Date: 08 Sep 2003 09:14:09 -0400
From: Lowell Gilbert <freebsd-questions-local@be-well.no-ip.com>
To: freebsd-questions@freebsd.org
Subject: Re: Binding MAC to IP Statically
Message-ID: <443cf7ifry.fsf@be-well.ilk.org>
In-Reply-To: <20030908075004.GA21373@telecom.sarkor.uz>
References: <00aa01c3757a$bf2b9430$0b4e1151@blackbox> <3F5B9086.9020404@mac.com> <447k4kgrt7.fsf@be-well.ilk.org> <20030908075004.GA21373@telecom.sarkor.uz>

thor@telecom.sarkor.uz (Timur) writes:

> no, it doesn't.. what it does - establishing static mapping from IP to
> MAC address.. Now I'm facing the same problem as original poster - how
> can I prevent users from changing their IP address to some other (from
> the same subnet)?.. Let's say I have a network 192.168.1.0/24.. I have
> few users - 192.168.1.{3,4,5}.. How can I prevent one user from
> changing his ip from 192.168.1.3 to 192.168.1.5? Now I see only one
> solution - use 'arp' command to statically assign MACs to used IP
> addresses and block traffic to unused IP addresses, but this looks a
> little ugly :) What I'd like is to be able to assign unused IP
> addresses to some 'invalid' MAC address, so that my router responds with
> 'host unreachable' to incoming packets destined to these addresses..

Yeah, that's true. My approach is to explicitly firewall off all of
the unused addresses.

> but.. there would be a tradeoff between having a large arp table and
> lots of firewall rules.

Somewhat, but less than you'd think. You need ARP entries for all of
the in-use addresses, anyway. What I do on my own network is to keep
the subnet as small as possible, to minimize the number of unused
addresses.
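
An added sketch, not part of the original message, of the approach discussed above: static ARP entries for the in-use addresses and ipfw deny rules for the unused ones, which also shows how the rule count shrinks with the subnet. The inventory, MAC addresses, gateway address 192.168.1.1 and rule numbers are constructed assumptions; the script only prints the commands and does not run them.

```sh
#!/bin/sh
# Constructed inventory: one "IP MAC" pair per line (sample MACs, not real hosts).
INVENTORY='192.168.1.3 00:11:22:33:44:03
192.168.1.4 00:11:22:33:44:04
192.168.1.5 00:11:22:33:44:05'

# Assumed address of the router itself; it must never be firewalled off.
GATEWAY='192.168.1.1'

# gen_rules PREFIX FIRST LAST [RULE_BASE]
# Walks PREFIX.FIRST .. PREFIX.LAST and prints:
#   - "arp -s IP MAC" for every address listed in INVENTORY
#   - a pair of ipfw deny rules (to and from) for every other address
gen_rules() {
    prefix=$1
    first=$2
    last=$3
    rule=${4:-1000}
    host=$first
    while [ "$host" -le "$last" ]; do
        ip="$prefix.$host"
        host=$((host + 1))
        # Skip the router's own address.
        [ "$ip" = "$GATEWAY" ] && continue
        # Look the address up in the inventory (exact match on field 1).
        mac=$(printf '%s\n' "$INVENTORY" |
              awk -v ip="$ip" '$1 == ip { print $2 }')
        if [ -n "$mac" ]; then
            # In use: pin the IP to its known MAC.
            echo "arp -s $ip $mac"
        else
            # Unused: drop traffic addressed to it and claiming to be from it.
            echo "ipfw add $rule deny ip from any to $ip"
            echo "ipfw add $((rule + 1)) deny ip from $ip to any"
            rule=$((rule + 2))
        fi
    done
}

# count_rules PREFIX FIRST LAST: number of ipfw rules gen_rules would emit.
count_rules() {
    gen_rules "$1" "$2" "$3" | grep -c '^ipfw add '
}

echo "/24 (hosts 1-254): $(count_rules 192.168.1 1 254) firewall rules"
echo "/29 (hosts 1-6):   $(count_rules 192.168.1 1 6) firewall rules"
gen_rules 192.168.1 1 6
```

With three hosts in use, the /24 needs 500 deny rules while a /29 needs only 4; the number of `arp -s` entries is 3 in both cases.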