From owner-freebsd-stable@FreeBSD.ORG Tue Feb 15 22:55:09 2005
Return-Path:
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6426216A4CE for ; Tue, 15 Feb 2005 22:55:09 +0000 (GMT)
Received: from osiris.itlegion.ru (osiris.itlegion.ru [84.21.226.210]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4BF8443D48 for ; Tue, 15 Feb 2005 22:55:08 +0000 (GMT) (envelope-from matrix@itlegion.ru)
Received: from artem ([192.168.0.12]) by osiris.itlegion.ru (8.13.1/8.13.1) with SMTP id j1FMsqIA083861; Wed, 16 Feb 2005 01:54:52 +0300 (MSK) (envelope-from matrix@itlegion.ru)
X-AntiVirus: Checked by Dr.Web [version: 4.32b, engine: 4.32b, virus records: 65460, updated: 15.02.2005]
Message-ID: <000e01c513b2$1afde340$0c00a8c0@artem>
From: "Artem Kuchin"
To: "Scot Hetzel"
References: <200502142022.j1EKMl5R092740@lurza.secnetix.de> <022401c512d7$e0779890$0c00a8c0@artem> <790a9fff05021513124e6a016b@mail.gmail.com>
Date: Wed, 16 Feb 2005 02:00:05 +0300
Organization: IT Legion
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
cc: freebsd-stable@freebsd.org
Subject: Re: How to make ipfw consider MAC-IP match?
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Production branch of FreeBSD source code
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 15 Feb 2005 22:55:09 -0000

Scot Hetzel wrote:
> On Mon, 14 Feb 2005 23:58:03 +0300, Artem Kuchin wrote:
>> Hi!
>>
>> I have a table with ethernet (MAC) addresses matching IPs. It is
>> used to build the dhcp config file.
>> But regardless of that, any user can
>> assign his neighbour's IP while that PC is turned off and use it to
>> access the internet. The local IPs are 192.168. and are behind natd.
>> I am running 5.3-STABLE and have heard that ipfw2 can in some way
>> use MAC addresses, but how do I set up ipfw in such a way that
>> it allows a certain IP only from one and only one MAC address?
>> I hope you are getting my idea.
>>
> You would add the following to the end of your IPFW rules for each IP
> address you want to restrict.
>
> pass all from 192.168.0.10 to any mac any 10:20:30:40:50:60
>
> Where "10:20:30:40:50:60" is the MAC addr for IP addr 192.168.0.10.

I have tried static arp today and it seems like it works. As others mention, it is possible SOMETIMES to change the MAC address of a NIC, so static arp may fail as well as this firewall rule.

So, I am wondering which method is better: static arp entries or ipfw rules?

Artem
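The thread mentions that the MAC-to-IP table already drives the dhcp configuration, and discusses two ways of enforcing it: the ipfw layer-2 rule Scot posted, and static ARP entries. The script below is an added example, not code from either poster: it takes a constructed MAC/IP table, validates each entry, and emits both the ipfw rules (the posted `pass ... mac any <mac>` form followed by a `deny` for the same IP from any other MAC, which the posted rule alone does not provide) and the matching `arp -S` commands, so both mechanisms stay in sync with one source. The table contents, the base rule number and the LAN interface name (`rl0`) are assumptions; the generated commands are only printed, never executed.

```shell
#!/bin/sh
# Generate ipfw layer-2 rules and static ARP entries from one MAC/IP table.
# Added example; the table below is constructed, not from the thread.
MAC_IP_TABLE='192.168.0.10 10:20:30:40:50:60
192.168.0.11 10:20:30:40:50:61'

# check_table TABLE: return 0 if every line is "<ipv4> <mac>", 1 otherwise.
# Catches typos before they turn into rules that silently never match.
check_table() {
    pat='^([0-9]{1,3}\.){3}[0-9]{1,3}[[:space:]]+([0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}$'
    if printf '%s\n' "$1" | grep -Eqv "$pat"; then
        return 1
    fi
    return 0
}

# gen_ipfw_rules BASE LAN_IF: print ipfw commands binding each IP to its MAC.
# Layer-2 matching only happens when net.link.ether.ipfw=1 is set, and these
# rules must sit before the natd divert rule so spoofed frames never reach it.
# "mac any <src>" = any destination MAC, the given source MAC (ipfw order).
gen_ipfw_rules() {
    base="$1"
    lan_if="$2"
    n="$base"
    printf '%s\n' "$MAC_IP_TABLE" | while read -r ip mac; do
        [ -z "$ip" ] && continue
        # Frames carrying this IP from its registered MAC are allowed ...
        echo "ipfw add $n pass all from $ip to any mac any $mac layer2 in via $lan_if"
        n=$((n + 1))
        # ... and the same IP from any other MAC is dropped.
        echo "ipfw add $n deny all from $ip to any layer2 in via $lan_if"
        n=$((n + 1))
    done
}

# gen_arp_entries: print static ARP commands for the same table.
# arp -S replaces any existing (possibly poisoned) entry for the IP.
gen_arp_entries() {
    printf '%s\n' "$MAC_IP_TABLE" | while read -r ip mac; do
        [ -z "$ip" ] && continue
        echo "arp -S $ip $mac"
    done
}

# Dry run: validate, then print what would be applied.
main() {
    if ! check_table "$MAC_IP_TABLE"; then
        echo "malformed entry in MAC_IP_TABLE" >&2
        return 1
    fi
    echo "# sysctl net.link.ether.ipfw=1"
    gen_ipfw_rules 1000 rl0
    gen_arp_entries
}

[ "${RUN_EXAMPLE:-0}" = "1" ] && main
```

Neither output enforces anything on its own: both methods only bind an IP to whatever MAC a host presents, so a host that changes its MAC (as Artem notes is sometimes possible) passes both checks. The value of generating both from one table is that the DHCP leases, the firewall and the ARP cache never disagree with each other.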