IPFW firewall rule in mpd pppoe server to single pc behind router
Gloomy Group
gloomygroup at hotmail.com
Sat Dec 20 17:08:19 PST 2008
Is there anything like setting the TTL value to 1, like Linux iptables has?
> Date: Fri, 19 Dec 2008 14:35:47 +1100
> From: smithi at nimnet.asn.au
> To: gloomygroup at hotmail.com
> CC: ipfw at freebsd.org
> Subject: RE: IPFW firewall rule in mpd pppoe server to single pc behind router
>
> On Fri, 19 Dec 2008, Gloomy Group wrote:
> > Hello Ian,
> >
> > I have implemented traffic shaping with a dummynet pipe. But I want
> > to strictly control the internet sharing to a single pc. Is there another
> > way of allowing it, like MAC address restricting to 2 pcs coming from that
> > source ip?
> >
> > > Date: Thu, 18 Dec 2008 20:57:36 +1100
> > > From: smithi at nimnet.asn.au
> > > To: gloomygroup at hotmail.com
> > > CC: freebsd-ipfw at freebsd.org
> > > Subject: Re: IPFW firewall rule in mpd pppoe server to single pc behind router
> > >
> > > On Thu, 18 Dec 2008, Gloomy Group wrote:
> > > > I have a freebsd mpd pppoe server. Users connect to the internet by giving
> > > > a username and password. My problem is some users put in a router and share
> > > > the internet connection with other pcs. Is it possible to disable internet
> > > > sharing in the server by rate limiting with ipfw firewall scripts, so
> > > > that if users keep a router or do nat on their pc to share the internet
> > > > then only a single pc can access the internet? Is it possible?
> > >
> > > Detecting that a connection is shared using NAT? Not that I know of.
> > >
> > > Rate limiting per connection with dummynet pipes, easy enough. If you
> > > limit the bandwidth, why would you need to care how many pcs share it?
>
> Not that I know of.
>
> You're only going to see the MAC address of a directly connected system,
> not those of any other box connected to the first one's other interface,
> even if you are able to do ARP over PPPoE.
>
> This is more people-policy stuff I think, unlikely to have a technical
> solution. Some ISPs tell people they're not permitted to use NAT, but
> I've not heard of any way of actually and reliably detecting its use.
>
> One way to block use of the particular form of NAT implemented in M$ XP
> is to give users addresses in the 192.168.0.x range, with 192.168.0.1 as
> (your end's) gateway address .. since this latter address is forcibly
> assigned to the NAT box's inside interface by XP's 'internet connection
> sharing' .. but there are other NAT systems for windows users out there.
>
> Others may know more than I do about this, of course .. if you wish to
> pursue it further, net at freebsd.org would be the more appropriate list.
>
> cheers, Ian
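The per-connection dummynet rate limiting Ian mentions, as an added example that is not part of the thread: each mpd PPPoE session shows up as its own ngN interface, so one pipe per direction with a per-address mask gives every subscriber an independent queue without needing a rule per user. The bandwidths and rule numbers are assumptions; the script prints the ipfw commands so they can be reviewed before being piped to sh on the gateway.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Per-subscriber rate limit
# for an mpd PPPoE server using dummynet. Values below are assumptions.
UP_BW=${UP_BW:-256Kbit/s}
DOWN_BW=${DOWN_BW:-1Mbit/s}

# Print the ipfw commands for the ruleset (apply with: sh this.sh | sh).
# mask src-ip/dst-ip 0xffffffff makes dummynet create one dynamic queue per
# subscriber address, so the limit applies per session, not to the aggregate.
# "recv ng*" / "xmit ng*" match any ngN interface, i.e. any PPPoE session.
ipfw_ratelimit_rules() {
    up=$1
    down=$2
    cat <<EOF
ipfw pipe 1 config bw $up mask src-ip 0xffffffff
ipfw pipe 2 config bw $down mask dst-ip 0xffffffff
ipfw add 1000 pipe 1 ip from any to any in recv ng*
ipfw add 1010 pipe 2 ip from any to any out xmit ng*
EOF
}

ipfw_ratelimit_rules "$UP_BW" "$DOWN_BW"
```

Note that with the default net.inet.ip.fw.one_pass=1 a packet leaves the ruleset after the pipe, so these rules should sit before any later accept rules that would otherwise also match.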