From: thor@telecom.sarkor.uz (Timur)
Date: Mon, 8 Sep 2003 12:50:04 +0500
To: Lowell Gilbert
Cc: freebsd-questions@freebsd.org
Subject: Re: Binding MAC to IP Statically
Message-ID: <20030908075004.GA21373@telecom.sarkor.uz>

On Sun, Sep 07, 2003 at 06:24:52PM -0400, Lowell Gilbert wrote:
> Chuck Swiger writes:
>
> > Colin Watson wrote:
> > [ ...rewrapped to 80-columns... ]
> > > Any way to bind a MAC address statically to an IP? I wish to do this to
> > > prevent a user from changing his IP address on the subnet, so if he does he
> > > can't pass traffic. I have experimented with ipfw, but I can't quite see how
> > > I could accomplish the binding of an IP statically to a nic's MAC. Any ideas
> > > be appreciated.
> >
> > IPFW2 lets you perform firewall actions on a MAC address, rather than an IP.
> >
> > You can configure a DHCP server to statically allocate an IP address to
> > that machine via something like this in {/usr/local}/etc/dhcpd.conf:
> >
> > host pi.codefab.com {
> >     hardware ethernet 00:00:00:00:00:00;
> >     fixed-address 66.234.138.67;
> > }
>
> To be complete:
> The arp(8) command does literally what was asked for.

no, it doesn't.. what it does - establishing static mapping from IP to
MAC address..

Now I'm facing the same problem as the original poster - how can I prevent
users from changing their IP address to some other (from the same
subnet)?.. Let's say I have a network 192.168.1.0/24.. I have a few users -
192.168.1.{3,4,5}.. How can I prevent one user from changing his IP from
192.168.1.3 to 192.168.1.5?

Now I see only one solution - use the 'arp' command to statically assign MACs
to used IP addresses and block traffic to unused IP addresses, but this
looks a little ugly :)

What I'd like is to be able to assign unused IP addresses to some
'invalid' MAC address, so that my router responds with 'host unreachable'
to incoming packets destined to these addresses.. but.. there would be a
tradeoff between having a large arp table and lots of firewall rules.
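
The approach described in the message above (static `arp -s` entries for assigned addresses, firewall blocks for the rest), as an added example that is not part of the original post: it generates both command lists and collapses the unused addresses into CIDR blocks so the ipfw rule count stays small. The MAC addresses, the router at 192.168.1.1 and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample inventory: the IP addresses are the ones named in the
# post, the MAC addresses are made up for this example.
BINDINGS = {
    "192.168.1.3": "00:11:22:33:44:03",
    "192.168.1.4": "00:11:22:33:44:04",
    "192.168.1.5": "00:11:22:33:44:05",
}


def unused_blocks(subnet, used_ips, router_ip):
    """Collapse every unassigned host address in subnet into the fewest CIDR blocks."""
    net = ipaddress.ip_network(subnet)
    taken = {ipaddress.ip_address(ip) for ip in used_ips}
    taken.add(ipaddress.ip_address(router_ip))  # assumed router address
    stray = [ip for ip in taken if ip not in net]
    if stray:
        raise ValueError(f"addresses outside {net}: {sorted(map(str, stray))}")
    # hosts() skips the network and broadcast addresses, so those are never blocked.
    free = [ipaddress.ip_network(str(h)) for h in net.hosts() if h not in taken]
    return list(ipaddress.collapse_addresses(free))


def build_commands(subnet, bindings, router_ip):
    """Return (arp_cmds, ipfw_cmds) to run on the router."""
    ordered = sorted(bindings.items(), key=lambda kv: ipaddress.ip_address(kv[0]))
    # One static ARP entry per assigned address: the router only ever sends
    # traffic for that IP to the registered MAC.
    arp_cmds = [f"arp -s {ip} {mac}" for ip, mac in ordered]
    # One deny rule per collapsed block of unassigned addresses.
    ipfw_cmds = [
        f"ipfw add deny ip from any to {block}"
        for block in unused_blocks(subnet, bindings, router_ip)
    ]
    return arp_cmds, ipfw_cmds


if __name__ == "__main__":
    arp_cmds, ipfw_cmds = build_commands("192.168.1.0/24", BINDINGS, "192.168.1.1")
    print("\n".join(arp_cmds + ipfw_cmds))
```

For this /24 with three users, the 250 unassigned host addresses collapse into 13 deny rules, which is the firewall-rule side of the tradeoff the message mentions.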