From: Atanas Yankov
Date: Fri, 24 Mar 2006 13:25:45 +0200
To: freebsd-net@freebsd.org
Message-ID: <4423D739.1020607@LanGame.Net>
Subject: Re: How do you keep users from stealing other user's ip??
List-Id: Networking and TCP/IP with FreeBSD

Port security will help you when you want to ensure that a particular MAC address enters the switch on a particular port, but it will not prevent a user from changing their IP address. Static ARP is the most stupid thing that most administrators do, because the router never sends an ARP request to see whether the device is there and blindly sends traffic for this device encapsulated with a static MAC that does not exist in the bridging tables, and this traffic is unknown unicast, flooded across all the switches, bridges :)) and all devices. The impact can vary with the amount of traffic sent :)). My suggestion is to use Cisco's multihost 802.1x implementation or play with private VLANs.

br,
CCNP Atanas Yankov
Network Administrator
AngelSoft Ltd.

Jon Otterholm wrote:
> To prevent users from MAC-spoofing - buy a switch with some kind of
> "port-security". If you could lock down a port to just one MAC and
> have a static ARP on the router it would be pretty hard to spoof the
> MAC-address. With another MAC than the one associated with the port
> you simply will not be able to talk to anyone.
> To take security one step further you could use some kind of RADIUS
> authentication (MAC/user/computer/??).
>
> Dlink 3526/3550 have these functions. In addition you could lock down
> the switch so that "user-ports" only could talk to the uplink port and
> never with each other.
>
>
> And NO - I am not a Dlink employee, just a big fan.
>
> /Jon
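The unknown-unicast flooding described in Atanas Yankov's reply can be reproduced with a small model of a MAC-learning switch. This is an added example, not code from the thread; the addresses, port numbers and the `flooded_copies` helper are constructed for illustration, and aging of bridging-table entries is simplified to "host never seen".

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"
ROUTER_MAC, HOST_MAC = "02:00:00:00:00:01", "02:00:00:00:00:aa"  # constructed
ROUTER_PORT, HOST_PORT = 1, 2  # ports 3 and 4 belong to other users


class LearningSwitch:
    def __init__(self, ports):
        self.ports = set(ports)
        self.fdb = {}  # bridging table: MAC -> port

    def forward(self, in_port, src, dst):
        """Learn the source MAC, return the set of egress ports."""
        self.fdb[src] = in_port
        out = self.fdb.get(dst)
        if dst == BROADCAST or out is None:
            return self.ports - {in_port}  # broadcast or unknown unicast: flood
        return {out} - {in_port}


def flooded_copies(static_arp, host_online, packets=100):
    """Count data-frame copies delivered to ports other than the host's."""
    sw = LearningSwitch([1, 2, 3, 4])
    if host_online:
        sw.forward(HOST_PORT, HOST_MAC, BROADCAST)  # host talks, MAC is learned
    if static_arp:
        resolved = True  # router trusts the static entry and never probes
    else:
        sw.forward(ROUTER_PORT, ROUTER_MAC, BROADCAST)  # ARP request
        resolved = host_online  # only a present host answers
        if resolved:
            sw.forward(HOST_PORT, HOST_MAC, ROUTER_MAC)  # ARP reply
    leaked = 0
    for _ in range(packets if resolved else 0):
        egress = sw.forward(ROUTER_PORT, ROUTER_MAC, HOST_MAC)
        leaked += len(egress - {HOST_PORT})
    return leaked


if __name__ == "__main__":
    for static in (True, False):
        for online in (True, False):
            print(f"static_arp={static} host_online={online} "
                  f"copies_to_other_ports={flooded_copies(static, online)}")
```

Only the static-ARP case with an absent host delivers data frames to the other users' ports; with dynamic ARP the unanswered request means the router has nothing to send.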