific MAC addresses. But it doesn't inhibit MAC address "cloning," and the DHCP server cannot force a machine to use a specific IP or stop it from using one that was not assigned to it.

>Re ipfw(8), I'm not clear on what your problem is: the section PACKET 
>FLOW shows clearly how to distinguish layer 2 from layer 3 traffic.

The problem is that you cannot test both the MAC address and the IP address in the same rule -- at least in the current implementation.

>Your 'vice versa' here isn't correct; you can select by layer 3 criteria 
>on packets from ether_demux, 

The docs say that you can't.

--Brett Glass