On 28 Mar 2003 00:32:20 -0800, [EMAIL PROTECTED] (Doros Eracledes) wrote:
>Is there a way to make sure that only requests
>from a specific MAC address can access my
>pf-protected database server?
>Maybe if it's not possible using pf, I could use a level 1 switch?
>
>
Some Cisco switches and software revision levels support a concept called "Private VLAN" that allows you to define @ L2 which ports get to communicate with which ports in a VLAN structure.

Another potential way might be to prevent your database server from ARP'ing for IP addresses (I'm assuming your database communication is L3/IP, not L2 DLC frames, etc., etc.) and manually set the ARP resolution entries you're interested in with "arp -s <ip> <mac>" as a "!" entry in the /etc/hostname.if files. ARP requests go out as DLC broadcasts to all stations @ MAC address FF:FF:FF:FF:FF:FF, but the return response is a unicast L2 frame back to the sending NIC/host. I don't know if you can "stop" ARP broadcasts without some kernel hacking involved, since ARP is such a fundamental function of IP, but you may be able to configure some network switch to filter broadcasts out.

If your server's part of an HA cluster, this could be a no-no, as it may interfere with heartbeating <although most I've seen use a multicast broadcast MAC>. Turning ARP off can also be bad in many other ways <besides the fact you'll never speak IP without manual entries>; the last one I'll mention here is where servers will proxy-ARP for non-local IP addresses and, by RFC convention, the router will return an ARP reply with its IP address to assist in forwarding traffic. This is old and generally not used anymore, appearing as a "turn-this-off" item in lots of security documentation, for good reason, but I still see it on bad infrastructure I've tuned up.

I blabbed on about this because I find your problem quite compelling and interesting. :) Perhaps we should ask for a:

#define ULTRAPARANOID_TURN_ARP_OFF

somewhere in the kernel configs from the awesome OBSD dev team? I think I'll go through the V3.2 tree and see if I can roll a kernel with this in the test lab.

-T
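The static-ARP approach in the reply above, worked through as an added example (this is editor-supplied code, not from the thread or from the OpenBSD project). pf itself matches on IP/transport headers, not Ethernet addresses, so the MAC constraint has to come from the ARP layer or the switch. The script below prints the "!arp -s" lines for /etc/hostname.if and audits an "arp -an" table to confirm each pinned entry is present, permanent and carrying the expected MAC. The interface name, addresses, MACs and the sample tables are constructed placeholders; the output format is OpenBSD's, and older releases omit the trailing "on ifname ... static" words, which the audit does not depend on.

```shell
#!/bin/sh
# Added example, not code from the thread. Pins the database clients'
# IP->MAC mappings with static ARP entries (arp -s) and audits the live
# ARP table for drift. Interface, addresses and MACs are constructed.

DB_IF="fxp0"

# Expected client mappings as "ip=mac" tokens (constructed placeholders).
EXPECTED="10.0.0.20=00:50:56:aa:bb:01 10.0.0.21=00:50:56:aa:bb:02"

# Print the lines to append to /etc/hostname.$DB_IF. A leading "!" makes
# /etc/netstart run the rest of the line as a shell command at boot
# (see hostname.if(5)), so the pins survive a reboot.
hostname_if_lines() {
    for entry in $EXPECTED; do
        printf '!arp -s %s %s\n' "${entry%=*}" "${entry#*=}"
    done
}

# Audit an "arp -an" style table passed as $1. For each expected IP the
# entry must exist, carry the expected MAC and be marked permanent.
# Returns 0 when every pin is intact, 1 otherwise; findings go to stdout.
audit_arp() {
    table=$1
    rc=0
    for entry in $EXPECTED; do
        ip=${entry%=*}
        want=$(printf '%s' "${entry#*=}" | tr 'A-Z' 'a-z')
        # Fixed-string match on "(ip) at " so 10.0.0.2 never matches 10.0.0.20.
        line=$(printf '%s\n' "$table" | grep -F "($ip) at " || true)
        if [ -z "$line" ]; then
            echo "MISSING   $ip has no ARP entry"
            rc=1
            continue
        fi
        # Field 4 is the MAC (or "(incomplete)") in both old and new output.
        got=$(printf '%s\n' "$line" | awk '{print tolower($4)}')
        if [ "$got" != "$want" ]; then
            echo "MISMATCH  $ip is at $got, expected $want"
            rc=1
        fi
        case $line in
            *permanent*) ;;
            *) echo "DYNAMIC   $ip entry is not permanent (arp -s not applied?)"
               rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample tables in OpenBSD "arp -an" form.
SAMPLE_OK='? (10.0.0.20) at 00:50:56:aa:bb:01 on fxp0 permanent static
? (10.0.0.21) at 00:50:56:aa:bb:02 on fxp0 permanent static
? (10.0.0.1) at 00:00:0c:9f:f0:01 on fxp0'

# Here 10.0.0.21 has been learned dynamically from a different MAC.
SAMPLE_BAD='? (10.0.0.20) at 00:50:56:aa:bb:01 on fxp0 permanent static
? (10.0.0.21) at 00:0c:29:de:ad:ff on fxp0
? (10.0.0.1) at 00:00:0c:9f:f0:01 on fxp0'

# Stand-alone run: show the config lines, then audit both samples.
# On the real server replace the sample with: audit_arp "$(arp -an)"
hostname_if_lines
audit_arp "$SAMPLE_OK" && echo "sample OK: all pins intact"
audit_arp "$SAMPLE_BAD" || echo "sample BAD: drift detected"
```

Two caveats worth keeping in mind when using this. A static entry only controls where the server sends its frames for that IP: a host that spoofs the client's IP can still deliver packets to the server, but the server's replies (including the TCP SYN-ACK) go to the pinned MAC, so the spoofer needs to be able to see that traffic as well to complete a session. And a pinned entry is exactly what the audit expects to find; a finding of DYNAMIC after boot usually means the hostname.if line was never run, while MISMATCH on a pinned host means someone replaced the entry by hand rather than via a spoofed reply, since the kernel does not overwrite permanent entries from the wire.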
