IPFW firewall rule in mpd pppoe server to single pc behind router

Gloomy Group gloomygroup at hotmail.com
Sat Dec 20 17:08:19 PST 2008


Is there anything like setting the TTL value to 1, like Linux iptables has?

> Date: Fri, 19 Dec 2008 14:35:47 +1100
> From: smithi at nimnet.asn.au
> To: gloomygroup at hotmail.com
> CC: ipfw at freebsd.org
> Subject: RE: IPFW firewall rule in mpd pppoe server to single pc behind router
> 
> On Fri, 19 Dec 2008, Gloomy Group wrote:
>  > Hello Ian,
>  >   
>  >  I have implemented traffic shaping with a dummynet pipe. But I want 
>  > to strictly control the internet sharing to a single pc. Is there another 
>  > way of allowing it, like MAC address restricting to 2 pcs coming from that 
>  > source ip?
>  > 
>  > > Date: Thu, 18 Dec 2008 20:57:36 +1100
>  > > From: smithi at nimnet.asn.au
>  > > To: gloomygroup at hotmail.com
>  > > CC: freebsd-ipfw at freebsd.org
>  > > Subject: Re: IPFW firewall rule in mpd pppoe server to single pc behind router
>  > > 
>  > > On Thu, 18 Dec 2008, Gloomy Group wrote:
>  > >  >  I have a freebsd mpd pppoe server. Users connect to the internet by giving 
>  > >  > a username and password. My problem is some users put in a router and share 
>  > >  > the internet connection with other pcs. Is it possible to disable internet 
>  > >  > sharing in the server by rate limiting with ipfw firewall scripts? So 
>  > >  > that if users keep a router or do nat in their pc to share the internet, 
>  > >  > then only a single pc can access the internet. Is it possible?
>  > > 
>  > > Detecting that a connection is shared using NAT?  Not that I know of.
>  > > 
>  > > Rate limiting per connection with dummynet pipes, easy enough.  If you 
>  > > limit the bandwidth, why would you need to care how many pcs share it?
> 
> Not that I know of.
> 
> You're only going to see the MAC address of a directly connected system, 
> not those of any other box connected to the first one's other interface, 
> even if you are able to do ARP over PPPoE.
> 
> This is more people-policy stuff I think, unlikely to have a technical 
> solution.  Some ISPs tell people they're not permitted to use NAT, but 
> I've not heard of any way of actually and reliably detecting its use.
> 
> One way to block use of the particular form of NAT implemented in M$ XP 
> is to give users addresses in the 192.168.0.x range, with 192.168.0.1 as 
> (your end's) gateway address .. since this latter address is forcibly 
> assigned to the NAT box's inside interface by XP's 'internet connection 
> sharing' .. but there are other NAT systems for windows users out there.
> 
> Others may know more than I do about this, of course .. if you wish to 
> pursue it further, net at freebsd.org would be the more appropriate list.
> 
> cheers, Ian
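The per-session dummynet limiting Ian describes, as an added example that is not part of this thread or of mpd's own scripts. It assumes mpd5's `set iface up-script` and `set iface down-script` hooks, which invoke the script with `iface proto local-ip remote-ip authname` as the leading arguments, and that both hooks point at this one file through symlinks named linkup and linkdown; the IPFW and BW variables, the pipe numbering and the ng(4) interface naming are the example's own assumptions.

```shell
#!/bin/sh
# Per-session dummynet rate limit, installed and removed from mpd's
# link up/down hooks.  Example code, not mpd's own scripts.
# Assumptions (not from the thread):
#   - mpd calls the script as: <iface> <proto> <local-ip> <remote-ip> <authname> ...
#   - mpd.conf points up-script at .../linkup and down-script at
#     .../linkdown, both symlinks to this file
#   - IPFW may be overridden (IPFW=echo) to print rules instead of loading them
IPFW="${IPFW:-/sbin/ipfw}"
BW="${BW:-512Kbit/s}"

# Map an mpd session interface ngN to N; reject anything that is not ng(4).
session_index() {
    idx="${1#ng}"
    case "$idx" in
        ''|*[!0-9]*) return 1 ;;
    esac
    echo "$idx"
}

# Two pipes per session (inbound and outbound) so the two directions do not
# share one bucket; the matching rules reuse the pipe numbers.
pipe_in()  { echo $((2000 + 2 * $1)); }
pipe_out() { echo $((2001 + 2 * $1)); }

mpd_linkup() {
    iface="$1" proto="$2"
    [ "$proto" = "inet" ] || return 0          # only shape the IPv4 link
    idx=$(session_index "$iface") || return 1
    pin=$(pipe_in "$idx"); pout=$(pipe_out "$idx")
    $IPFW pipe "$pin"  config bw "$BW"
    $IPFW pipe "$pout" config bw "$BW"
    # Every packet entering or leaving this PPP session goes through its
    # pipe, so a NAT router on the customer side shares the same limit
    # no matter how many hosts sit behind it.
    $IPFW add "$pin"  pipe "$pin"  ip from any to any in  via "$iface"
    $IPFW add "$pout" pipe "$pout" ip from any to any out via "$iface"
}

mpd_linkdown() {
    idx=$(session_index "$1") || return 1
    pin=$(pipe_in "$idx"); pout=$(pipe_out "$idx")
    $IPFW delete "$pin" "$pout"
    $IPFW pipe "$pin" delete
    $IPFW pipe "$pout" delete
}

# Dispatch on the name mpd invoked us by (linkup or linkdown symlink).
case "${0##*/}" in
    linkup)   mpd_linkup   "$@" ;;
    linkdown) mpd_linkdown "$@" ;;
esac
```

Run it with `IPFW=echo ./linkup ng3 inet 10.0.0.1 10.0.0.55 alice` to see the rules it would load for session ng3. This does not detect NAT; it makes the question moot in the way Ian suggests, since the whole customer side, routed or not, gets one bandwidth bucket per direction. With the default `net.inet.ip.fw.one_pass=1` a packet leaves the ruleset after its pipe, so any accept rules for the session must come before these if you want them to take effect on the way in.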


