On 2007-11-26 00:33, Amadeus wrote:
> I could force a MAC address to use a specific IP in dhcpd, but again,
> they could just configure their IP manually.

Well, if you *could* be doing this, then you already *should* be doing
this. If you know which systems are supposed to be on your network, it's
only sensible to preallocate the IPs so that when a packet comes along
you know which system it's supposed to be from without having to dig
through the DHCP leases. The data is already there in the leases; just
transfer it to the config.

> Do you have any suggestions for this problem?

Associate fixed IPs with every box in the DHCP config as discussed
above, then assign a static arp entry for every legitimate IP, then
disable native arp.

If your users change MACs, then the firewall won't be able to talk to
them. The weakness is then that if a box is offline, they can borrow its
MAC and IP combination, if they know it.

The catch is I'm not sure whether you can disable native arp on NetBSD.
If not, you could use arpwatch to trigger a script to blackhole any new
MACs that show up.

Another suggestion: make users sign an acceptable use policy in exchange
for access, and report violators to management. Enforceable policy is
always an effective alternative where technical methods fail.

Or there's always IPsec.

Or what Darren said.

-- 
Jefferson Ogata <[EMAIL PROTECTED]>
NOAA Computer Incident Response Team (N-CIRT) <[EMAIL PROTECTED]>
"Never try to retrieve anything from a bear."--National Park Service
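The scheme described in the reply above (fixed DHCP addresses per known MAC, static ARP entries on the firewall, and an arpwatch-triggered check that flags any MAC not on the list) as a worked example. This is an added illustration, not code from the poster or from arpwatch; the host inventory is constructed with documentation addresses, and the mechanism that feeds arpwatch's "new station" reports into `classify` (mail filter, syslog hook, or a wrapper) is assumed and not shown. The MAC normalization is there because BSD tools such as arp(8) print octets without leading zeros.

```shell
#!/bin/sh
# Constructed inventory of legitimate boxes: hostname, MAC, fixed IP.
# Replace with the real list (the same data already sits in dhcpd.leases).
HOSTS='
ws01    00:0c:29:aa:bb:01 192.0.2.11
ws02    00:0c:29:aa:bb:02 192.0.2.12
printer 00:0c:29:aa:bb:03 192.0.2.20
'

# Canonicalize a MAC: lowercase hex, every octet zero-padded to two digits,
# so "0:C:29:AA:BB:1" and "00:0c:29:aa:bb:01" compare equal.
norm_mac() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f' |
        awk 'BEGIN { FS = OFS = ":" }
             { for (i = 1; i <= NF; i++) if (length($i) == 1) $i = "0" $i; print }'
}

# Emit dhcpd.conf host blocks so every known MAC always receives its fixed IP.
gen_dhcpd_hosts() {
    printf '%s\n' "$HOSTS" | while read -r name mac ip; do
        [ -n "$name" ] || continue
        printf 'host %s {\n  hardware ethernet %s;\n  fixed-address %s;\n}\n' \
            "$name" "$mac" "$ip"
    done
}

# Emit the static ARP entries the firewall should load at boot; once these
# are in place the firewall never needs to ask the wire who owns an IP.
gen_static_arp() {
    printf '%s\n' "$HOSTS" | while read -r name mac ip; do
        [ -n "$name" ] || continue
        printf 'arp -s %s %s permanent\n' "$ip" "$mac"
    done
}

# Classify a (MAC, IP) pair reported by arpwatch against the inventory.
# Prints: ok      - known MAC using its assigned IP
#         spoof   - known MAC using a different IP (manual reconfiguration)
#         unknown - MAC not in the inventory (candidate for blackholing)
classify() {
    seen_mac=$(norm_mac "$1")
    seen_ip=$2
    result=unknown
    while read -r name mac ip; do
        [ -n "$name" ] || continue
        if [ "$mac" = "$seen_mac" ]; then
            if [ "$ip" = "$seen_ip" ]; then result=ok; else result=spoof; fi
            break
        fi
    done <<EOF
$HOSTS
EOF
    echo "$result"
}

# Stand-alone run: print the generated config, then classify a few samples.
echo '# --- dhcpd.conf fragment ---'; gen_dhcpd_hosts
echo '# --- static ARP commands ---'; gen_static_arp
echo "# ws01 at its own IP:      $(classify 00:0c:29:aa:bb:01 192.0.2.11)"
echo "# ws01 at a borrowed IP:   $(classify 0:c:29:aa:bb:1 192.0.2.99)"
echo "# unlisted MAC:            $(classify 00:0c:29:aa:bb:ff 192.0.2.11)"
```

What `classify` returns as `unknown` is exactly the case the reply proposes handing to a blackholing script; the enforcement command itself (a firewall rule or a deliberately wrong static ARP entry for that address) depends on the firewall in use and is left out. Note the limitation the poster already states: a MAC and IP pair borrowed from an offline box classifies as `ok`, so the inventory check only catches strangers and reconfigured known hosts.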
