From owner-freebsd-isp Mon Sep 6 21:32:36 1999
Date: Tue, 7 Sep 1999 00:22:03 -0400 (EDT)
From: Barrett Richardson
To: Bartek Siebab
Cc: FreeBSD ISP
Subject: Re: Really static arp?
In-Reply-To: <001201bef890$f98e8a80$c805a0d4@stonehenge>

On Mon, 6 Sep 1999, Bartek Siebab wrote:

> Hi!
>
> I have many malicious users in my LAN. Many of them have
> access disabled to certain of our services, but if they change
> their ip address we can't filter them by ip.
>
> A user can change ip but his MAC address is static, but
> arp -S isn't a solution, because when a user has a new ip
> arp adds it to the cache and after arp -a we have a few entries
> for ip with a few MAC addresses, so traffic is passed from
> this ip (currently and temporarily not used by another user)!
>
> How to disable arp from doing this?
> How to set up the arp table really static?
> Maybe there are some solutions for ipfw based on MAC?

You could use 'arp -S' to publish arp entries for the whole
block of addresses that the lan could use. Associate the arp
entry for an assigned ip to a particular MAC address only, and
associate all unassigned ip addresses to the MAC address of the
FreeBSD box -- or you could assign unused ip addresses as aliases
to the FreeBSD box. That should hamper their network capabilities
if they change addresses.

- Barrett

>
> --
> Bartek Siebab bs@vt.pl
> bsiebab@rubikon.net.pl
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message
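The scheme described in the reply above, as an added example that is not part of the original message: a shell function that prints (without executing) one 'arp -S ... pub' line per address in the block, using the assigned MAC where one exists and the FreeBSD box's MAC otherwise. The function name, the 192.0.2.x addresses and the MAC values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. All addresses/MACs are constructed.

# gen_static_arp PREFIX FIRST LAST BOX_MAC ASSIGNMENTS
#   PREFIX       first three octets of the LAN block, e.g. 192.0.2
#   FIRST, LAST  range of host octets the LAN could use
#   BOX_MAC      MAC of the FreeBSD box, used for every unassigned address
#   ASSIGNMENTS  newline-separated "ip mac" pairs for assigned addresses
# Prints one "arp -S ip mac pub" line per address; returns 1 on a malformed MAC.
gen_static_arp() {
    prefix=$1; first=$2; last=$3; box_mac=$4; assignments=$5
    host=$first
    while [ "$host" -le "$last" ]; do
        ip="$prefix.$host"
        # Exact match on the ip field, so 192.0.2.1 never picks up 192.0.2.10's MAC.
        mac=$(printf '%s\n' "$assignments" |
              awk -v ip="$ip" '$1 == ip { print tolower($2); exit }')
        # Unassigned address: tie it to the FreeBSD box itself.
        [ -n "$mac" ] || mac=$box_mac
        # Refuse to emit a command with a malformed hardware address.
        if ! printf '%s\n' "$mac" |
             grep -Eq '^([0-9a-f]{1,2}:){5}[0-9a-f]{1,2}$'; then
            echo "bad MAC for $ip: $mac" >&2
            return 1
        fi
        echo "arp -S $ip $mac pub"
        host=$((host + 1))
    done
}

# Constructed sample: two assigned users in a four-address range.
ASSIGNED='192.0.2.10 02:00:00:00:01:0A
192.0.2.11 02:00:00:00:01:0b'
gen_static_arp 192.0.2 9 12 02:00:00:00:00:01 "$ASSIGNED"
```

Review the printed list before feeding it to a root shell on the FreeBSD box, and regenerate it whenever an address is assigned or released.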