Date:      Mon, 14 Feb 2005 16:18:47 -0600 (CST)
From:      Chris Dillon <cdillon@wolves.k12.mo.us>
To:        Artem Kuchin <matrix@itlegion.ru>
Cc:        freebsd-stable@FreeBSD.ORG
Subject:   Re: How to make ipfw consider MAC-IP match?
Message-ID:  <20050214161017.G42760@duey.wolves.k12.mo.us>
In-Reply-To: <024501c512e0$aa382e30$0c00a8c0@artem>
References:  <200502142022.j1EKMl5R092740@lurza.secnetix.de> <20050214145543.L42760@duey.wolves.k12.mo.us> <024501c512e0$aa382e30$0c00a8c0@artem>

On Tue, 15 Feb 2005, Artem Kuchin wrote:

> Chris Dillon <cdillon@wolves.k12.mo.us> wrote:
>> On Mon, 14 Feb 2005, Artem Kuchin wrote:
>> 
>>> I have a table with ethernet (MAC) addresses matching IPs. It is
>>> used to build the dhcp config file. But regardless of that any user can
>>> assign his neighbour's IPs while that PC is turned off and use it to
>>> access the internet. The local IPs are 192.168. and are behind natd. I
>>> am running 5.3-STABLE and have heard that ipfw2 can in some way use
>>> MAC addresses, but how do I set up ipfw in such a way that it allows a
>>> certain IP only from one and only one MAC address? I hope you are
>>> getting my idea.
>> 
>> What you probably want is static ARP entries.
>> 
>> arp -s 192.168.1.1 00:11:22:33:44:55
>> 
>> But that still won't stop someone from changing their IP address and
>> MAC address to match, it just makes it harder.  To prevent that kind
>> of thing you need to use 802.1x authentication or maybe even PPPoE.
>
> Um.. I have just read a tutorial about PPPoE and did not find anything about
> matching IP and MAC addresses.  So, if I use PPPoE I still need to do
> static ARP

You wouldn't need or want static ARP with PPPoE.  You do 
authentication with PPPoE using usernames and encrypted passwords. 
Therefore no "stealing" unless someone figures out someone else's 
username and password.

> (I did not understand how somebody can match MAC and IP with 
> static ARP except that he actually gets the physical NIC from 
> somebody's computer).

Because you can change the MAC address of your NIC to match someone 
else's very easily.  Here's how in FreeBSD:

ifconfig fxp0 link 00:11:22:33:44:55

It's that easy...

> Also, as I see, users on PPPoE can log in from any computer and get 
> their IP address. It will not work because of static ARP, but still, 
> they are getting their address. And the last thing: if I am to 
> migrate to PPPoE this basically means I will need to give up DHCP, 
> because PPP will serve IPs, not DHCP. Right?

Correct.  Users don't even have to have static IPs.  They can be 
assigned from a pool of IP addresses by the PPPoE server once they 
have authenticated.

> And now the theory question. While I am running a pppoe server on some 
> ethernet interface, what disallows any user from using that interface as 
> an IP gateway without any pppoe? Just assign themselves an IP, 
> ignoring pppoe and using the server as a gateway. I am probably 
> missing some point here.

You can have the Ethernet interface you are doing PPPoE with also have 
an IP address and act as a standard gateway if you really want to, 
which would be good for transitioning purposes until everybody is 
using PPPoE, but once that is done you can remove the IP address from 
the interface and PPPoE will be the only choice.

-- 
  Chris Dillon - cdillon(at)wolves.k12.mo.us
  FreeBSD: The fastest, most open, and most stable OS on the planet
  - Available for IA32, IA64, AMD64, PC98, Alpha, and UltraSPARC architectures
  - PowerPC, ARM, MIPS, and S/390 under development
  - http://www.freebsd.org

Q: Because it reverses the logical flow of conversation.
A: Why is putting a reply at the top of the message frowned upon?
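As an added example for the question that opened this thread (not code from the original message or from FreeBSD), here is a small sh script that turns the poster's IP-to-MAC table into the static ARP entries suggested above plus ipfw2 layer-2 rules that accept each address only from its registered MAC. The interface name fxp0, the rule numbers and the table contents are made up; the ipfw rule syntax follows my reading of ipfw(8) for the 5.x ipfw2 and should be checked against the local man page before use. The script only prints the commands so they can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example, not from the original thread: turn an "ip mac" table
# (the same one used to build the dhcpd config) into the static ARP
# entries suggested above plus ipfw2 layer-2 rules that accept each IP only
# from its registered MAC. Interface name, rule numbers and the sample
# table are assumptions; nothing is applied, commands are only printed.

# Constructed sample table: "ip mac" per line, '#' starts a comment.
SAMPLE_TABLE='# ip            mac
192.168.0.10    00:11:22:33:44:55
192.168.0.11    00:11:22:33:44:56
192.168.0.12    AA-BB-CC-DD-EE-FF   # Windows-style separators
192.168.0.13    00:11:22:33:44      # malformed (five octets), must be skipped
'

# norm_mac MAC: print the address as lower-case colon-separated octets,
# or return 1 if it is not exactly six hex octets.
norm_mac() {
    m=$(printf '%s' "$1" | tr 'ABCDEF-' 'abcdef:')
    case "$m" in
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f])
            printf '%s\n' "$m" ;;
        *)
            return 1 ;;
    esac
}

# gen_rules IFACE FIRST_RULE < table: emit arp(8) and ipfw(8) commands.
gen_rules() {
    iface=$1
    n=$2
    # Without this sysctl ipfw never sees Ethernet frames, so MAC rules
    # and the "layer2" keyword would silently match nothing.
    printf 'sysctl net.link.ether.ipfw=1\n'
    while read -r ip mac rest; do
        case "$ip" in
            '' | '#'*) continue ;;
        esac
        if ! m=$(norm_mac "$mac"); then
            printf 'skipping malformed entry: %s %s\n' "$ip" "$mac" >&2
            continue
        fi
        # Static ARP: the gateway will only ever send this IP's traffic to
        # this MAC, whatever ARP replies a squatter sends.
        printf 'arp -s %s %s\n' "$ip" "$m"
        # Layer-2 ipfw: frames from this IP are accepted only when the
        # source MAC matches; the same IP from any other MAC is then dropped.
        printf 'ipfw add %d allow ip from %s to any MAC any %s in recv %s layer2\n' \
            "$n" "$ip" "$m" "$iface"
        printf 'ipfw add %d deny ip from %s to any in recv %s layer2\n' \
            "$((n + 1))" "$ip" "$iface"
        n=$((n + 2))
    done
}

# sample_rules: run the generator over the constructed table.
sample_rules() {
    printf '%s' "$SAMPLE_TABLE" | gen_rules fxp0 1000
}

sample_rules
```

Two caveats belong with this. First, as the reply above says, it only raises the bar: `ifconfig fxp0 link ...` on the squatter's machine defeats both the static ARP entry and the MAC rule. Second, once net.link.ether.ipfw is set every frame, ARP included, passes through ipfw, so a rule permitting ARP and other non-IP frames must come before any catch-all deny, and addresses from the local net that are not in the table still need their own deny rule if they are not to reach natd.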



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050214161017.G42760>