From: Chuck Swiger <cswiger@mac.com>
Date: Fri, 07 Sep 2007 12:53:05 -0400
To: Stephen GL
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Allow only match both mac address and IP address
Message-ID: <46E181F1.2030404@mac.com>
In-Reply-To: <456319.24028.qm@web56801.mail.re3.yahoo.com>
List-Id: IPFW Technical Discussions

Stephen GL wrote:
[ ... ]
> I am very new to IPFW. I'm on FreeBSD 6.0.
> My job is to pass anyone that has both a valid MAC and IP address.
> At the beginning of my rules I check for the valid MAC addresses that can get through.
> If that passes, the next rule checks the IP address.
> If that passes, he/she can get through.
>
> Everything works as expected. My problem is that the above rules don't check
> the MAC and IP address pairing. Assume someone spoofs another MAC address; they
> can pass by changing the IP address to another's.

The way to deal with people who screw up your network by spoofing the MAC and IP address of another machine is to fire them or drop them as a customer, depending on the relationship.

However, if you really need to provide IP access to people whom you can't trust not to play such games, consider switching to something which requires authentication, such as PPPoE.

--
-Chuck
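For readers who want to see what binding each MAC to its IP in a single ipfw rule looks like (rather than the two separate checks the question describes), here is an added example, not from the thread or the FreeBSD project. It is a POSIX shell generator that prints the ipfw commands instead of running them; the interface name, subnet, rule numbers and the (MAC, IP) table are constructed sample values.

```shell
#!/bin/sh
# Constructed sample table of permitted (source MAC, source IP) pairs.
# Replace with the real pairs for the LAN segment being filtered.
PAIRS='00:11:22:33:44:55 192.168.1.10
00:11:22:33:44:66 192.168.1.11'

# Print ipfw commands that admit only frames whose source MAC and source IP
# form one of the listed pairs and deny every other frame from the subnet.
#   $1 = inbound interface, $2 = LAN subnet, $3 = first rule number
# Output is printed, not executed, so it can be reviewed before use.
gen_pair_rules() {
    iface=$1; subnet=$2; num=$3
    # Layer-2 rules only see frames once this sysctl is enabled.
    echo "sysctl net.link.ether.ipfw=1"
    echo "$PAIRS" | while read -r mac ip; do
        [ -n "$mac" ] || continue
        # One rule per pair: "MAC any <src-mac>" matches the Ethernet source,
        # and ipfw still parses the IP header in layer2 mode, so the
        # "from <ip>" test is applied to the same frame.
        echo "ipfw add $num allow ip from $ip to any MAC any $mac in via $iface layer2"
        num=$((num + 1))
    done
    # Anything from the subnet that did not match a pair (spoofed MAC,
    # spoofed IP, or an unregistered host) is logged and dropped.
    echo "ipfw add $((num + 100)) deny log ip from $subnet to any in via $iface layer2"
}

gen_pair_rules em0 192.168.1.0/24 1000
```

Note that this only stops a client who changes one half of the pair; a host that spoofs both the MAC and the IP of a listed machine still matches, which is why the reply above points to an authenticated link such as PPPoE.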