Re: dhcpd MAC filter
Don't top-post, please. [http://catb.org/~esr/jargon/html/T/top-post.html]

[format re-arranged]

Wayne M Barnes [EMAIL PROTECTED] writes:

> On Fri, Aug 20, 2004 at 02:01:26PM -0400, Chuck Swiger wrote:
> > Wayne M Barnes wrote:
> > > Is there a way to allow or disallow certain computers by their MAC number?
> >
> > ipfw 2 supports firewalling by MAC address, so yes.
> >
> > > This ability comes with the software on my wireless access point, but I prefer that my FreeBSD system hand out the IP addresses, and I cannot find this MAC-filtering ability at man dhcpd. isc-dhcp3-server-3.0.1.r14_2 is my installed port. Is there another dhcpd to try?
> >
> > You can specify MAC addresses in your DHCP config to reserve specific IP addresses for specific machines. I'm not sure whether there is a way to tell DHCP not to grant a lease to MAC addresses which are not found, but then, without using a firewall, someone could manually configure a foreign host to use the connection, regardless of whether they can get a DHCP lease.
> >
> > --
> > -Chuck
>
> Dear Chuck,
>
> Thanks for the tip about ipfw, but I can't seem to write an acceptable line for rc.firewall, even after reading man ipfw, which does not show a full example. For instance, the following confuses ipfw when I put it into rc.firewall:
>
>     #from man ipfw: MAC 10:20:30:40:50:60/33 any
>     ipfw add drop all from MAC 00:02:2d:2e:04:28 to any
>
> It complains that MAC is an unknown machine. How should I spell a firewall rule invocation that will prevent a certain MAC serial number from getting through or to my FreeBSD machine? Thank you for any further advice.

Sounds like you're running the original IPFW rather than IPFW2. As Chuck Swiger indicated, you need IPFW2 for the MAC keyword. IPFW2 is standard on FreeBSD 5.x, but not earlier.

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: dhcpd MAC filter
Lowell Gilbert wrote:
> [ ... ]
> Sounds like you're running the original IPFW rather than IPFW2. As Chuck Swiger indicated, you need IPFW2 for the MAC keyword. IPFW2 is standard on FreeBSD 5.x, but not earlier.

Note the syntax Wayne was using-- the MAC stuff needs to be specified as an option, as in:

    ipfw add drop all from any to any mac any 00:02:2d:2e:04:28

...rather than:

    #from man ipfw: MAC 10:20:30:40:50:60/33 any
    ipfw add drop all from MAC 00:02:2d:2e:04:28 to any

[ This is not very intuitive or documented via an example in the ipfw manpage, but any particular MAC address may correspond with zero, one, or many IP addresses ]

--
-Chuck
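Added example, not part of the thread and not code from any poster: a shell helper that validates a list of MAC addresses and prints blocking rules in the option form shown in the message above (`mac <dst-mac> <src-mac>`). The rule numbers, the `layer2` option, the function names and the sample list are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: emit ipfw2 rules that block frames
# by source MAC, using the option form "mac <dst-mac> <src-mac>".

# Print MAC lower-cased if it is six colon-separated hex octets; else fail.
normalize_mac() {
    lc=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    printf '%s\n' "$lc" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    printf '%s\n' "$lc"
}

# Usage: mac_block_rules START STEP < list
# Reads one MAC per line (blank lines and "#" comments are skipped) and
# prints one rule per valid address, numbered START, START+STEP, ...
# Returns 1 if any line was rejected, so a bad list is not applied silently.
mac_block_rules() {
    num=$1; step=$2; bad=0
    while read -r addr _rest; do
        case $addr in ''|'#'*) continue ;; esac
        if m=$(normalize_mac "$addr"); then
            # "layer2" (an assumption of this example) limits the rule to
            # the Ethernet-level pass, where MAC headers are visible.
            # "deny" and "drop" are the same ipfw action.
            echo "ipfw add $num deny all from any to any mac any $m layer2"
            num=$((num + step))
        else
            echo "rejected: $addr" >&2
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample list; the first address is the one used in the thread.
mac_block_rules 1000 10 <<'EOF'
# hosts to block
00:02:2D:2E:04:28   # upper case is normalised
10:20:30:40:50:60
EOF
```

MAC options only match when ipfw is handed Ethernet frames, which on FreeBSD requires `sysctl net.link.ether.ipfw=1`. Review the printed rules before loading them into rc.firewall.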
dhcpd MAC filter
Dear FreeBSD,

Is there a way to allow or disallow certain computers by their MAC number? This ability comes with the software on my wireless access point, but I prefer that my FreeBSD system hand out the IP addresses, and I cannot find this MAC-filtering ability at man dhcpd. isc-dhcp3-server-3.0.1.r14_2 is my installed port. Is there another dhcpd to try?

I am running FreeBSD 5.1-RELEASE.

--
Wayne M Barnes [EMAIL PROTECTED] fax: (314) 754-9556
Re: dhcpd MAC filter
Wayne M Barnes wrote:
> Is there a way to allow or disallow certain computers by their MAC number?

ipfw 2 supports firewalling by MAC address, so yes.

> This ability comes with the software on my wireless access point, but I prefer that my FreeBSD system hand out the IP addresses, and I cannot find this MAC-filtering ability at man dhcpd. isc-dhcp3-server-3.0.1.r14_2 is my installed port. Is there another dhcpd to try?

You can specify MAC addresses in your DHCP config to reserve specific IP addresses for specific machines. I'm not sure whether there is a way to tell DHCP not to grant a lease to MAC addresses which are not found, but then, without using a firewall, someone could manually configure a foreign host to use the connection, regardless of whether they can get a DHCP lease.

--
-Chuck
Re: dhcpd MAC filter
I can't determine if you want to simply assign addresses by MAC address or set up a firewall to packet filter based upon MAC address. dhcpd can do the former and ipfw can do the latter. The man pages dhcpd and ipfw have examples on how to accomplish either or both.

> Is there a way to allow or disallow certain computers by their MAC number? I prefer that my FreeBSD system hand out the IP addresses, and I cannot find this MAC-filtering ability at man dhcpd.

J
Re: dhcpd MAC filter
Dear Chuck,

Thanks for the tip about ipfw, but I can't seem to write an acceptable line for rc.firewall, even after reading man ipfw, which does not show a full example. For instance, the following confuses ipfw when I put it into rc.firewall:

    #from man ipfw: MAC 10:20:30:40:50:60/33 any
    ipfw add drop all from MAC 00:02:2d:2e:04:28 to any

It complains that MAC is an unknown machine. How should I spell a firewall rule invocation that will prevent a certain MAC serial number from getting through or to my FreeBSD machine? Thank you for any further advice.

-- Wayne

On Fri, Aug 20, 2004 at 02:01:26PM -0400, Chuck Swiger wrote:
> Wayne M Barnes wrote:
> > Is there a way to allow or disallow certain computers by their MAC number?
>
> ipfw 2 supports firewalling by MAC address, so yes.
>
> > This ability comes with the software on my wireless access point, but I prefer that my FreeBSD system hand out the IP addresses, and I cannot find this MAC-filtering ability at man dhcpd. isc-dhcp3-server-3.0.1.r14_2 is my installed port. Is there another dhcpd to try?
>
> You can specify MAC addresses in your DHCP config to reserve specific IP addresses for specific machines. I'm not sure whether there is a way to tell DHCP not to grant a lease to MAC addresses which are not found, but then, without using a firewall, someone could manually configure a foreign host to use the connection, regardless of whether they can get a DHCP lease.
>
> --
> -Chuck

--
Wayne M Barnes [EMAIL PROTECTED] fax: (314) 754-9556