From: Chuck Swiger
To: Yavuz Maşlak
Cc: freebsd-questions@freebsd.org
Date: Tue, 26 Jul 2011 08:01:56 -0700
Subject: Re: How to deny getting static ip address via pf ?

On Jul 26, 2011, at 3:44 AM, Yavuz Maşlak wrote:
> I use pf on freebsd as packet filter.
>
> I have a wireless area. The users get to the internet using automatic ip
> from the dhcp server.
> I wish to deny to assign a static ip address by manual.

You can't prevent someone from doing manual configuration.

If you were connecting via a smart switch, you can configure MAC address filtering on each of the switch ports and then use DHCPd to only assign each MAC to the right range or static IP, and then use an IP-based firewall to control traffic from there. If a user tried to spoof some other MAC, the switch would block such traffic.

However, with wireless, nothing prevents the users from spoofing other MACs.

Regards,
--
-Chuck
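
Added example (not part of the message above, and not code from the poster): since manual configuration cannot be prevented, a gateway can at least detect it by comparing the (IP, MAC) pairs in its ARP table with the active leases dhcpd has handed out. The sample data is constructed, and the ISC dhcpd.leases layout, the FreeBSD `arp -an` line format and the interface name wlan0 are assumptions. As the reply notes, a client that spoofs a leased MAC is not caught by this.

```python
import re

# Constructed sample of ISC dhcpd.leases content (not real data).
SAMPLE_LEASES = """\
lease 192.168.10.50 {
  ends 2 2011/07/26 16:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.168.10.51 {
  ends 2 2011/07/26 11:00:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:66;
}
"""

# Constructed sample of FreeBSD `arp -an` output (not real data).
SAMPLE_ARP = """\
? (192.168.10.1) at 00:11:22:33:44:01 on wlan0 permanent [ethernet]
? (192.168.10.50) at 00:11:22:33:44:55 on wlan0 expires in 1100 seconds [ethernet]
? (192.168.10.51) at 00:11:22:33:44:66 on wlan0 expires in 900 seconds [ethernet]
? (192.168.10.200) at 00:11:22:33:44:77 on wlan0 expires in 1180 seconds [ethernet]
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9a-fA-F:]+);")
STATE_RE = re.compile(r"^\s*binding state\s+(\w+);", re.M)  # skips "next binding state"
ARP_RE = re.compile(r"\((\S+)\) at ([0-9a-fA-F:]{17}) on (\S+)")

def active_leases(text):
    """Map IP -> MAC for active leases; a later block for an IP replaces an earlier one."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        mac, state = MAC_RE.search(body), STATE_RE.search(body)
        if mac and state and state.group(1) == "active":
            leases[ip] = mac.group(1).lower()
        else:
            leases.pop(ip, None)
    return leases

def unleased_hosts(arp_text, leases, iface, ignore=()):
    """Return (ip, mac) pairs seen on iface that no active lease accounts for."""
    return [(ip, mac.lower()) for ip, mac, ifc in ARP_RE.findall(arp_text)
            if ifc == iface and ip not in ignore
            and leases.get(ip) != mac.lower()]

if __name__ == "__main__":
    leases = active_leases(SAMPLE_LEASES)
    for ip, mac in unleased_hosts(SAMPLE_ARP, leases, "wlan0", ignore={"192.168.10.1"}):
        print(f"no active lease: {ip} {mac}")
```

The `ignore` set is for the gateway's own address and any hosts that are statically addressed on purpose.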