From: Ian Smith
To: Brett Glass
Cc: net@freebsd.org
Date: Thu, 14 May 2009 17:51:39 +1000 (EST)
Subject: Re: MAC locking and filtering in FreeBSD
Message-ID: <20090514170535.Y46325@sola.nimnet.asn.au>
In-Reply-To: <200905140640.AAA25118@lariat.net>
References: <200905131648.KAA15455@lariat.net> <20090514155226.Y46325@sola.nimnet.asn.au> <200905140640.AAA25118@lariat.net>

On Thu, 14 May 2009, Brett Glass wrote:

> At 12:17 AM 5/14/2009, Ian Smith wrote:
>
> > You can use fixed leases with MAC specified in dhcp for that,
>
> This lets you assign specific addresses to machines with specific MAC
> addresses. But it doesn't inhibit MAC address "cloning," and the DHCP
> server cannot force a machine to use a specific IP or stop it from
> using one that was not assigned to it.

You can have it only issue a lease for a given IP to a machine with the
correct MAC, and issue no leases to any other machines; at least, that
works for us.

Of course that can't prevent someone who a) knows the IP address to MAC
mapping, and b) can spoof the MAC address. I don't know what could
prevent that, but it's hardly the common scenario. Then have ipfw refuse
traffic from addresses other than those allowed.

> > Re ipfw(8), I'm not clear on what your problem is: the section PACKET
> > FLOW shows clearly how to distinguish layer 2 from layer 3 traffic.
>
> The problem is that you cannot test both the MAC address and the IP
> address in the same rule -- at least in the current implementation.

Assuming you have net.link.ether.ipfw=1 to get layer 2 packets, and are
separating your layer 2 packets for testing as shown under PACKET FLOW,
can you show us the rule to do just that, that isn't working right?

> > Your 'vice versa' here isn't correct; you can select by layer 3 criteria
> > on packets from ether_demux,
>
> The docs say that you can't.

Please point out where ipfw(8) says that?

cheers, Ian
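The setup Ian describes, as an added example that is not part of the thread or of anything either poster wrote: one table of name/MAC/IP triples drives both the ISC dhcpd fixed leases (a lease only for the matching MAC, no leases for anyone else) and an ipfw ruleset that first splits the layer 2 and layer 3 passes as the PACKET FLOW section of ipfw(8) advises, then binds each source IP to its MAC in a single layer 2 rule. Every name, MAC and address is constructed, the interface em0 and the 192.168.1.0/24 subnet are assumptions, and the rule syntax follows ipfw(8) of the FreeBSD 7/8 era; check it against the manual for the release in use.

```sh
#!/bin/sh
# Added example (not from the thread): one host table -> dhcpd fixed leases
# and an ipfw ruleset.  All names, MACs and addresses are constructed; the
# interface (em0) and subnet are assumptions.

IFACE=em0

# "name mac ip", one host per line.  In practice read this from a file.
HOSTS='alice 00:11:22:33:44:55 192.168.1.10
bob   00:11:22:33:44:66 192.168.1.11'

gen_dhcpd_conf() {
    # ISC dhcpd: a fixed-address per MAC, and "deny unknown-clients" so that
    # a machine without a host entry gets no lease at all.
    printf 'subnet 192.168.1.0 netmask 255.255.255.0 {\n'
    printf '    option routers 192.168.1.1;\n'
    printf '    deny unknown-clients;\n'
    printf '}\n'
    printf '%s\n' "$HOSTS" | while read -r name mac ip; do
        [ -n "$name" ] || continue
        printf 'host %s { hardware ethernet %s; fixed-address %s; }\n' \
            "$name" "$mac" "$ip"
    done
}

gen_ipfw_rules() {
    # Split the passes first, as PACKET FLOW in ipfw(8) suggests, so each
    # block below sees only one kind of packet and nothing is matched twice
    # (once from ether_demux, once from ip_input).
    echo "add 10 skipto 1000 all from any to any layer2 in"
    echo "add 20 skipto 2000 all from any to any layer2 out"
    echo "add 30 skipto 3000 all from any to any"

    # 1000: frames arriving from the wire via ether_demux().  For IP frames
    # the IP header is parsed as well, so one rule can require that a source
    # IP arrive from its assigned source MAC ("MAC dst src": dst comes first).
    printf '%s\n' "$HOSTS" | while read -r name mac ip; do
        [ -n "$name" ] || continue
        echo "add 1000 allow ip from $ip to any MAC any $mac in via $IFACE"
        echo "add 1000 allow all from any to any MAC any $mac mac-type arp in via $IFACE"
    done
    # Anything else on the LAN interface: wrong IP for that MAC, unknown MAC,
    # or some other ethertype.  Other interfaces fall through to layer 3.
    echo "add 1900 deny log all from any to any in via $IFACE"
    echo "add 1999 allow all from any to any"

    # 2000: frames leaving via ether_output_frame(); nothing to enforce here.
    echo "add 2000 allow all from any to any"

    # 3000: the ordinary layer 3 pass; the usual policy goes here.
    echo "add 3000 allow ip from any to any"
}

load_ipfw_rules() {
    # Layer 2 rules see no traffic unless net.link.ether.ipfw=1.  ipfw(8)
    # reads a file of "add ..." commands; -f skips the flush confirmation.
    tmp=$(mktemp /tmp/ipfw.XXXXXX) || return 1
    gen_ipfw_rules > "$tmp"
    sysctl net.link.ether.ipfw=1 > /dev/null &&
        ipfw -q -f flush &&
        ipfw -q "$tmp"
    status=$?
    rm -f "$tmp"
    return $status
}

# Usage: sh mac-lock.sh dhcpd  > dhcpd.conf fragment on stdout
#        sh mac-lock.sh rules  > ipfw ruleset on stdout
#        sh mac-lock.sh load     (as root on the FreeBSD gateway)
case "${1:-}" in
    dhcpd) gen_dhcpd_conf ;;
    rules) gen_ipfw_rules ;;
    load)  load_ipfw_rules ;;
esac
```

Two caveats that follow from the thread itself: this stops a host from using an IP that was not assigned to its MAC, but, as Ian says, not someone who knows the mapping and spoofs the MAC as well; and ipfw does not look inside ARP payloads, so the ARP rule only restricts which MACs may speak ARP, not which IP they claim in it.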