----- Original Message -----
From: "Gerald Timothy Quimpo" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, June 12, 2003 4:24 AM
Subject: [plug] ip<==>mac mapping and duplicate ip DoS


> in the general case, is there some good solution to this?

iptables' --mac-source is the best solution for you


> it doesn't discourage them
> from causing a DoS for someone else.  if they can sit at a public
> client, they can actively DoS any other person they want just
> by setting that client's IP to the IP of the other person's
> personal PC.

no, it can't be done... for example:

iptables -A INPUT -s <source ip address of workstation 1> -m mac --mac-source <mac address of workstation 1> -j ACCEPT
iptables -A INPUT -s <source ip address of workstation 2> -m mac --mac-source <mac address of workstation 2> -j ACCEPT
iptables -A INPUT -j DROP

now if a person sets the ip address of workstation 2 to that of workstation 1, his/her
packets won't be allowed by the rules above...

unless he is clever or expert enough that, aside from changing the ip
address, he or she spoofs the mac address to circumvent the firewall rule...
but of course... if he or she did that, you can outsmart him or her by
having or buying a good switch that has a *port* security feature... port
security is a security feature of a switch where you can assign a mac address
to a specific port.. which means, for example, if port 1 is assigned to mac
address X, only mac address X is allowed to pass through port 1.. the rest is
denied..


> what tool could he use to determine what the mac addresses are
> of the two (or more) computers that have the same IP?

arpwatch.. arpwatch maintains a database of ethernet/ip address pairings...

> for some reason he's not ready to go with DHCP, although that
> would solve much of the problem (clients can still be used to
> DoS other clients, but it would be harder to target any particular
> person's computer since the IP numbers would not stay the
> same).

go for dhcp for easy administration... not only does dhcp assign dynamic ip
addresses, but dhcp can also assign static ip addresses based on the mac address
of that nic...

dhcp + iptables is a good solution for you as long as all the workstations'
gateway is your linux box :->

fooler.
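The reply above describes three pieces: per-workstation IP/MAC pairing rules in iptables with a default DROP, DHCP static leases keyed on the NIC's MAC, and arpwatch-style tracking of ethernet/ip pairings to spot a duplicate IP. The script below is an added example written for this thread, not code posted by fooler or shipped with any of those tools. It builds all three from one constructed host list: it emits the iptables rules (on INPUT and, because the reply assumes the Linux box is the workstations' gateway, also on FORWARD, restricted to an assumed LAN interface `eth0` so the DROP cannot lock out other interfaces), emits ISC dhcpd `host` stanzas with `hardware ethernet` / `fixed-address`, and reports any IP that two MACs have claimed in a constructed "ip mac" snapshot. The `02:00:00:...` MACs and `192.0.2.0/24` addresses are constructed sample values. Nothing is applied unless `APPLY=1`; by default the generated commands are only printed, which is also how the list can be reviewed before it goes live. One caveat worth knowing when deploying this: `--mac-source` matches the source MAC of the frame as the Linux box receives it, so it only identifies hosts on the same layer-2 segment; traffic that arrives through another router carries that router's MAC.

```shell
#!/bin/sh
# Added example for the thread above (not fooler's code, not from iptables,
# dhcpd or arpwatch).  Assumes: the Linux box is the LAN gateway on "eth0",
# ISC dhcpd configuration syntax, and iptables with the "mac" match module.

LAN_IF="${LAN_IF:-eth0}"   # assumed LAN-side interface

# Constructed host list: "ip mac hostname" per line (sample values, not real hosts).
HOSTS="192.0.2.11 02:00:00:00:00:11 ws1
192.0.2.12 02:00:00:00:00:12 ws2
192.0.2.13 02:00:00:00:00:13 ws3"

# Constructed snapshot of ethernet/ip pairings, the kind of data arpwatch keeps
# (arpwatch's own file format is not reproduced here).  192.0.2.11 is claimed
# by two MACs: the duplicate-IP situation the thread is about.
SEEN="192.0.2.11 02:00:00:00:00:11
192.0.2.12 02:00:00:00:00:12
192.0.2.11 02:00:00:00:00:99
192.0.2.13 02:00:00:00:00:13"

# A mistyped MAC would produce an ACCEPT that never matches, and the default
# DROP would then cut that workstation off, so validate before emitting rules.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# One ACCEPT per (ip, mac) pair on INPUT and FORWARD, then a default DROP on
# the LAN interface.  A host that only borrows another host's IP (and not its
# MAC) matches no ACCEPT rule and falls through to the DROP.
gen_iptables_rules() {
    while read -r ip mac name; do
        [ -n "$ip" ] || continue
        valid_mac "$mac" || { echo "bad MAC for $name: $mac" >&2; return 1; }
        for chain in INPUT FORWARD; do
            echo "iptables -A $chain -i $LAN_IF -s $ip -m mac --mac-source $mac -j ACCEPT"
        done
    done <<EOF
$HOSTS
EOF
    echo "iptables -A INPUT -i $LAN_IF -j DROP"
    echo "iptables -A FORWARD -i $LAN_IF -j DROP"
}

# Matching ISC dhcpd "host" stanzas: the same MAC always gets the same address,
# so the iptables pairing above and the DHCP lease cannot drift apart.
gen_dhcp_hosts() {
    while read -r ip mac name; do
        [ -n "$ip" ] || continue
        valid_mac "$mac" || return 1
        printf 'host %s {\n  hardware ethernet %s;\n  fixed-address %s;\n}\n' \
            "$name" "$mac" "$ip"
    done <<EOF
$HOSTS
EOF
}

# Report every IP that more than one MAC has been seen with, as "ip: mac mac".
ip_conflicts() {
    printf '%s\n' "$SEEN" | sort -u | awk '
        { n[$1]++; m[$1] = m[$1] " " $2 }
        END { for (ip in n) if (n[ip] > 1) print ip ":" m[ip] }'
}

# Apply the generated rules for real (requires root); default is print-only.
apply_rules() {
    gen_iptables_rules | while read -r cmd; do
        echo "+ $cmd"
        eval "$cmd"
    done
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_rules
else
    gen_iptables_rules
    gen_dhcp_hosts
    ip_conflicts
fi
```

Run it once without `APPLY` to review the rule set and the dhcpd stanzas, paste the stanzas into `dhcpd.conf`, and only then run with `APPLY=1` on the gateway. The conflict report is the check to run when two machines start answering for one address: the IP it prints is the one to look up against the host list to see which MAC is the legitimate owner.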




--
Philippine Linux Users' Group (PLUG) Mailing List
[EMAIL PROTECTED] (#PLUG @ irc.free.net.ph)
Official Website: http://plug.linux.org.ph
Searchable Archives: http://marc.free.net.ph
.
To leave, go to http://lists.q-linux.com/mailman/listinfo/plug
.
Are you a Linux newbie? To join the newbie list, go to
http://lists.q-linux.com/mailman/listinfo/ph-linux-newbie
