On Sun, Sep 07, 2003 at 06:24:52PM -0400, Lowell Gilbert wrote:
> Chuck Swiger <[EMAIL PROTECTED]> writes:
> > Colin Watson wrote:
> > [ ...rewrapped to 80-columns... ]
> > > Any way to bind a MAC address statically to an IP? I wish to do this to
> > > prevent a user from changing his IP address on the subnet, so if he does he
> > > can't pass traffic. I have experimented with ipfw, but I can't quite see how
> > > I could accomplish the binding of an IP statically to a nic's MAC. Any ideas
> > > would be appreciated.
> > 
> > IPFW2 lets you perform firewall actions on a MAC address, rather than an IP.
> > 
> > You can configure a DHCP server to statically allocate an IP address to
> > that machine via something like this in {/usr/local}/etc/dhcpd.conf:
> > 
> > host pi.codefab.com {
> >          hardware ethernet 00:00:00:00:00:00;
> >          fixed-address;
> > }
> To be complete:
> The arp(8) command does literally what was asked for.

no, it doesn't..  what it does - establishing static mapping from IP to
MAC address..  Now I'm facing the same problem as original poster - how
can I prevent users from changing their IP address to some other (from
the same subnet)?..  Let's say I have a network I have
few users - 192.168.1.{3,4,5}..  How can I prevent one user from
changing his ip from to  Now I see only one
solution - use 'arp' command to statically assign MACs to used IP
addresses and block traffic to unused IP addresses, but this looks a
little ugly :)  What I'd like is to be able to assign unused IP
addresses to some 'invalid' MAC address, so that my router responds with
'host unreachable' to incoming packets destined to these addresses..

but.. there would be a tradeoff between having a large arp table and
lots of firewall rules.
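
The approach described in the message above (static entries for the addresses in use, every unused address pointed at an "invalid" MAC), as an added example that is not part of the original thread: a script that writes the input file for `arp -f` on the router. The /24 size, the router sitting at .1, all MAC addresses and the placeholder MAC are constructed assumptions.

```shell
#!/bin/sh
# Added example: emit one "ip mac" line per host address in a /24 so the
# router holds a static ARP entry for every address, used or not.
# Load the result on the router with:  arp -f FILE

PREFIX="192.168.1"             # taken from the thread's 192.168.1.{3,4,5}
ROUTER_OCTET=1                 # assumption: the router's own address, skipped
DEAD_MAC="02:00:00:de:ad:00"   # constructed placeholder for unused addresses

# Constructed sample bindings, "last-octet MAC", one per line.
BINDINGS="3 02:00:00:00:00:03
4 02:00:00:00:00:04
5 02:00:00:00:00:05"

# gen_arp_file: validate BINDINGS, then print the full table on stdout.
# Returns non-zero (and prints nothing) if any binding line is malformed
# or an address is bound twice.
gen_arp_file() {
    printf '%s\n' "$BINDINGS" | awk -v p="$PREFIX" -v dead="$DEAD_MAC" \
        -v self="$ROUTER_OCTET" '
        BEGIN {
            h = "[0-9a-f][0-9a-f]"
            re = "^" h ":" h ":" h ":" h ":" h ":" h "$"
        }
        NF == 0 { next }
        {
            k = $1 + 0
            if (NF != 2 || $1 !~ /^[0-9]+$/ || k < 1 || k > 254 ||
                $2 !~ re || (k in mac)) {
                print "bad binding: " $0 > "/dev/stderr"
                bad = 1
                exit
            }
            mac[k] = $2
        }
        END {
            if (bad) exit 1
            for (i = 1; i <= 254; i++)
                if (i != self)
                    printf "%s.%d %s\n", p, i, (i in mac) ? mac[i] : dead
        }'
}

# Print the table only when asked, so the file can also be sourced.
case "${1:-}" in
    --print) gen_arp_file ;;
esac
```

This produces 253 static entries for a /24, which is the "large arp table" side of the tradeoff mentioned above.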
