From owner-freebsd-hackers Sat Jun 29 14:49:29 2002
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8EC3337B400 for ; Sat, 29 Jun 2002 14:49:25 -0700 (PDT)
Received: from pintail.mail.pas.earthlink.net (pintail.mail.pas.earthlink.net [207.217.120.122]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2A67543E09 for ; Sat, 29 Jun 2002 14:49:25 -0700 (PDT) (envelope-from tlambert2@mindspring.com)
Received: from pool0102.cvx22-bradley.dialup.earthlink.net ([209.179.198.102] helo=mindspring.com) by pintail.mail.pas.earthlink.net with esmtp (Exim 3.33 #2) id 17OQ5o-0007Bp-00; Sat, 29 Jun 2002 14:49:21 -0700
Message-ID: <3D1E2B38.A70658EA@mindspring.com>
Date: Sat, 29 Jun 2002 14:48:40 -0700
From: Terry Lambert
X-Mailer: Mozilla 4.7 [en]C-CCK-MCD {Sony} (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Joao Carlos
Cc: Luigi Rizzo, Nielsen, Ken Ebling, freebsd-hackers@freebsd.org
Subject: Re: ipfw/dummynet suggestion
References: <000801c21f1c$029cefe0$0201a8c0@Ken> <3D1D4EB3.9410011@mindspring.com> <20020629170251.65DDB43E13@mx1.FreeBSD.org> <20020629110237.A73787@iguana.icir.org> <001f01c21f99$3c363cc0$1e6eb0c8@pchome>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Joao Carlos wrote:
> > several viruses do change the MAC address. The only real
> > security is to have one user per port and filter the ports.
> > Next step (but not as safe) is to wire down the arp table and only accept
> > things that are in there (will be easy to implement in the
> > new ipfw)
>
> I think it would be easier to deny all MAC addresses in the ipfw rules except
> those that you know, right?
Particularly, you should limit access to the antivirus server this way, so
that if anyone does get a virus that does this, they are screwed for all
time.

NOT.

Seriously, I'm wondering what "security restrictions" are so onerous that
users are willing to change their IP addresses to get around them, and why
they are there in the first place?

I'm also wishing I had your posting in time to wave in the face of someone
who once forced the implementation of a stupid access control model that
required network identification of particular users, on the theory that
users wouldn't do exactly what your users appear to be doing.

Finally, I'll suggest that if you truly want to implement this thing, that
the "correct" way to do it is probably to use the per machine NT Domain
Controller information via hacking up the code from the SAMBA project, so
that you can *ask* the NT domain controller for the credentials associated
with an IP address, since this access control model is why NT Domains were
designed.

-- Terry
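The two mechanisms the quoted text proposes, a MAC allowlist enforced by ipfw at layer 2 and a wired-down (static) ARP table, look like the script below when written out. This is an added example, not code from the thread or from the FreeBSD project: the interface name em0, the 192.0.2.x addresses, the MAC addresses and the rule numbers are all constructed, and the `layer2` / `MAC dst src` rule syntax assumed here is that of the later ipfw2 rather than whatever the 2002 "new ipfw" shipped with. The script only generates the commands (so it runs anywhere for inspection) and does not invoke ipfw, sysctl or arp itself. As the thread points out, a host that rewrites its own MAC address still walks straight through this; only per-switch-port binding closes that hole.

```shell
#!/bin/sh
# Added example (not from the thread): emit the ipfw layer-2 MAC allowlist
# and static ARP entries for a constructed list of (ip, mac) pairs.
# Assumed values: interface em0, addresses from 192.0.2.0/24 (documentation
# range), made-up MACs, rule numbers starting at 1000. Output is a script of
# commands; nothing is executed here, so this runs on any POSIX sh.

IFACE="${IFACE:-em0}"   # assumed LAN interface facing the users
BASE=1000               # assumed first rule number

# Constructed allowlist: one "ip mac" pair per line.
ALLOWLIST='192.0.2.10 00:11:22:33:44:55
192.0.2.11 00:11:22:33:44:66'

# gen_rules prints, in order:
#   1. the sysctl that makes ipfw see layer-2 frames at all;
#   2. per host: a static ARP entry (arp -S replaces any learned entry, so
#      the IP->MAC binding is no longer taken from the wire) and an ipfw
#      rule accepting inbound frames on $IFACE only from that source MAC;
#   3. a final layer-2 deny for every other inbound frame on $IFACE.
# Caveat (from the thread): a machine that changes its own MAC to one on the
# list is indistinguishable from the legitimate host; this is not a
# substitute for one-user-per-switch-port enforcement.
gen_rules() {
    rulenum=$BASE
    echo "sysctl net.link.ether.ipfw=1"
    printf '%s\n' "$ALLOWLIST" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        echo "arp -S $ip $mac"
        # MAC <dst> <src>: any destination, this exact source address
        echo "ipfw add $rulenum allow all from any to any layer2 in via $IFACE MAC any $mac"
        rulenum=$((rulenum + 10))
    done
    echo "ipfw add $((BASE + 500)) deny all from any to any layer2 in via $IFACE"
}

# count_rules returns how many command lines gen_rules produces, which
# should be 2 per allowlisted host plus the sysctl and the final deny.
count_rules() {
    gen_rules | grep -c .
}

# Run stand-alone to print the generated commands for review before
# pasting them into a real ipfw(8) session.
gen_rules
```

Review the output before applying it on a live box: the final deny rule drops every inbound layer-2 frame on the interface that earlier rules did not accept, which includes the ARP traffic of any host you forgot to list.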