On 2014-11-28, thev...@openmailbox.org <thev...@openmailbox.org> wrote:
>> If say machine 192.168.0.2 and 192.168.0.3 needs unrestricted access to
>> the net, then won't it be as easy as "Joe" changing his machine's IP
>> address to 192.168.0.2 to gain access without authentication?
>
> theoretically this is possible, but only if the original machine holding
> the ip was down. just as a nameserver converts to an ip, the ip is converted
> to a MAC-address, which is associated with the NIC. if you want you can
> permanently associate an ip with a mac, that way another machine cannot use
> that ip address, even if the rightful holder is down. see arp(8).

But that other machine can also take on the same MAC address.

Neither IP nor MAC address reliably authenticate a machine. If you need
authenticated traffic, the tool is IPsec. Use isakmpd or iked to set up
an authenticated security association and configure pf to only pass
(1) IKE negotiation and (2) decapsulated traffic from the enc interface.
Or tag on enc and filter on the tag.

--
Christian "naddy" Weisgerber                          na...@mips.inka.de
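An added pf.conf fragment illustrating the filtering naddy describes (this is example configuration written for this page, not from the thread or from the OpenBSD project). The interface names em0/em1, the LAN prefix 192.168.0.0/24 and the tag name IPSEC_OK are assumptions; the IKE/IPsec side itself (isakmpd or iked with per-host keys) is configured separately and is not shown here.

```pf
# pf.conf fragment (example, assumed interface names and LAN prefix):
# only IKE negotiation and IPsec-decapsulated traffic may reach the net.
ext_if = "em0"              # upstream / Internet-facing interface
int_if = "em1"              # LAN where the clients sit
lan    = "192.168.0.0/24"

set skip on lo0
block log all               # default deny; everything below is an explicit exception

# (1) IKE negotiation between LAN hosts and this gateway: ISAKMP on udp/500,
#     NAT-T on udp/4500, and the ESP packets that carry the tunnel itself.
#     The outbound rules cover the replies; they are redundant with the
#     default floating state policy but harmless if states are if-bound.
pass in  quick on $int_if proto udp from $lan to ($int_if) port { 500, 4500 }
pass out quick on $int_if proto udp from ($int_if) to $lan port { 500, 4500 }
pass in  quick on $int_if proto esp from $lan to ($int_if)
pass out quick on $int_if proto esp from ($int_if) to $lan

# (2) Packets that have been decapsulated (so: authenticated by the SA's key,
#     not by their source address) appear on enc0. Tag them there and let
#     only tagged packets leave through the external interface.
pass in  quick on enc0 from $lan to any tag IPSEC_OK
pass out quick on enc0 from any to $lan
pass out quick on $ext_if tagged IPSEC_OK

# A LAN host that merely copies 192.168.0.2's IP or MAC address never
# matches a "pass out" rule on $ext_if: without the SA it has no packets
# on enc0 and therefore nothing carrying the IPSEC_OK tag.
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -ss` shows whether states are being created on enc0 once a host has negotiated its SA.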