Date:      Mon, 22 May 2000 11:08:14 -0700
From:      Andre Gironda <andre@sun4c.net>
To:        Blake Matheny <matheny@bussert.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Firewall Rules
Message-ID:  <20000522110814.A5867@toaster.sun4c.net>
In-Reply-To: <Pine.BSF.4.10.10005221304510.8452-100000@arf.bussert.com>; from Blake Matheny on Mon, May 22, 2000 at 01:08:30PM -0500
References:  <Pine.BSF.4.10.10005221304510.8452-100000@arf.bussert.com>


Blake,

If possible, you should try to segment off those users, because I don't
think there is a way with IPF or IPFW (or any firewall that I can think
of) to block MAC addresses specifically.

There is the VLAN Management Policy Server from Cisco Systems that is
available on their Catalyst series switches.  The idea behind it is
that you can put specific MAC addresses into particular VLANs.  I would
not trust it so well, but if you want further information look up VMPS.

Also, from LISA '99 there was a paper on doing MAC authentication
but it was with locked-down ports (but I assume this does not limit
DHCP depending on what you are doing):

Dealing with Public Ethernet Jacks - Switches, Gateways, and Authentication
http://www.ualberta.ca/~beck/authgw.html

There are actually a lot of ways to do this depending on what your
network looks like and what your requirements are.

dre

On Mon, May 22, 2000 at 01:08:30PM -0500, Blake Matheny wrote:
> Is there a way to deny by MAC address rather than IP address? I need to
> deny a group of computers (with static IPs) access to the internet, but
> if someone changes their IP (with DHCP) it doesn't do any good. These are
> Windows boxes with a FreeBSD firewall, no policies on the computers and if
> possible I would like to implement this only on the firewall level. Anyone
> got any advice? Thanks.
> -Blake
> 
> Blake Matheny
> Bussert Consulting
> Network Engineer
> (765)423-2100
> matheny@bussert.com
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 
This program has been brought to you by the language C and the number F.


