Firewall Wizards mailing list archives

Re: Static ARP firewall advice

From: "Greg Dickinson" <gdickinson () indiansprings org>
Date: Fri, 09 Apr 2004 16:16:52 -0500

Thank you all for your advice.

Yes, the new proxy server that I install will use authentication (ident
for when they are using lab machines, and LDAP against eDirectory for
dorm machines.)

We had also realized that this would only be a stopgap measure against
the brighter students - but we had to do something to maintain the
integrity of the internet access :-) while not making it overly
difficult for all involved.

I hadn't thought about using PPPoE for dorm access.  I may look into
that when I upgrade the firewall to the latest version of OBSD.

Thanks again.

Chuck Swiger <chuck () codefab com> 04/09/04 8:51 AM >>>

Greg Dickinson wrote:
[ ... ]

I am currently in the process of reloading the proxy server to get it
off RH9, but in the interim I was wondering if there is an
easy/recommended way to accomplish this: I had the idea of adding

static

ARP entries in the firewall so that only the specified Layer 3

addresses

that match the specified Layer 2 addresses can get through the

firewall.

 However (as you can imagine) this is a nightmare to maintain, as well
as difficult for the local administrator to add static ARP entries (he
has to add the addresses to /etc/rc.local and reboot the firewall
everytime [yes, I know a reboot is not required...but it's simpler...
:-> ])


On most systems, you should be adding IP-to-MAC mappings via
/etc/ethers, and 
disabling ARP on that particular network interface.  While you can
accomplish 
what you've asked for and it will work to some extent, you'll discover
that 
clever students can also change their MAC addresses, too.

Better approaches be to switch to using authenticating proxy servers for

traffic (ie, squid for HTTP/HTTPS), or to require students to use PPPoE
in 
order to get a connection (which will use an authentication mechanism
that's 
not trivial to spoof).

-- 
-Chuck
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Static ARP firewall advice Greg Dickinson (Apr 08)
- RE: Static ARP firewall advice Josh Welch (Apr 10)
- Re: Static ARP firewall advice Chuck Swiger (Apr 10)
- <Possible follow-ups>
- Re: Static ARP firewall advice Greg Dickinson (Apr 10)
- RE: Static ARP firewall advice Melson, Paul (Apr 16)