Firewall Wizards mailing list archives
Re: Static ARP firewall advice
From: "Greg Dickinson" <gdickinson () indiansprings org>
Date: Fri, 09 Apr 2004 16:16:52 -0500
Thank you all for your advice. Yes, the new proxy server that I install will use authentication (ident for when they are using lab machines, and LDAP against eDirectory for dorm machines.) We had also realized that this would only be a stopgap measure against the brighter students - but we had to do something to maintain the integrity of the internet access :-) while not making it overly difficult for all involved. I hadn't thought about using PPPoE for dorm access. I may look into that when I upgrade the firewall to the latest version of OBSD. Thanks again.
Chuck Swiger <chuck () codefab com> 04/09/04 8:51 AM >>>
Greg Dickinson wrote: [ ... ]
I am currently in the process of reloading the proxy server to get it off RH9, but in the interim I was wondering if there is an easy/recommended way to accomplish this: I had the idea of adding static ARP entries in the firewall so that only the specified Layer 3 addresses that match the specified Layer 2 addresses can get through the firewall.
However (as you can imagine) this is a nightmare to maintain, as well as difficult for the local administrator to add static ARP entries (he has to add the addresses to /etc/rc.local and reboot the firewall every time [yes, I know a reboot is not required... but it's simpler... :-> ])
On most systems, you should be adding IP-to-MAC mappings via /etc/ethers, and disabling ARP on that particular network interface. While you can accomplish what you've asked for and it will work to some extent, you'll discover that clever students can also change their MAC addresses, too. Better approaches would be to switch to using authenticating proxy servers for traffic (i.e., squid for HTTP/HTTPS), or to require students to use PPPoE in order to get a connection (which will use an authentication mechanism that's not trivial to spoof).
-Chuck
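The /etc/ethers approach Chuck describes, written out as a dry-run script: it reads an ethers-style file (MAC first, then address, '#' comments allowed), validates each MAC, flags duplicate entries, and prints the commands that would pin each mapping and switch off dynamic ARP on the interface. This is an added example, not code from the thread; it assumes Linux iproute2 syntax (the OP's firewall is OpenBSD, where arp(8) and ifconfig(8) are used instead), a constructed sample file, and the interface name eth0.

```shell
#!/bin/sh
# Constructed sample in /etc/ethers format: "MAC address" per line.
ETHERS_FILE="${TMPDIR:-/tmp}/ethers.sample"
cat > "$ETHERS_FILE" <<'EOF'
# dorm lab hosts (constructed sample, not real addresses)
00:11:22:33:44:55 10.0.0.10
00:11:22:33:44:56 10.0.0.11
00:11:22:33:44:57 10.0.0.12
EOF

# Returns 0 if $1 is six colon-separated hex octets.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Print (do not run) the iproute2 commands that pin each IP in file $1
# to its MAC on interface $2, then disable dynamic ARP on that interface.
# Malformed lines are reported on stderr and skipped.
ethers_to_neigh() {
    file=$1; dev=$2
    grep -v '^[[:space:]]*#' "$file" | grep -v '^[[:space:]]*$' |
    while read -r mac ip _; do
        if ! valid_mac "$mac"; then
            echo "skip: bad MAC '$mac' for $ip" >&2
            continue
        fi
        printf 'ip neigh replace %s lladdr %s dev %s nud permanent\n' \
            "$ip" "$mac" "$dev"
    done
    printf 'ip link set dev %s arp off\n' "$dev"
}

# List any MAC or IP that appears more than once in file $1; the
# maintenance nightmare the OP mentions usually starts with a stale
# duplicate, so this should be empty before the commands are applied.
ethers_duplicates() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF >= 2 { print $1; print $2 }' |
    sort | uniq -d
}

# Review the output, then pipe it to sh as root on the firewall.
ethers_to_neigh "$ETHERS_FILE" eth0
```

As Chuck notes, pinning mappings this way only stops hosts that keep their original MAC; it is not an authentication mechanism.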