Date:      Thu, 14 May 2009 17:51:39 +1000 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Brett Glass <brett@lariat.net>
Cc:        net@freebsd.org
Subject:   Re: MAC locking and filtering in FreeBSD
Message-ID:  <20090514170535.Y46325@sola.nimnet.asn.au>
In-Reply-To: <200905140640.AAA25118@lariat.net>
References:  <200905131648.KAA15455@lariat.net> <20090514155226.Y46325@sola.nimnet.asn.au> <200905140640.AAA25118@lariat.net>

On Thu, 14 May 2009, Brett Glass wrote:
 > At 12:17 AM 5/14/2009, Ian Smith wrote:
 >  
 > >You can use fixed leases with MAC specified in dhcp for that, 
 > 
 > This lets you assign specific addresses to machines with specific MAC 
 > addresses. But it doesn't inhibit MAC address "cloning," and the DHCP 
 > server cannot force a machine to use a specific IP or stop it from 
 > using one that was not assigned to it.

You can have it only issue a lease for a given IP to a machine with the 
correct MAC, and issue no leases to any other machines; at least, that 
works for us.  Of course that can't prevent someone who a) knows the IP 
address to MAC mapping, and b) can spoof the MAC address.  I don't know 
what could prevent that, but it's hardly the common scenario.

Then have ipfw refuse traffic from addresses other than those allowed.

 > >Re ipfw(8), I'm not clear on what your problem is: the section PACKET 
 > >FLOW shows clearly how to distinguish layer 2 from layer 3 traffic.
 > 
 > The problem is that you cannot test both the MAC address and the IP 
 > address in the same rule -- at least in the current implementation.

Assuming you have net.link.ether.ipfw=1 to get layer 2 packets, and are 
separating your layer 2 packets for testing as shown under PACKET FLOW, 
can you show us the rule to do just that, that isn't working right?

 > >Your 'vice versa' here isn't correct; you can select by layer 3 criteria 
 > >on packets from ether_demux, 
 > 
 > The docs say that you can't.

Please point out where ipfw(8) says that?

cheers, Ian
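The setup Ian describes above (fixed leases keyed by MAC, no leases for anyone else, and ipfw refusing traffic from addresses other than the allowed ones) as an added example; this is not code from the thread or from FreeBSD, and it is not the rule Brett was asked to post. It builds both the dhcpd.conf host entries and an ipfw rule file from one MAC-to-IP table, so the two cannot drift apart. Assumed, and not stated on the page: the inside interface is em0, the rules occupy numbers 1000 and up, and the host names and addresses in the table are constructed sample data. The ipfw lines follow the ipfw(8) grammar (MAC dst src, layer2, mac-type, in via ifname); syntax-check them on the target box with ipfw -n before loading.

```sh
#!/bin/sh
# Added example (not from the thread): one MAC->IP table feeds both
# dhcpd.conf fixed leases and ipfw layer-2 rules.
# Assumptions: inside interface em0; rules numbered from 1000;
# net.link.ether.ipfw=1 so frames from ether_demux reach ipfw at all.

lan=em0      # assumed LAN interface
base=1000    # assumed first rule number for this block

# Constructed sample table, one host per line: name mac ip
hosts='
pc1 00:11:22:33:44:55 192.168.1.10
pc2 00:11:22:33:44:66 192.168.1.11
'

# dhcpd.conf fragment: a fixed lease per MAC, and no lease for any
# MAC that is not listed (deny unknown-clients).
dhcpd_conf() {
    printf 'deny unknown-clients;\n'
    printf '%s\n' "$hosts" | while read -r name mac ip; do
        [ -n "$name" ] || continue
        printf 'host %s {\n' "$name"
        printf '    hardware ethernet %s;\n' "$mac"
        printf '    fixed-address %s;\n' "$ip"
        printf '}\n'
    done
}

# ipfw rule file (load with: ipfw -q /path/to/file). Every allow rule
# tests the IP source and the source MAC in the same rule; "layer2"
# keeps these rules from also firing on the second, IP-layer pass of
# the same packet. Inbound IPv4 frames whose IP/MAC pair is not in the
# table fall through to the deny. Non-IP frames (ARP etc.) are left to
# the rest of the ruleset.
ipfw_rules() {
    n=$base
    printf '%s\n' "$hosts" | while read -r name mac ip; do
        [ -n "$name" ] || continue
        printf 'add %d allow ip from %s to any MAC any %s layer2 in via %s\n' \
            "$n" "$ip" "$mac" "$lan"
        n=$((n + 1))
    done
    # 0x0800 is the Ethernet type for IPv4
    printf 'add %d deny ip from any to any mac-type 0x0800 layer2 in via %s\n' \
        $((base + 500)) "$lan"
}

# Usage: dhcpd_conf >> /usr/local/etc/dhcpd.conf
#        ipfw_rules > /etc/ipfw.macrules && ipfw -q /etc/ipfw.macrules
```

This stops a host from using an address that was not assigned to it, which is exactly what the DHCP server alone cannot do. As Ian notes, it does not stop someone who both knows the mapping and can spoof the MAC; the MAC is not a credential. Remember that with net.link.ether.ipfw=1 the same IP packet is checked once as a layer-2 frame and once at the IP layer, so rules without layer2 or not layer2 should be reviewed for what they now match.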



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090514170535.Y46325>