Security Basics mailing list archives
Re: IP to MAC mapping
From: Devdas Bhagat <dvb () users sourceforge net>
Date: Wed, 27 Nov 2002 00:46:45 +0530
On 26/11/02 12:38 -0500, Ben Corman wrote:
How would you build that ruleset automatically from a database? We are running a PIX here, and there has been some discussion about doing this exact thing, but no one can figure out how you would go about doing that.
I think this might be useful to other posters too, so here goes. I assume a flat network here, so that client MAC addresses are available to the firewall. Any router will hide MAC addresses.

Part 1: Get the MAC addresses into the database.

    CREATE TABLE arp (
        ethernet_addr char(17),
        ip_addr varchar(15)
    );

If you can do this manually, pretty nice. If not (like an ISP assigning IP addresses via DHCP and not tying them to the MAC address), you need to parse the DHCP server logs. Use a Perl script to move the IP address/MAC address pairs to the database.

Part 2: Get the ruleset to the firewall.

Again, Perl to your rescue. Use Perl to ssh to the firewall, and send over rules generated from the database.

In a specific case, I was required to provide billing based on usage time and data transferred. For this, the solution used was a Linux box running Apache, iptables, Perl and PostgreSQL. On connecting, the user would automatically be redirected to a login page, where (s)he would have to authenticate. On authentication, the client IP would be added to the database of logged in users and a signal would be sent to a script which would insert the rule into the iptables ruleset. This would log a timestamp into the database.

When the user logged out, or the box would not respond to a ping, the session would be terminated. Terminating the session involved grabbing the data transfer for that particular IP from the iptables rule, and logging the removal timestamp followed by actual deletion of the rule. The default rule in this case was a redirect, but could easily become a DROP.

I hope this helps.

Devdas Bhagat
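The two parts described above (parse DHCP server logs into the arp table, then generate firewall rules from it) as an added worked example; this is not the poster's code. It uses Python and an in-memory SQLite table in place of the Perl and PostgreSQL the post mentions, the dhcpd log lines are constructed, the iptables target chain is assumed to be FORWARD, and a PRIMARY KEY on ip_addr is an addition to the post's schema so a re-leased address replaces its stale MAC.

```python
import re
import sqlite3

# Constructed sample of ISC dhcpd syslog output (not taken from the original post).
DHCPD_LOG = """\
Nov 26 12:38:01 gw dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0
Nov 26 12:38:01 gw dhcpd: DHCPACK on 192.168.1.10 to 00:11:22:33:44:55 (alice-pc) via eth0
Nov 26 12:40:17 gw dhcpd: DHCPACK on 192.168.1.11 to 00:aa:bb:cc:dd:ee via eth0
Nov 26 13:02:44 gw dhcpd: DHCPACK on 192.168.1.10 to 00:de:ad:be:ef:01 (bob-laptop) via eth0
"""

# Only DHCPACK lines record a lease that was actually handed out.
ACK_RE = re.compile(
    r"DHCPACK on (\d{1,3}(?:\.\d{1,3}){3}) to ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)

def parse_dhcp_log(text):
    """Yield (ip, mac) pairs from DHCPACK lines, in log order."""
    for line in text.splitlines():
        m = ACK_RE.search(line)
        if m:
            yield m.group(1), m.group(2).lower()

def load_arp_table(conn, text):
    """Part 1: fill the arp table. ip_addr is the key (added to the post's schema)
    so the latest lease for an IP replaces the old MAC instead of duplicating the row."""
    conn.execute("CREATE TABLE IF NOT EXISTS arp "
                 "(ethernet_addr char(17), ip_addr varchar(15) PRIMARY KEY)")
    for ip, mac in parse_dhcp_log(text):
        conn.execute("INSERT OR REPLACE INTO arp (ethernet_addr, ip_addr) VALUES (?, ?)",
                     (mac, ip))
    conn.commit()

def build_ruleset(conn, chain="FORWARD"):
    """Part 2: emit iptables commands. A client is accepted only when its source IP
    and source MAC match one arp row; anything else falls through to the default DROP."""
    rules = []
    for mac, ip in conn.execute("SELECT ethernet_addr, ip_addr FROM arp ORDER BY ip_addr"):
        rules.append(f"iptables -A {chain} -s {ip} -m mac --mac-source {mac} -j ACCEPT")
    rules.append(f"iptables -A {chain} -j DROP")  # default rule, as the post suggests
    return rules

def ruleset_from_log(text, chain="FORWARD"):
    """Run both parts against a log text and return the generated rule lines."""
    conn = sqlite3.connect(":memory:")
    load_arp_table(conn, text)
    return build_ruleset(conn, chain)

if __name__ == "__main__":
    print("\n".join(ruleset_from_log(DHCPD_LOG)))
```

The rule lines would then be pushed to the firewall over ssh, as the post describes; the -m mac match only works on the segment where the client's MAC is visible, which is why the post assumes a flat network.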