From owner-freebsd-security  Mon May 22 11:06:23 2000
Delivered-To: freebsd-security@freebsd.org
Received: from toaster.sun4c.net (toaster.sun4c.net [63.193.27.6])
	by hub.freebsd.org (Postfix) with ESMTP id 2031F37BBC9
	for ; Mon, 22 May 2000 11:06:17 -0700 (PDT)
	(envelope-from andre@toaster.sun4c.net)
Received: (from andre@localhost)
	by toaster.sun4c.net (8.9.3+openldap/8.9.3) id LAA05887;
	Mon, 22 May 2000 11:08:14 -0700 (PDT)
Date: Mon, 22 May 2000 11:08:14 -0700
From: Andre Gironda
To: Blake Matheny
Cc: freebsd-security@freebsd.org
Subject: Re: Firewall Rules
Message-ID: <20000522110814.A5867@toaster.sun4c.net>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95i
In-Reply-To: ; from Blake Matheny on Mon, May 22, 2000 at 01:08:30PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Blake,

If possible, you should try to segment off those users, because I don't
think there is a way with IPF or IPFW (or any firewall that I can think of)
to block MAC addresses specifically.

There is the VLAN management policy server from Cisco Systems that is
available on their Catalyst series switches. The idea behind it is that you
can put specific MAC addresses into particular VLANs. I would not trust it
so well, but if you want further information, look up VMPS.

Also, from LISA '99 there was a paper on doing MAC authentication, but it
was with locked-down ports (but I assume this does not limit DHCP, depending
on what you are doing):

Dealing with Public Ethernet Jacks - Switches, Gateways, and Authentication
http://www.ualberta.ca/~beck/authgw.html

There are actually a lot of ways to do this depending on what your network
looks like and what your requirements are.

dre

On Mon, May 22, 2000 at 01:08:30PM -0500, Blake Matheny wrote:
> Is there a way to deny by MAC address rather than IP address? I need to
> deny a group of computers (with static IPs) access to the internet, but
> if someone changes their IP (with DHCP) it doesn't do any good. These are
> Windows boxes with a FreeBSD firewall, no policies on the computers, and if
> possible I would like to implement this only on the firewall level. Anyone
> got any advice? Thanks.
> -Blake
>
> Blake Matheny
> Bussert Consulting
> Network Engineer
> (765)423-2100
> matheny@bussert.com
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 
This program has been brought to you by the language C and the number F.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
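Added example, not part of the thread and not something either poster wrote. Andre's point stands: IPFW as discussed here filters on IP addresses, not MACs. The firewall-only workaround Blake's situation leaves open is to keep IP rules in step with the MAC you actually care about: read the firewall's own ARP table (MAC to IP for every host on the inside segment that has talked recently), pick out the IPs currently held by blocked MACs, and regenerate the IPFW deny rules from that. A client that takes a new DHCP lease then loses its access again the next time the script runs. Everything concrete below is a hypothetical assumption: the interface name fxp0, the MACs and addresses in the constructed arp -an sample, and rule number 1000. FreeBSD's arp(8) prints MAC groups without leading zeros ("0:a0:c9:1:2:3") and lists unresolved hosts as "(incomplete)"; the script handles both.

```shell
#!/bin/sh
# Added example (not from the thread): derive IPFW deny rules from the ARP
# table for a list of blocked MAC addresses. Hypothetical values throughout:
# interface fxp0, the sample MACs/IPs, rule number 1000.

# Normalize a MAC: lowercase, every group zero-padded to two hex digits.
# arp(8) prints "0:a0:c9:1:2:3"; blocklists are written "00:a0:c9:01:02:03".
norm_mac() {
    printf '%s\n' "$1" | awk -F: '{
        out = ""
        for (i = 1; i <= NF; i++) {
            o = tolower($i)
            if (length(o) == 1) o = "0" o
            out = out (i > 1 ? ":" : "") o
        }
        print out
    }'
}

# $1: text of "arp -an" output, $2: blocked MACs separated by whitespace.
# Prints the IPv4 addresses currently mapped to a blocked MAC, one per line.
# Entries that read "at (incomplete)" carry no MAC and are skipped.
blocked_ips() {
    block=" "
    for m in $2; do
        block="$block$(norm_mac "$m") "
    done
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            *"at (incomplete)"*) continue ;;
            *") at "*) ;;
            *) continue ;;
        esac
        # "? (192.168.1.10) at 0:a0:c9:1:2:3 on fxp0 [ethernet]"
        ip=${line#*\(}; ip=${ip%%\)*}
        mac=${line#*\) at }; mac=${mac%% *}
        case "$block" in
            *" $(norm_mac "$mac") "*) printf '%s\n' "$ip" ;;
        esac
    done
}

# $1: IPs one per line, $2: inside interface. Prints the ipfw(8) commands.
# All generated rules share number 1000 (hypothetical), so a single
# "ipfw delete 1000" drops the previous set before the fresh one is added;
# an address a blocked host no longer holds therefore stops being denied.
ipfw_rules() {
    printf 'ipfw -q delete 1000 2>/dev/null || true\n'
    printf '%s\n' "$1" | while IFS= read -r ip; do
        [ -n "$ip" ] || continue
        printf 'ipfw -q add 1000 deny ip from %s to any via %s\n' "$ip" "$2"
    done
}

# Constructed sample of "arp -an" output and a blocklist (hypothetical values).
SAMPLE_ARP='? (192.168.1.10) at 0:a0:c9:1:2:3 on fxp0 [ethernet]
? (192.168.1.20) at 0:50:56:aa:bb:cc on fxp0 [ethernet]
? (192.168.1.30) at 0:e0:29:ab:cd:ef on fxp0 [ethernet]
? (192.168.1.50) at (incomplete) on fxp0'
BLOCKED_MACS='00:A0:C9:01:02:03 00:e0:29:ab:cd:ef'

# Stand-alone run prints the commands. On the firewall you would use live
# data and apply them:  ipfw_rules "$(blocked_ips "$(arp -an)" "$BLOCKED_MACS")" fxp0 | sh
ipfw_rules "$(blocked_ips "$SAMPLE_ARP" "$BLOCKED_MACS")" fxp0
```

Run it from cron every minute or so: the ARP table only holds hosts that have exchanged frames recently, so a host that was silent at the last run gets its new address picked up on the next one, and between runs it has whatever access the existing rules give it. The limitation is the one the reply above points at: a user who changes the MAC as well as the IP walks straight past this, which is what segmenting the users, VMPS, or an authenticating gateway on locked-down ports is for.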