Pieter Donche wrote:

>> Depends on how you set it up. If you set MACLIST_DISPOSITION=ACCEPT then
>> you might only add entries in /etc/shorewall/maclist for those that are
>> manually set -- specify both MAC and IP ADDRESS.
>
> But if I would use MACLIST_DISPOSITION=ACCEPT and only record entries for
> those that are manually set (2.), wouldn't this leave the possibility open
> that a user manually sets in his PC an IP address which is already
> reserved in our DHCP server (case 1.) for someone else's PC, causing the
> trouble that the DHCP server will not hand out that IP to the rightful
> 'owner' when that IP is in use ... (as I mentioned in my initial mail)

Personally I would suggest that rather than trying to do this in the 
firewall, you set up some form of monitoring to compare ARP tables 
against a predefined list. This can be done (in some cases) by 
querying switches, or by checking the ARP table on some host in the 
network (which can be your firewall - or any other host that the 
device would need to communicate with before getting internet access).

I think it might be easier doing it that way - so you can write your 
own scripts to work as you want, rather than trying to force a 
general purpose tool to do what you want. It shouldn't be hard to 
query the ARP table, compare each entry to a predefined list 
(generated from the same source data that you generate your DHCP 
config from), and flag up any bad entries. Once you've flagged up a 
rogue entry, then you still have to do something - you could block it 
by blacklisting the MAC address in Shorewall, or send an email to an 
administrator, or both, or something else. Whatever you do, human 
intervention is going to be required to track down and "fix" the 
problem - typically by "educating" the user on the error of his ways.

Until you have fixed the problem, then the other user whose IP 
address has been hijacked will still not be able to work on the 
network - unless you run a fully managed network and are able to 
isolate the rogue device at its local network switch (again 
something you won't achieve from a Shorewall config).

> But I want to avoid that a visitor for only a few days, would need to ask
> me to record his MAC address.

Have a separate pool for visitors, and exclude those addresses from 
your checking scripts.



At work we had a related issue. Someone setup a new device for the 
outside network (we offer hosting services amongst other things) and 
chose an address that was already in use*. It took some time before I 
was able to work out what had happened and correct the situation, and 
meanwhile a customer was "a tad upset" that his IP phone system was 
down.

I've since added monitoring in our Nagios system to check the ARP of 
every IP address (including all the empty addresses) on our outside 
network and raise alerts whenever a MAC address 
changes/appears/disappears. It takes a little effort to keep 
everything up to date, but a lot less than trying to track down 
problems after they've happened ! It also means that we now have a 
complete inventory of devices on the network which we didn't have 
before.

* He pinged it first, but of course, many devices these days don't 
respond to pings in some futile attempt to avoid being "seen" and 
attacked.

-- 
Simon Hobson

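The checking script Simon describes (compare the host's ARP table against a list generated from the same data as the DHCP config, skip the visitor pool, flag hijacked and unknown entries, and raise an event when a MAC appears, disappears or changes between runs) as an added example. This is not code from the thread or from the Shorewall project; the dhcpd.conf host blocks, the `ip -4 neigh show` output, the interface name and the visitor range 192.168.1.200-254 are all constructed sample data, and `shorewall_mac()` only formats the MAC in Shorewall's `~xx-xx-xx-xx-xx-xx` notation, which file you put it in depends on your Shorewall version.

```python
"""Audit a host's ARP/neighbour table against DHCP reservations.

Added example, not from the mailing-list thread. Assumptions:
- reservations are dhcpd.conf-style 'host' blocks (same source data as
  the DHCP config);
- the neighbour table is the text output of `ip -4 neigh show`;
- a visitor pool (192.168.1.200-254, hypothetical) is exempt from checks.
"""
import ipaddress
import re

# Constructed sample of dhcpd.conf reservations (not real data).
DHCPD_CONF = """
host alice-pc { hardware ethernet 00:11:22:33:44:55; fixed-address 192.168.1.10; }
host bob-pc   { hardware ethernet 00:11:22:33:44:66; fixed-address 192.168.1.11; }
host printer  { hardware ethernet aa:bb:cc:dd:ee:01; fixed-address 192.168.1.20; }
"""

# Constructed sample of `ip -4 neigh show` output on the checking host.
# .11 carries the wrong MAC (hijacked), .30 is not reserved at all,
# .210 is in the visitor pool, .20 has no lladdr (unresolved).
NEIGH_OUTPUT = """
192.168.1.10 dev eth1 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.11 dev eth1 lladdr DE:AD:BE:EF:00:01 STALE
192.168.1.30 dev eth1 lladdr aa:bb:cc:dd:ee:99 REACHABLE
192.168.1.210 dev eth1 lladdr 02:00:00:00:00:77 REACHABLE
192.168.1.20 dev eth1 FAILED
"""

# Hypothetical visitor pool, excluded from checking (inclusive range).
VISITOR_POOL = (ipaddress.ip_address("192.168.1.200"),
                ipaddress.ip_address("192.168.1.254"))

RESERVATION_RE = re.compile(
    r"host\s+(\S+)\s*\{[^}]*hardware\s+ethernet\s+([0-9a-fA-F:]{17})\s*;"
    r"[^}]*fixed-address\s+([0-9.]+)\s*;", re.S)

NEIGH_RE = re.compile(
    r"^(\S+)\s+dev\s+\S+\s+lladdr\s+([0-9a-f:]{17})\s+(\S+)", re.I)


def parse_reservations(conf):
    """Map reserved IP -> (hostname, MAC) from dhcpd.conf host blocks."""
    return {ip: (name, mac.lower())
            for name, mac, ip in RESERVATION_RE.findall(conf)}


def parse_neigh(output):
    """Map IP -> MAC; entries without lladdr (FAILED, INCOMPLETE) are skipped."""
    table = {}
    for line in output.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def in_visitor_pool(ip):
    addr = ipaddress.ip_address(ip)
    return VISITOR_POOL[0] <= addr <= VISITOR_POOL[1]


def audit(reservations, neigh):
    """Compare the ARP table to the reservation list.

    Returns ('HIJACK', ip, expected_mac, seen_mac) when a reserved IP is
    answered by the wrong MAC, and ('UNKNOWN', ip, seen_mac) when an IP
    outside the visitor pool has no reservation at all.
    """
    findings = []
    for ip, mac in sorted(neigh.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        if ip in reservations:
            expected = reservations[ip][1]
            if mac != expected:
                findings.append(("HIJACK", ip, expected, mac))
        elif not in_visitor_pool(ip):
            findings.append(("UNKNOWN", ip, mac))
    return findings


def diff_snapshots(previous, current):
    """Nagios-style change detection between two IP->MAC snapshots."""
    events = []
    for ip in sorted(set(previous) | set(current), key=ipaddress.ip_address):
        old, new = previous.get(ip), current.get(ip)
        if old is None:
            events.append(("APPEARED", ip, new))
        elif new is None:
            events.append(("DISAPPEARED", ip, old))
        elif old != new:
            events.append(("CHANGED", ip, old, new))
    return events


def shorewall_mac(mac):
    """Render a MAC in Shorewall's ~xx-xx-xx-xx-xx-xx address notation."""
    return "~" + mac.lower().replace(":", "-")


if __name__ == "__main__":
    reservations = parse_reservations(DHCPD_CONF)
    for finding in audit(reservations, parse_neigh(NEIGH_OUTPUT)):
        print(*finding)
```

In production, feed `parse_neigh()` the output of `ip -4 neigh show` on the firewall (or another host every client must talk to), generate the reservation text from the same source your DHCP config comes from, and keep the previous snapshot on disk so `diff_snapshots()` can report appearances and disappearances as well as changes. Only the HIJACK/UNKNOWN findings are worth acting on automatically; as the message says, a human still has to track down the device.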

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
