blocking a host

freebsd_daemon free.bsd at gmx.net
Fri Sep 23 05:46:32 PDT 2005


// -----Original Message-----
// From: Sten Daniel Sørsdal [mailto:lists at wm-access.no]
// Sent: Friday, September 23, 2005 6:32 PM
// To: freebsd_daemon
// Subject: Re: blocking a host
// 
// freebsd_daemon wrote:
// > is it possible to block a host with a known MAC address that is not
// > using a specific IP address. Something like:
// >
// > deny all from host with MAC = {aa:bb:cc:dd:ee:ff} if src-ip is not
// > ww:xx:yy:zz
// >
// > Or force a specific host to use a specific IP.
// >
// > The problem: I have some host on my network that does not allow DHCP
// > service to configure its network settings. That host manually assigns
// > some IP it likes to its interface, causing collisions.
// 
// yes it is possible, but unless that host is connected directly to the
// freebsd router and is all alone on the broadcast domain it won't help the
// other hosts on that broadcast domain.
// 
// why would you want such a host on your network? if you run an ISP of some
// sort and it's a customer who wants to steal static IPs, why not give
// him one and charge extra? Or design the network better?
// 
// --
// Sten Daniel Sørsdal


// -----Original Message-----
// From: vladone [mailto:vladone at spaingsm.com]
// Sent: Friday, September 23, 2005 8:08 PM
// To: freebsd_daemon
// Subject: Re: blocking a host
// 
// This does not prevent this guy from causing that problem. You can block access on
// the server but he still has network access. You have two choices:
// 1. use cosh (no need to know the FreeBSD operating system :) )
// 2. use some authentication method to access the network (I recommend PPPoE)

well ... it is the new intern at the taipei/taiwan office

he is assigning addresses from the 192.168.1.x range to his NIC (which is reserved
for servers, vpn connections, ...). I told him to let DHCP configure his NIC
(192.168.2.x are dynamic) but he just switches between 192.168.1.x addresses. I
have been chasing him for a few days and want to bring it to an end.

I CANNOT block the addresses he assigns to his NIC as they belong to
servers, vpn connections, ... which obviously are needed.

I CANNOT kick him off the network totally (asked his boss in the taipei/taiwan
office) using MAC or so, as he needs access to do his work.

therefore I want to secure the 192.168.1.x IPs by not letting him get traffic
through, by combining MAC with off-limit IPs such as:

block traffic if src-MAC = {interns MAC} and src-IP !=
{192.168.2.0/ff:ff:ff:00}

or something like that ...

zheyu

P.S.: What is "cosh"

-- 
5 GB Mailbox, 50 FreeSMS http://www.gmx.net/de/go/promail
+++ GMX - the first address for Mail, Message, More +++
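The pseudo-rule zheyu sketches can be written in real ipfw(8) syntax. The script below is an added example, not code from the thread or from FreeBSD; the interface name `fxp0`, the rule numbers starting at 1000 and the MAC `00:11:22:33:44:55` are placeholders. It emits the commands rather than running them so they can be reviewed first, and it keeps the intern's DHCP exchange working (DHCP DISCOVER/REQUEST frames carry source IP 0.0.0.0, which a plain "source IP not in 192.168.2.0/24" rule would drop). Note Sten's caveat still applies: ipfw only sees frames that enter the FreeBSD box, so if the intern shares a switch with the 192.168.1.x servers his bogus ARP replies still collide with theirs on that segment; the rule only stops his packets from getting through the router.

```shell
#!/bin/sh
# Added example, not from the thread: emit the ipfw(8) rules that pin one
# MAC address to one subnet.  Interface, rule numbers and the MAC below are
# placeholders chosen for illustration.

# intern_rules MAC NET IFACE [BASE]
# Prints the commands that drop IP traffic entering IFACE with source MAC
# equal to MAC unless its source IP lies inside NET.  Pipe into sh to apply.
intern_rules() {
    mac=$1; net=$2; ifp=$3; base=${4:-1000}

    # The MAC option only matches on the layer-2 pass, which is off by default.
    echo "sysctl net.link.ether.ipfw=1"

    # He must still be able to obtain a DHCP lease: DISCOVER/REQUEST frames
    # have source IP 0.0.0.0, which is outside NET and would otherwise be dropped.
    echo "ipfw add $base allow udp from 0.0.0.0 68 to 255.255.255.255 67 MAC any $mac layer2 in via $ifp"

    # Anything else from his MAC with a source IP outside NET is dropped and
    # logged (rate limited to 100 lines) so the attempts show up in the log.
    echo "ipfw add $((base + 1)) deny log logamount 100 ip from not $net to any MAC any $mac layer2 in via $ifp"
}

# Review the output first, then apply with:  intern_rules ... | sh
intern_rules 00:11:22:33:44:55 192.168.2.0/24 fxp0 1000
```

Two things to check before applying: the base number must be lower than any existing broad `allow` rule, or the deny never gets evaluated; and once `net.link.ether.ipfw` is on, every frame traverses the rule set twice (once as a layer-2 packet, once as IP), so existing rules that should fire only on one pass need `layer2` or `not layer2` added.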


More information about the freebsd-ipfw mailing list