From: Lowell Gilbert
To: freebsd-questions@freebsd.org
Subject: Re: Binding MAC to IP Statically
Date: 08 Sep 2003 09:14:09 -0400
Message-ID: <443cf7ifry.fsf@be-well.ilk.org>
In-Reply-To: <20030908075004.GA21373@telecom.sarkor.uz>
References: <00aa01c3757a$bf2b9430$0b4e1151@blackbox> <3F5B9086.9020404@mac.com> <447k4kgrt7.fsf@be-well.ilk.org> <20030908075004.GA21373@telecom.sarkor.uz>

thor@telecom.sarkor.uz (Timur) writes:

> no, it doesn't.. what it does - establishing static mapping from IP to
> MAC address.. Now I'm facing the same problem as original poster - how
> can I prevent users from changing their IP address to some other (from
> the same subnet)?.. Let's say I have a network 192.168.1.0/24.. I have
> few users - 192.168.1.{3,4,5}.. How can I prevent one user from
> changing his ip from 192.168.1.3 to 192.168.1.5? Now I see only one
> solution - use 'arp' command to statically assign MACs to used IP
> addresses and block traffic to unused IP addresses, but this looks a
> little ugly :) What I'd like is to be able to assign unused IP
> addresses to some 'invalid' MAC address, so that my router responds with
> 'host unreachable' to incoming packets destined to these addresses..

Yeah, that's true. My approach is to explicitly firewall off all of
the unused addresses.

> but.. there would be a tradeoff between having a large arp table and
> lots of firewall rules.

Somewhat, but less than you'd think. You need ARP entries for all of
the in-use addresses, anyway. What I do on my own network is to keep
the subnet as small as possible, to minimize the number of unused
addresses.
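
The approach discussed in this message (static ARP entries for the in-use addresses, a firewall block for the unused ones), as an added example that is not part of the original thread. It only prints the commands; the MAC addresses, the router at .1 and rule numbers 1000/1001 are constructed, and the single-rule form assumes ipfw2's address-set syntax is available on the router.

```shell
#!/bin/sh
# Added example: generate (not execute) the router commands for
# 192.168.1.0/24 with hosts .3, .4 and .5 in use.
NET="192.168.1"
ROUTER=1    # assumption: the router itself is 192.168.1.1
# Constructed sample data: last octet and MAC of each in-use host.
HOSTS="3 00:11:22:33:44:03
4 00:11:22:33:44:04
5 00:11:22:33:44:05"

# One static ARP entry per in-use address.
static_arp() {
    echo "$HOSTS" | while read -r octet mac; do
        echo "arp -s $NET.$octet $mac"
    done
}

# Collapse the unused host octets (1..254) into ranges, e.g. "2,6-254".
unused_ranges() {
    echo "$HOSTS" | awk -v router="$ROUTER" '
        BEGIN { used[router] = 1 }
        { used[$1] = 1 }
        END {
            out = ""; start = 0
            for (i = 1; i <= 255; i++) {        # 255 only closes the last range
                isfree = (i <= 254 && !(i in used))
                if (isfree && !start) start = i
                if (!isfree && start) {
                    r = (start == i - 1) ? start : start "-" (i - 1)
                    out = out (out == "" ? "" : ",") r
                    start = 0
                }
            }
            print out
        }'
}

# One ipfw2 address set covers every unused address, so the rule count
# does not grow with the subnet. The set is single-quoted because csh
# and bash would otherwise brace-expand it.
deny_rules() {
    set_spec="'$NET.0/24{$(unused_ranges)}'"
    echo "ipfw add 1000 deny ip from any to $set_spec"
    echo "ipfw add 1001 deny ip from $set_spec to any"
}

static_arp
deny_rules
```

Review the printed commands before pasting them on the router; the static ARP entries do not survive a reboot unless they are also loaded at startup.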