Date: Mon, 8 Sep 2003 12:50:04 +0500
From: thor@telecom.sarkor.uz (Timur)
To: Lowell Gilbert <freebsd-questions-local@be-well.no-ip.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Binding MAC to IP Statically
Message-ID: <20030908075004.GA21373@telecom.sarkor.uz>
In-Reply-To: <447k4kgrt7.fsf@be-well.ilk.org>
References: <00aa01c3757a$bf2b9430$0b4e1151@blackbox> <3F5B9086.9020404@mac.com> <447k4kgrt7.fsf@be-well.ilk.org>

On Sun, Sep 07, 2003 at 06:24:52PM -0400, Lowell Gilbert wrote:
> Chuck Swiger <cswiger@mac.com> writes:
> 
> > Colin Watson wrote:
> > [ ...rewrapped to 80-columns... ]
> > > Any way to bind a MAC address statically to an IP? I wish to do this to
> > > prevent a user from changing his IP address on the subnet, so if he does he
> > > can't pass traffic. I have experimented with ipfw, but I can't quite see how
> > > I could accomplish the binding of an IP statically to a NIC's MAC. Any ideas
> > > would be appreciated.
> > 
> > IPFW2 lets you perform firewall actions on a MAC address, rather than an IP.
> > 
> > You can configure a DHCP server to statically allocate an IP address to
> > that machine via something like this in {/usr/local}/etc/dhcpd.conf:
> > 
> > host pi.codefab.com {
> >          hardware ethernet 00:00:00:00:00:00;
> >          fixed-address 66.234.138.67;
> > }
> 
> To be complete:
> The arp(8) command does literally what was asked for.
no, it doesn't..  what it does is establish a static mapping from IP to
MAC address..  Now I'm facing the same problem as the original poster - how
can I prevent users from changing their IP address to some other (from
the same subnet)?..  Let's say I have a network 192.168.1.0/24.. I have
a few users - 192.168.1.{3,4,5}..  How can I prevent one user from
changing his IP from 192.168.1.3 to 192.168.1.5?  Now I see only one
solution - use the 'arp' command to statically assign MACs to used IP
addresses and block traffic to unused IP addresses, but this looks a
little ugly :)  What I'd like is to be able to assign unused IP
addresses to some 'invalid' MAC address, so that my router responds with
'host unreachable' to incoming packets destined to these addresses..
but.. there would be a tradeoff between having a large arp table and
lots of firewall rules.
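The static-ARP approach discussed in the message above (real MACs for the addresses in use, a placeholder MAC for every unused address), as an added example that is not part of the original e-mail. It emits lines in the `hostname ether_addr` form read by `arp -f`; the router address, the sample MACs, the sink MAC and the one-address-per-MAC check are assumptions.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")
SINK_MAC = "02:00:00:00:00:01"  # assumption: a MAC no host on the segment uses


def build_arp_file(subnet, bindings, router_ip, sink_mac=SINK_MAC):
    """Return 'ip mac' lines for every host address in subnet.

    Addresses in `bindings` keep their real MAC; every other address is
    pointed at sink_mac, a MAC that no live host accepts frames for.
    """
    net = ipaddress.ip_network(subnet)
    router = ipaddress.ip_address(router_ip)
    pinned, owner = {}, {}
    for ip_text, mac in bindings.items():
        ip, mac = ipaddress.ip_address(ip_text), mac.lower()
        if ip not in net or ip in (net.network_address, net.broadcast_address):
            raise ValueError(f"{ip} is not a host address in {net}")
        if ip == router:
            raise ValueError(f"{ip} is the router's own address")
        if not MAC_RE.match(mac) or mac == sink_mac:
            raise ValueError(f"bad MAC for {ip}: {mac}")
        if mac in owner:  # assumed policy: one NIC gets exactly one address
            raise ValueError(f"{mac} bound to both {owner[mac]} and {ip}")
        owner[mac] = ip
        pinned[ip] = mac
    # The router's own address is skipped; it needs no ARP entry for itself.
    return [f"{h} {pinned.get(h, sink_mac)}" for h in net.hosts() if h != router]


# Constructed sample data: the subnet and user addresses come from the
# message; the MACs and the router address 192.168.1.1 are made up.
SAMPLE = {
    "192.168.1.3": "00:11:22:33:44:03",
    "192.168.1.4": "00:11:22:33:44:04",
    "192.168.1.5": "00:11:22:33:44:05",
}

if __name__ == "__main__":
    print("\n".join(build_arp_file("192.168.1.0/24", SAMPLE, "192.168.1.1")))
```

Saved to a file, the output can be loaded with `arp -f <file>`. It fixes only which MAC the router sends to for each address, so the table grows to one entry per host address in the subnet.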
