Date:      08 Sep 2003 09:14:09 -0400
From:      Lowell Gilbert <freebsd-questions-local@be-well.no-ip.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: Binding MAC to IP Statically
Message-ID:  <443cf7ifry.fsf@be-well.ilk.org>
In-Reply-To: <20030908075004.GA21373@telecom.sarkor.uz>
References:  <00aa01c3757a$bf2b9430$0b4e1151@blackbox> <3F5B9086.9020404@mac.com> <447k4kgrt7.fsf@be-well.ilk.org> <20030908075004.GA21373@telecom.sarkor.uz>

thor@telecom.sarkor.uz (Timur) writes:

> no, it doesn't..  what it does - establishing static mapping from IP to
> MAC address..  Now I'm facing the same problem as original poster - how
> can I prevent users from changing their IP address to some other (from
> the same subnet)?..  Let's say I have a network 192.168.1.0/24.. I have
> few users - 192.168.1.{3,4,5}..  How can I prevent one user from
> changing his ip from 192.168.1.3 to 192.168.1.5?  Now I see only one
> solution - use 'arp' command to statically assign MACs to used IP
> addresses and block traffic to unused IP addresses, but this looks a
> little ugly :)  What I'd like is to be able to assign unused IP
> addresses to some 'invalid' MAC address, so that my router responds with
> 'host unreachable' to incoming packets destined to these addresses..

Yeah, that's true.  My approach is to explicitly firewall off all of
the unused addresses.

> but.. there would be a tradeoff between having a large arp table and
> lots of firewall rules.

Somewhat, but less than you'd think.  You need ARP entries for all of
the in-use addresses, anyway.  What I do on my own network is to keep
the subnet as small as possible, to minimize the number of unused
addresses.  
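
Added example, not part of the original message: a Python sketch of the approach discussed in this thread, emitting static `arp -s` entries for the in-use addresses and `ipfw` deny rules for the unused ones, collapsed into CIDR blocks so the rule count can be compared between a /24 and a smaller subnet. The MAC addresses, the router address 192.168.1.1 and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: the thread's three users, with documentation-range MACs.
ASSIGNMENTS = {
    "192.168.1.3": "00:00:5e:00:53:03",
    "192.168.1.4": "00:00:5e:00:53:04",
    "192.168.1.5": "00:00:5e:00:53:05",
}
ROUTER = "192.168.1.1"  # assumed router address, not given in the thread


def unused_blocks(subnet, assignments, router):
    """Collapse every unassigned host address in `subnet` into CIDR blocks."""
    net = ipaddress.ip_network(subnet)
    used = {ipaddress.ip_address(ip) for ip in assignments}
    used.add(ipaddress.ip_address(router))
    stray = sorted(ip for ip in used if ip not in net)
    if stray:
        raise ValueError(f"addresses outside {net}: {stray}")
    free = [ipaddress.ip_network(f"{h}/32") for h in net.hosts() if h not in used]
    return list(ipaddress.collapse_addresses(free))


def render(subnet, assignments, router):
    """Return (arp commands, ipfw rules) as lists of strings."""
    arp = [f"arp -s {ip} {mac}"
           for ip, mac in sorted(assignments.items(),
                                 key=lambda kv: ipaddress.ip_address(kv[0]))]
    fw = []
    for block in unused_blocks(subnet, assignments, router):
        # Drop traffic both sourced from and destined to an unassigned address.
        fw.append(f"ipfw add deny ip from {block} to any")
        fw.append(f"ipfw add deny ip from any to {block}")
    return arp, fw


if __name__ == "__main__":
    for subnet in ("192.168.1.0/24", "192.168.1.0/29"):
        arp, fw = render(subnet, ASSIGNMENTS, ROUTER)
        print(f"# {subnet}: {len(arp)} static ARP entries, {len(fw)} firewall rules")
        print("\n".join(arp + fw))
```

The generated commands are printed for review rather than executed; the number of ARP entries stays the same in both subnets while the deny rules shrink with the subnet.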


