From owner-freebsd-security  Mon May 22 19:24:45 2000
Delivered-To: freebsd-security@freebsd.org
Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207])
	by hub.freebsd.org (Postfix) with ESMTP id 8E9B537B64D
	for <freebsd-security@FreeBSD.ORG>; Mon, 22 May 2000 19:24:42 -0700 (PDT)
	(envelope-from cjc@cc942873-a.ewndsr1.nj.home.com)
Received: (from cjc@localhost)
	by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.9.3) id WAA37181;
	Mon, 22 May 2000 22:23:30 -0400 (EDT)
	(envelope-from cjc)
Date: Mon, 22 May 2000 22:23:29 -0400
From: "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com>
To: Andre Gironda <andre@sun4c.net>
Cc: Blake Matheny <matheny@bussert.com>, freebsd-security@FreeBSD.ORG
Subject: Re: Firewall Rules
Message-ID: <20000522222329.C36986@cc942873-a.ewndsr1.nj.home.com>
Reply-To: cjclark@home.com
References: <Pine.BSF.4.10.10005221304510.8452-100000@arf.bussert.com> <20000522110814.A5867@toaster.sun4c.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <20000522110814.A5867@toaster.sun4c.net>; from andre@sun4c.net on Mon, May 22, 2000 at 11:08:14AM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, May 22, 2000 at 11:08:14AM -0700, Andre Gironda wrote:
> 
> Blake,
> 
> If possible, you should try to segment off those users, because I don't
> think there is a way with IPF or IPFW (or any firewall that I can think
> of) to block MAC addresses specifically.

Wouldn't it be possible to essentially dev-null all but a fixed list
of IP-MAC pairs? This would not be a deny list, but rather an accept
list and then a default deny. That may or may not be acceptable.

I believe this can be done by turning off ARP on the interface and
using arp(8) to build a static MAC-IP mapping of your own.

Just a pretty easy to do idea.

> On Mon, May 22, 2000 at 01:08:30PM -0500, Blake Matheny wrote:
> > Is there a way to deny by mac address rather than ip address? I need to
> > deny a group of computers (with static ip's) access to the internet, but
> > if someone changes their ip (with DHCP) it doesn't do any good. These are
> > windows boxes with a freebsd firewall, no policies on the computers and if
> > possible I would like to implement this only on the firewall level. Anyone
> > got any advice? Thanks.
> > -Blake
> > 
> > Blake Matheny
> > Bussert Consulting
> > Network Engineer
> > (765)423-2100
> > matheny@bussert.com
-- 
Crist J. Clark                           cjclark@home.com


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message