Re: IP to MAC mapping

[Devdas Bhagat <dvb () users sourceforge net>]

On 26/11/02 12:38 -0500, Ben Corman wrote:
> How would you built that ruleset automatically from a database? We are
> running a PIX here, and there has been some discussion about doing this
> exact thing, but no one can figure out you would go about doing that.
I think this might be useful to other posters too, so here goes.

I assume a flat network here, so that client MAC addresses are available
to the firewall. Any router will hide MAC addresses.

Part 1: Get the MAC addresses into the database.
CREATE TABLE arp (
        ethernet_addr   char(17),
        ip_addr         varchar(15)
);

If you can do this manually, pretty nice. If not (like an ISP assigning
IP addresses via DHCP and not tying them to the MAC address), you need
to parse the DHCP server logs. Use a Perl script to move the ip
address/mac address pairs to the database. 

Part 2: Get the ruleset to the firewall
Again, Perl to your rescue. Use Perl to ssh to the firewall, and send
over rules generated from the database.

In a specific case, I was required to provide billing based on usage
time and data transferred. For this, the solution used was a Linux box
running Apache, iptables, Perl and Postgresql.
On connecting, the user would automatically be redirected to a login
page, when (s)he would have to authenticate. On authentication, the
client IP would be added to the database of logged in users and a signal
would be sent to a script which would insert the rule into the iptables
ruleset. this would log a timestamp into the database.
When the user logged out, or the box would not respond to a ping, the
session would be terminated. Terminating the session involved grabbing
the data transfer for that particular ip from the iptables rule, and
logging the removal timestamp followed by actual deletion of the rule.
The default rule in this case was a redirect, but could easily become a
DROP.

I hope this helps.

Devdas Bhagat