MAC locking and filtering in FreeBSD
Ian Smith
smithi at nimnet.asn.au
Thu May 14 07:51:41 UTC 2009
On Thu, 14 May 2009, Brett Glass wrote:

> At 12:17 AM 5/14/2009, Ian Smith wrote:
>
> >You can use fixed leases with MAC specified in dhcp for that,
>
> This lets you assign specific addresses to machines with specific MAC
> addresses. But it doesn't inhibit MAC address "cloning," and the DHCP
> server cannot force a machine to use a specific IP or stop it from
> using one that was not assigned to it.

You can have it only issue a lease for a given IP to a machine with the
correct MAC, and issue no leases to any other machines; at least, that
works for us. Of course that can't prevent someone who a) knows the IP
address to MAC mapping, and b) can spoof the MAC address. I don't know
what could prevent that, but it's hardly the common scenario.

Then have ipfw refuse traffic from addresses other than those allowed.

> >Re ipfw(8), I'm not clear on what your problem is: the section PACKET
> >FLOW shows clearly how to distinguish layer 2 from layer 3 traffic.
>
> The problem is that you cannot test both the MAC address and the IP
> address in the same rule -- at least in the current implementation.

Assuming you have net.link.ether.ipfw=1 to get layer 2 packets, and are
separating your layer 2 packets for testing as shown under PACKET FLOW,
can you show us the rule to do just that, that isn't working right?

> >Your 'vice versa' here isn't correct; you can select by layer 3 criteria
> >on packets from ether_demux,
>
> The docs say that you can't.

Please point out where ipfw(8) says that?

cheers, Ian
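As an added illustration of the approach Ian describes (this script is not from the thread and is neither Ian's nor Brett's), here is a small sh script that emits an ipfw rule set binding each permitted LAN IP to one source MAC on the layer 2 pass. The interface name em0, the subnet 192.168.1.0/24 and the two MAC/IP pairs are constructed assumptions; net.link.ether.ipfw=1 is what makes Ethernet frames visit ipfw at all, and the `layer2` keyword keeps these rules from also matching on the separate layer 3 pass the same packet makes. Per pair it allows the frame only when the source IP and source MAC match together (the `MAC dst src` option takes destination first, hence `MAC any <src-mac>`), then refuses any other source IP from that MAC; a final rule refuses any other MAC claiming an address in the LAN subnet. Non-IP frames such as ARP, and DHCP discovers from source 0.0.0.0, are not matched by these rules and fall through to the rest of the rule set. As Ian notes, none of this stops a host that spoofs a known MAC along with its IP.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread.
# Emits ipfw rules that tie each allowed LAN IP to one source MAC on the
# layer 2 pass. Run with "show" to print the rules or "apply" to pipe them
# into sh on a FreeBSD host; anything else just defines the function.

IFACE="${IFACE:-em0}"           # assumption: LAN-facing interface
LAN="${LAN:-192.168.1.0/24}"    # assumption: LAN subnet

# Constructed sample mapping, one "src-mac ip" pair per line.
PAIRS='00:11:22:33:44:55 192.168.1.10
00:11:22:33:44:66 192.168.1.11'

# gen_rules [first-rule-number]: print the sysctl and ipfw commands.
# Each pair consumes two consecutive rule numbers; the closing deny
# for the whole subnet takes the next one.
gen_rules() {
    n=${1:-1000}
    # Without this sysctl ipfw never sees Ethernet frames at all.
    echo "sysctl net.link.ether.ipfw=1"
    while read -r mac ip; do
        [ -n "$mac" ] || continue
        # Accept the frame only when source IP and source MAC match together.
        echo "ipfw add $n allow ip from $ip to any MAC any $mac layer2 in via $IFACE"
        n=$((n + 1))
        # The same MAC presenting any other source IP is refused.
        echo "ipfw add $n deny ip from any to any MAC any $mac layer2 in via $IFACE"
        n=$((n + 1))
    done <<EOF
$PAIRS
EOF
    # Any other MAC claiming an address in the LAN subnet is refused.
    # Frames with a non-LAN source (e.g. DHCP discover from 0.0.0.0) and
    # non-IP frames such as ARP do not match and continue down the set.
    echo "ipfw add $n deny ip from $LAN to any layer2 in via $IFACE"
}

case "${1:-}" in
    show)  gen_rules 1000 ;;
    apply) gen_rules 1000 | sh ;;
esac
```

Because the generated rules carry `in via em0` as well as `layer2`, they only judge frames arriving from the LAN; outbound frames and the layer 3 pass are left to whatever rules already exist, so the block can be numbered into a gap of an existing rule set rather than replacing it.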