From: Stephen GL
To: AT Matik, freebsd-ipfw@freebsd.org
Cc: Stephen GL
Date: Fri, 7 Sep 2007 21:40:29 -0700 (PDT)
Subject: Re: Allow only match both mac address and IP address
Message-ID: <984691.90507.qm@web56809.mail.re3.yahoo.com>
In-Reply-To: <200709071454.07445.asstec@matik.com.br>
List-Id: IPFW Technical Discussions (freebsd-ipfw@freebsd.org)

Thanks to Chris and JM, I did check the pair of IP and MAC right now.
My office has a small group of spoofers; so far they are IP address spoofers, who are already blocked as they have invalid MAC addresses. It's funny if you see them right now, still wondering why they can't get through. I realize that one day, soon, they will become experts at IP and MAC address spoofing. For Windows users, SMAC is too easy to find. I don't want them to laugh at me, as they laughed at me when I only blocked the IP address alone.

Is there another (additional) way that IPFW can check against a fake interface? Don't tell me about OS fingerprinting; I know that it is in fact changeable by a known valid user. And also the CGI login; some valid users I know are in fact friends of the spoofers.

Stephen

AT Matik wrote:

On Friday 07 September 2007 13:53:05 Chuck Swiger wrote:
> Stephen GL wrote:
> [ ... ]
> > I am very new to IPFW. I'm on FreeBSD 6.0.
> > My job is to pass anyone that has both a valid MAC and IP address.
> > At the beginning of my rules I check the valid MAC addresses that can get through.
> > If it passes, the next rule checks the IP address.
> > If it passes, he/she can get through.
> >
> > Everything works as expected. My problem is that the above rules don't
> > check MAC and IP address pairing. Assume someone spoofs another's MAC
> > address; they can pass by changing the IP address to another's.
>
> The way to deal with people who screw up your network by spoofing the MAC
> and IP address of another machine is to fire them or drop them as a
> customer, depending on the relationship.

a completely brilliant solution, technically brilliant, administratively brilliant, please accept my admiration ... but we want the customer's money and not drop them man ...

> However, if you really need to provide IP access to people whom you can't
> trust not to play such games, consider switching to something which
> requires authentication, such as PPPoE.

that then costs money for password capslock/lost/forgot/change support ...
and costs bandwidth overhead, or the customer gets less bandwidth than supposed to

back to the point: you need to run your server as a bridge; then you can drop traffic which is not an authorized MAC/IP pair, as in

    deny ip from any to any src-ip ${ip} layer2 not MAC any ${mac} recv ${nic}

JM

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
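The following script is an added example, written for this archive page; it is not JM's code and not part of the thread. It turns a list of authorised (IP, MAC) pairs into ipfw rules of the shape JM posted, and goes one step further than his single rule: for each pair it also emits the reverse check (the registered MAC sending from some other IP), and it validates the addresses before emitting anything, so a typo in the list cannot silently produce a rule that matches nothing. The pairs-file format ("ip mac", one per line), the interface name em0, the starting rule number 1000 and the assumption that clients use static addresses are all mine, not the thread's.

```shell
#!/bin/sh
# Added example, not code from the thread: generate ipfw layer-2
# "authorised MAC/IP pair" deny rules in the shape JM posted, one pair per
# line, so the whole list can be loaded with `ipfw -q <file>`.
# Assumptions (not in the thread): the pairs-file format "ip mac", the
# interface name em0, the starting rule number, and static addressing on
# the clients (a registered MAC sending from 0.0.0.0, e.g. DHCP, is denied).

NIC=${NIC:-em0}      # interface the client frames are received on (assumption)
BASE=${BASE:-1000}   # first rule number to use (assumption)

# Constructed sample of authorised pairs; lines starting with # are skipped.
PAIRS='# ip          mac
192.0.2.10 00:11:22:33:44:55
192.0.2.11 00:11:22:33:44:66'

# Accept only dotted-quad IPv4 and colon-separated MAC addresses.
valid_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Two deny rules per pair, matched on the layer-2 pass only:
#   1. the registered IP arrives from any MAC other than its registered one
#   2. the registered MAC sends from any IP other than its registered one
pair_rules() {
    ip=$1 mac=$2 num=$3
    printf 'add %d deny ip from any to any src-ip %s layer2 not MAC any %s recv %s\n' \
        "$num" "$ip" "$mac" "$NIC"
    printf 'add %d deny ip from any to any not src-ip %s layer2 MAC any %s recv %s\n' \
        "$((num + 1))" "$ip" "$mac" "$NIC"
}

# Read "ip mac" lines on stdin and emit the rules, numbering from BASE in
# steps of two. Malformed lines are reported on stderr and skipped.
gen_rules() {
    n=$BASE
    while read -r ip mac _; do
        case $ip in ''|\#*) continue ;; esac
        if ! valid_ip "$ip" || ! valid_mac "$mac"; then
            printf 'skipping malformed pair: %s %s\n' "$ip" "$mac" >&2
            continue
        fi
        pair_rules "$ip" "$mac" "$n"
        n=$((n + 2))
    done
}

# Demo on the constructed sample. In use, redirect the output to a file
# (for example /etc/ipfw.pairs) and load it with: ipfw -q /etc/ipfw.pairs
printf '%s\n' "$PAIRS" | gen_rules
```

The generated rules must be numbered below the existing "allow valid MAC" / "allow valid IP" rules so that a mismatched pair is dropped before either allow can fire. Rules carrying the layer2 option only match on the layer-2 pass, which ipfw sees only when frames are handed to it at that level: per ipfw(8) and if_bridge(4) that is sysctl net.link.ether.ipfw=1 for frames on ordinary interfaces and net.link.bridge.ipfw=1 for frames crossing an if_bridge, which is the bridge setup JM refers to. Note also that these rules inspect IPv4 frames only (the proto is ip), so ARP traffic on the segment is not covered by them and has to be considered separately.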