From: "freebsd_daemon" <free.bsd@gmx.net>
To: ipfw@freebsd.org
Cc: lists@wm-access.no, vladone@spaingsm.com
Date: Fri, 23 Sep 2005 14:46:30 +0200 (MEST)
Subject: RE: blocking a host
Message-ID: <18703.1127479590@www80.gmx.net>
List-Id: IPFW Technical Discussions

// -----Original Message-----
// From: Sten Daniel Sørsdal [mailto:lists@wm-access.no]
// Sent: Friday, September 23, 2005 6:32 PM
// To: freebsd_daemon
// Subject: Re: blocking a host
//
// freebsd_daemon wrote:
// > is it possible to block a host with a known MAC address that is not using a
// > specific IP address. Something like:
// >
// > deny all from host with MAC = {aa:bb:cc:dd:ee:ff} if src-ip is not
// > ww:xx:yy:zz
// >
// > Or force a specific host to use a specific IP.
// >
// > The problem: I have some host on my network that does not allow DHCP service
// > to configure its network settings. That host manually assigns some IP it
// > likes to its interface causing collision.
//
// yes it is possible, but unless that host is connected directly to the
// freebsd router and is all alone on the broadcast domain it won't help the
// other hosts on that broadcast domain.
//
// why would you want such a host on your network? if you run an ISP of some
// sort and it's a customer who wants to steal static IPs. Why not give
// him one and charge extra? Or design the network better?
//
// --
// Sten Daniel Sørsdal

// -----Original Message-----
// From: vladone [mailto:vladone@spaingsm.com]
// Sent: Friday, September 23, 2005 8:08 PM
// To: freebsd_daemon
// Subject: Re: blocking a host
//
// This does not prevent this guy from causing that problem. U can block access on
// the server but he still has network access. U have two choices:
// 1. use cosh (no need to know the freebsd operating system :) )
// 2. use some authentication method to access the network (i recommend u pppoe)

well ... it is the new intern at the taipei/taiwan office. he is assigning addresses of the 192.168.1.x range (which is reserved for servers, vpn connections, ...) to his NIC. i told him to let DHCP configure his NIC (192.168.2.x are dynamic) but he just switches the 192.168.1.x addresses. i have been chasing him for a few days and want to bring it to an end.

i CANNOT block the addresses he assigns to his nic as they belong to servers, vpn connections, ... which obviously are needed.

i CANNOT kick him off the network totally (asked his boss in taipei/taiwan office) using MAC or so as he needs access to do his work.

therefore i want to secure the 192.168.1.x IPs by not letting him get traffic through by combining MAC with off-limit IPs such as:

block traffic if src-MAC = {interns MAC} and src-IP != {192.168.2.0/ff:ff:ff:00}

or something like that ...

zheyu

P.S.: What is "cosh"
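A concrete ipfw rule set for the MAC-plus-IP restriction zheyu asks for above, written here as an added example; it is not code from the thread or from the FreeBSD project. It assumes a hypothetical router interface em0, the placeholder MAC aa:bb:cc:dd:ee:ff from the original question as the intern's address, and 192.168.2.0/24 as the DHCP pool; the rule numbers are arbitrary. The rules match on the source MAC in layer-2 processing (which needs net.link.ether.ipfw=1), let DHCP requests from 0.0.0.0 through so the host can still take a lease, and drop any other IP traffic from that MAC whose source address is outside the pool. As Sten notes, this only affects frames that actually pass the FreeBSD host's interface; ARP collisions elsewhere on the broadcast domain are not stopped by it.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw layer-2 rules that drop IP traffic
# from one source MAC unless its IP source address lies in the DHCP pool.
# Hypothetical values: interface em0, MAC aa:bb:cc:dd:ee:ff, pool 192.168.2.0/24.

IFACE="${IFACE:-em0}"
INTERN_MAC="${INTERN_MAC:-aa:bb:cc:dd:ee:ff}"
DHCP_NET="${DHCP_NET:-192.168.2.0/24}"

# Emit the rule bodies, one per line. In ipfw the MAC option is
# "MAC dst-mac src-mac", so "MAC any <addr>" matches on the source MAC only.
mac_lock_rules() {
    printf '%s\n' \
      "add 90 allow udp from 0.0.0.0 68 to 255.255.255.255 67 MAC any ${INTERN_MAC} in via ${IFACE} layer2" \
      "add 100 deny ip from not ${DHCP_NET} to any MAC any ${INTERN_MAC} in via ${IFACE} layer2" \
      "add 110 allow ip from ${DHCP_NET} to any MAC any ${INTERN_MAC} in via ${IFACE} layer2"
}

# Number of rules emitted; handy for a sanity check before applying.
mac_lock_rule_count() {
    mac_lock_rules | wc -l | tr -d ' '
}

# Default is a dry run that prints the commands; pass --apply on the router
# itself (as root) to enable layer-2 filtering and install the rules.
if [ "${1:-}" = "--apply" ]; then
    sysctl net.link.ether.ipfw=1
    # shellcheck disable=SC2086  # word splitting of $rule is intended here
    mac_lock_rules | while read -r rule; do ipfw $rule; done
else
    echo "# dry run; run with --apply on the FreeBSD router to install:"
    echo "sysctl net.link.ether.ipfw=1"
    mac_lock_rules | sed 's/^/ipfw /'
fi
```

Rule 90 must precede rule 100 because a DHCP DISCOVER carries source 0.0.0.0, which the deny rule would otherwise catch; rule 110 is explicit so that frames from the MAC with a valid pool address do not fall through to whatever the rest of the rule set does with layer-2 traffic.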