MAC locking and filtering in FreeBSD
Stefan Lambrev
stefan.lambrev at moneybookers.com
Wed May 13 19:14:56 UTC 2009
Hi,
On May 13, 2009, at 10:03 PM, Brett Glass wrote:
> Stefan:
>
> You are correct: This is not real security. In fact, I would argue
> that it's not security at all.
>
> But many businesses that have to maintain hotspots -- especially
> some hotel chains -- are "allergic" to any sort of serious security.
> This is because a small but vocal subset of their customers just
> want to get on the Net and complain about any sort of security. Even
> having to enter a password or a WEP key irks them. (I personally
> think that these people are ignorant fools and are setting
> themselves up for identity theft and worse, but that's just me. And
> the businesses seem more willing to allow piracy of their Wi-Fi than
> to irritate these boneheads.) Also, these systems have to be usable
> by some fairly lame devices -- e.g. an XBox -- that aren't really
> computers and don't have the capability to run secure protocols or
> even a particularly good Web browser built in.
>
> So, painful as it is, I have to help these guys implement systems
> which "bless" MAC addresses. The "arp -s" command can sort of lock
> an IP to a MAC address, but awkwardly and only for outbound packets.
> What I'd like is to get this into the firewall, so I can not only
> block spoofing but trigger a log entry when it happens.
I think /usr/ports/net-mgmt/arpwatch will be helpful then, though I
never used it on wireless.
Not that I understand how "knowing" the MAC address is easier for
customers than a WPA2 password ;)
>
> --Brett
>
> At 12:46 PM 5/13/2009, Stefan Lambrev wrote:
>
>> Hi,
>>
>> arp -S (or -s) is not helping?
>> Have in mind that this is not real security, as it's very easy to
>> change your MAC.
>>
>> On May 13, 2009, at 7:48 PM, Brett Glass wrote:
>>
>>> I need to find a way to do "MAC address locking" in FreeBSD --
>>> that is, to ensure that only a machine with a particular MAC
>>> address can use a particular IP address. Unfortunately, it appears
>>> that rules in FreeBSD's IPFW are "stuck" on one layer: rules that
>>> look at Layer 2 information in a packet can't look at Layer 3, and
>>> vice versa. Is there a way to work around this to do MAC address
>>> locking and/or other functions that involve looking at Layer 2 and
>>> Layer 3 simultaneously?
>>>
>>> --Brett Glass
>>>
>>
>> --
>> Best Wishes,
>> Stefan Lambrev
>> ICQ# 24134177
--
Best Wishes,
Stefan Lambrev
ICQ# 24134177
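An added example, not from this thread or from arpwatch itself: a minimal arpwatch-style check that parses `arp -an` output, compares each resolved entry against a "blessed" IP-to-MAC list, and reports unknown IPs and MAC mismatches so they can be logged. The sample ARP output and the allowlist are constructed here; the line format follows FreeBSD's arp(8) output but is an assumption, not a captured table.

```python
import re

# Constructed sample of FreeBSD `arp -an` output (not a real capture).
SAMPLE_ARP_OUTPUT = """\
? (10.0.0.1) at 00:11:22:33:44:01 on em0 permanent [ethernet]
? (10.0.0.20) at 00:11:22:33:44:20 on em0 expires in 1176 seconds [ethernet]
? (10.0.0.21) at aa:bb:cc:dd:ee:ff on em0 expires in 600 seconds [ethernet]
? (10.0.0.22) at (incomplete) on em0 expired [ethernet]
? (10.0.0.99) at 0:11:22:33:44:99 on em0 expires in 900 seconds [ethernet]
"""

# Hypothetical allowlist of "blessed" IP -> MAC bindings for the hotspot.
BLESSED = {
    "10.0.0.1": "00:11:22:33:44:01",
    "10.0.0.20": "00:11:22:33:44:20",
    "10.0.0.21": "00:11:22:33:44:21",
}

# Matches the leading part of one arp(8) line: "? (ip) at mac on ifname ..."
ARP_LINE = re.compile(r"^\S+ \((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]+|\(incomplete\)) on (?P<ifname>\S+)")

def normalize_mac(mac):
    """Lower-case and zero-pad each octet so '0:11:...' and '00:11:...' compare equal."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))

def parse_arp(text):
    """Return {ip: (mac, ifname)} for resolved entries; incomplete entries are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m is None or m.group("mac") == "(incomplete)":
            continue
        entries[m.group("ip")] = (normalize_mac(m.group("mac")), m.group("ifname"))
    return entries

def check_bindings(entries, blessed):
    """Compare observed bindings with the allowlist; return (kind, ip, mac, ifname) findings."""
    findings = []
    for ip, (mac, ifname) in entries.items():
        expected = blessed.get(ip)
        if expected is None:
            findings.append(("unknown-ip", ip, mac, ifname))
        elif normalize_mac(expected) != mac:
            findings.append(("mac-mismatch", ip, mac, ifname))
    return findings

if __name__ == "__main__":
    # In practice feed this the real output of `arp -an` and send the lines to syslog.
    for kind, ip, mac, ifname in check_bindings(parse_arp(SAMPLE_ARP_OUTPUT), BLESSED):
        print(f"{kind}: {ip} seen at {mac} on {ifname}")
```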