Re: pf by mac address?

2006-01-24 Thread Badbanchi Hossein
Hi,
If you don't want the hostile users know that you are shaping their packets 
in the way to Internet, you might want to make use of the Bridge facilities in 
OpenBSD.

There you can tag the packets merely based on their MAC, and then in higher 
layers have pf deal with those packets as you wish!

Regards,
Amir


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Benfell
Sent: Monday, January 23, 2006 06:09
To: misc@openbsd.org
Subject: pf by mac address?

Hello all,

Perhaps I'm looking for this the wrong way.  My local network now (and
hopefully temporarily) includes hostile users.  I may need to exercise
controls on their Internet usage by machine.

Now, I can certainly tell dhcpd to give certain machines certain IP
addresses by reference to their MAC address.  But that won't stop
these users from allocating their own IP address and essentially
bypassing dhcpd.

The environment includes a lot of wireless -- most users connect this
way.

So I'm thinking I'd like to be able to write packet filter rules based
on MAC address.  I'm not necessarily going to want to simply cut off
all their Internet access, but pf offers a lot of options to do what I
think I might want to do, if I can make rules by MAC address.  Traffic
shaping and additional rules about what ports they can access come to
mind.  Possibly other possibilities will come to your mind --
hopefully you see what I'm thinking.

Is it possible?

-- 
David Benfell, LCP
[EMAIL PROTECTED]
---
Resume available at http://www.parts-unknown.org/
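The bridge-tagging approach Amir describes, written out as an added example configuration that is not part of this thread: bridge(4) rules tag frames by source MAC, and pf then matches those frames with `tagged` for shaping and port policy. The interface names (fxp0 on the LAN/wireless side, fxp1 towards the Internet), the MAC address, the tag name HOSTILE and the bandwidth figures are all assumptions made up for the example, and brconfig(8) is the OpenBSD 3.x-era tool the thread would have used.

```conf
# Added example, not from the thread. Assumed: fxp0 = LAN/wireless side,
# fxp1 = Internet side, 00:11:22:33:44:55 = MAC of one machine to control.

# --- bridge(4) setup (brconfig(8) commands, run once at boot) ---
# ifconfig bridge0 create
# brconfig bridge0 add fxp0 add fxp1 up
# Frames from that MAC entering on fxp0 get the pf tag HOSTILE. The tag is
# internal to the box, so the user sees no difference on the wire.
# brconfig bridge0 rule pass in on fxp0 src 00:11:22:33:44:55 tag HOSTILE

# --- /etc/pf.conf: act on the tag at layer 3/4 ---
int_if = "fxp0"
ext_if = "fxp1"

# Traffic shaping (altq cbq): tagged hosts share a 10% slice of a 10 Mbit link.
altq on $ext_if cbq bandwidth 10Mb queue { std, hostile }
queue std     bandwidth 90% cbq(default)
queue hostile bandwidth 10% cbq

# Port policy for tagged hosts: log and drop outbound SMTP, allow only
# DNS and web, everything else from them is logged and dropped.
block in log quick on $int_if proto tcp to port 25 tagged HOSTILE
pass in quick on $int_if proto { tcp udp } to port { 53 80 443 } \
    tagged HOSTILE keep state queue hostile
block in log quick on $int_if all tagged HOSTILE

# Everyone else: normal policy, default queue.
pass in on $int_if all keep state queue std
```

As the other replies in this thread point out, a user who can set a static IP can also change a MAC address, so this controls only the users who do not know how; authpf, which ties rules to an authenticated ssh login rather than to an address, removes that dependency.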



Re: pf by mac address?

2006-01-23 Thread viq
On Monday 23 January 2006 06:08, David Benfell wrote:

> So I'm thinking I'd like to be able to write packet filter rules based
> on MAC address.  I'm not necessarily going to want to simply cut off
> all their Internet access, but pf offers a lot of options to do what I
> think I might want to do, if I can make rules by MAC address.  Traffic
> shaping and additional rules about what ports they can access come to
> mind.  Possibly other possibilities will come to your mind --
> hopefully you see what I'm thinking.
>
> Is it possible?

How about a different approach? Limit everyone by default, and then remove 
limits via authpf. As someone somewhere said, ssh can be made into 
double-click here to be able to surf ;)

-- 
viq




Re: pf by mac address?

2006-01-23 Thread David Benfell
On Mon, 23 Jan 2006 10:49:32 +0100, viq wrote:
 
> How about a different approach? Limit everyone by default, and then remove
> limits via authpf. As someone somewhere said, ssh can be made into
> double-click here to be able to surf ;)

*This* seems like it could work.  I will look into it further.

Thanks!
-- 
David Benfell, LCP
[EMAIL PROTECTED]
---
Resume available at http://www.parts-unknown.org/



Re: pf by mac address?

2006-01-23 Thread Tobias Weingartner
On Sunday, January 22, David Benfell wrote:
 
> Is it possible?

You have hostile users.  They know how to change IP addresses.  You
want to block by another means they are able to change.  Instead have
a look at authpf.

--Toby.



Never mind... Re: pf by mac address?

2006-01-22 Thread David Benfell
On Sun, 22 Jan 2006 21:08:34 -0800, David Benfell wrote:
 
> Perhaps I'm looking for this the wrong way.  My local network now (and
> hopefully temporarily) includes hostile users.  I may need to exercise
> controls on their Internet usage by machine.
 
Still what I think I'd like to do -- because MAC address spoofing is a
level beyond the capability of the users I'm worried about, but I see
this has come up before...

http://archives.neohapsis.com/archives/openbsd/2002-06/0513.html

-- 
David Benfell, LCP
[EMAIL PROTECTED]
---
Resume available at http://www.parts-unknown.org/



pf by mac address?

2006-01-22 Thread David Benfell
Hello all,

Perhaps I'm looking for this the wrong way.  My local network now (and
hopefully temporarily) includes hostile users.  I may need to exercise
controls on their Internet usage by machine.

Now, I can certainly tell dhcpd to give certain machines certain IP
addresses by reference to their MAC address.  But that won't stop
these users from allocating their own IP address and essentially
bypassing dhcpd.

The environment includes a lot of wireless -- most users connect this
way.

So I'm thinking I'd like to be able to write packet filter rules based
on MAC address.  I'm not necessarily going to want to simply cut off
all their Internet access, but pf offers a lot of options to do what I
think I might want to do, if I can make rules by MAC address.  Traffic
shaping and additional rules about what ports they can access come to
mind.  Possibly other possibilities will come to your mind --
hopefully you see what I'm thinking.

Is it possible?

-- 
David Benfell, LCP
[EMAIL PROTECTED]
---
Resume available at http://www.parts-unknown.org/