blocking a host
freebsd_daemon
free.bsd at gmx.net
Fri Sep 23 05:46:32 PDT 2005
// -----Original Message-----
// From: Sten Daniel Sørsdal [mailto:lists at wm-access.no]
// Sent: Friday, September 23, 2005 6:32 PM
// To: freebsd_daemon
// Subject: Re: blocking a host
//
// freebsd_daemon wrote:
// > is it possible to block a host with a known MAC address that is not using a
// > specific IP address. Something like:
// >
// > deny all from host with MAC = {aa:bb:cc:dd:ee:ff} if src-ip is not
// > ww:xx:yy:zz
// >
// > Or force a specific host to use a specific IP.
// >
// > The problem: I have some host on my network that does not allow DHCP service
// > to configure its network settings. That host manually assigns some IP it
// > likes to its interface causing collision.
//
// yes it is possible, but unless that host is connected directly to the
// freebsd router and is all alone on the broadcast domain it won't help the
// other hosts on that broadcast domain.
//
// why would you want such a host on your network? if you run an isp of some
// sort and it's a customer who wants to steal static IPs. Why not give
// him one and charge extra? Or design the network better?
//
// --
// Sten Daniel Sørsdal
// -----Original Message-----
// From: vladone [mailto:vladone at spaingsm.com]
// Sent: Friday, September 23, 2005 8:08 PM
// To: freebsd_daemon
// Subject: Re: blocking a host
//
// This does not prevent this guy from causing that problem. U can block access on
// server but he still has network access. U have two choices:
// 1. use cosh (no need to know freebsd operating system :) )
// 2. use some authentication method to access network (i recommend u pppoe)
well ... it is the new intern at the taipei/taiwan office
he is assigning addresses of the 192.168.1.x to his NIC (which is reserved
for servers, vpn connections, ...). i told him to let DHCP configure his NIC
(192.168.2.x are dynamic) but he just switches the 192.168.1.x addresses. i
have been chasing him for a few days and want to bring it to an end.
i CANNOT block the addresses he assigns to his nic as they belong to
servers, vpn connections, ... which obviously are needed.
i CANNOT kick him off the network totally (asked his boss in taipei/taiwan
office) using MAC or so as he needs access to do his work
therefore i want to secure the 192.168.1.x IPs by not letting him get traffic
through by combining MAC with off-limit IPs such as:
block traffic if src-MAC = {intern's MAC} and src-MAC !=
{192.168.2.0/ff:ff:ff:00}
or something like that ...
zheyu
P.S.: What is "cosh"?
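Added example, not part of the original message or of the replies quoted in it: one way to express the rule asked for above with ipfw's layer-2 matching (the "MAC" and "layer2" options, with sysctl net.link.ether.ipfw=1 set). The rule number 1000, the function names and the IPFW override variable are assumptions made for this example; the MAC is the placeholder used in the thread. As the quoted reply points out, such a rule only affects frames that pass through the FreeBSD box.

```shell
#!/bin/sh
# Added example: drop IP packets from one MAC address unless the source IP
# lies inside the network that MAC is allowed to use.
# Prerequisite on the FreeBSD router: sysctl net.link.ether.ipfw=1
# (without it, Ethernet frames are never handed to ipfw for layer-2 rules).

# Assumption for this example: IPFW=echo gives a dry run that prints the rule.
IPFW="${IPFW:-ipfw}"

# valid_mac MAC: succeeds for six colon-separated hex octets.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# valid_cidr NET/LEN: shape check for an IPv4 network in CIDR form.
valid_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# pin_mac_to_net RULENUM MAC ALLOWED_NET
# Refuses malformed input so a typo cannot turn into an overly broad rule.
pin_mac_to_net() {
    rulenum=$1 mac=$2 net=$3
    valid_mac "$mac"  || { echo "bad MAC: $mac" >&2; return 1; }
    valid_cidr "$net" || { echo "bad network: $net" >&2; return 1; }
    # The MAC option takes the destination first, then the source;
    # "any" leaves the destination MAC unconstrained.
    $IPFW add "$rulenum" deny ip from not "$net" to any MAC any "$mac" layer2
}

# Usage on the router (values from the thread; rule number is constructed):
#   pin_mac_to_net 1000 aa:bb:cc:dd:ee:ff 192.168.2.0/24
```

The rule matches IP packets only, so ARP announcements for a reserved address still reach the other hosts on the same segment.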
More information about the freebsd-ipfw mailing list