Date: Fri, 28 Dec 2001 11:49:28 -0800
From: Phil Staub
To: security@FreeBSD.ORG
Subject: Re: ipfw by MAC
Message-ID: <20011228114927.A43549@ke7hc.net>
Reply-To: phils@ke7hc.net
References: <20011227231154.M2090@blossom.cjclark.org>
In-Reply-To: <20011227231154.M2090@blossom.cjclark.org>; from cjc@FreeBSD.ORG on Thu, Dec 27, 2001 at 11:11:54PM -0800

On Thu, Dec 27, 2001 at 11:11:54PM -0800, Crist J . Clark wrote:
> On Thu, Dec 27, 2001 at 07:02:02PM -0800, John F Cuzzola wrote:
> >
> > Hi there,
> >
> > Does the latest version of FreeBSD allow you to create ipfw rules based
> > on MAC address instead of IP?
>
> No.

This sort of prompts a question I've been wondering about since the
@Home->attbi.com transition:

Has anyone addressed the issue of configuring a firewall with a
DHCP-assigned outside IP address?

I had been using hard-coded IP addresses in my firewall, because even
though @Home was theoretically using DHCP for IP address assignment, it
never changed, and the lease timeout was set really long (I think it
was a month or more), so "pretending" to have a static IP worked ok.

When I was switched to attbi.com, the DHCP lease period was reduced to
2 days, increasing the probability that someday my link will be down
when it comes time for a lease renewal, and I'm assuming that I very
likely would get a different IP address when the link returns.

If that happens, it means reworking the firewall rules with the new IP
address. Not an incredible burden, given the generally good uptime I've
experienced with the cable modem, but if it could be eliminated or
automated, I'd like to do so.

I suppose that tying the firewall rules to the MAC address would be one
way of doing that, but since that isn't supported, I'm curious if anyone
has come up with a different way of doing it.

Thanks,
Phil

--
Phil Staub, KE7HC
phils@ke7hc.net