RE: [fw-wiz] Static ARP firewall advice

From: Josh Welch (
Date: 04/09/04

  • Next message: Chuck Swiger: "Re: [fw-wiz] Static ARP firewall advice"
    To: <>
    Date: Fri, 9 Apr 2004 07:57:31 -0500

    Greg Dickinson said:
    > I've done some fairly extensive research on this subject, and can't get
    > a definitive answer. I solicit your advice.
    > I manage the firewall for a local boarding school as a side job. The
    > campused students are allowed to bring their own PC's to connect to the
    > campus network for internet access in their rooms. The firewall has 4
    > interfaces, one for the administrative LAN, one for the internet, one
    > for the dorm LAN, and one for the proxy server so it's in its own
    > "sandbox".
    > We have statically assigned IP addresses for the students' PC's, so
    > that we can run a proxy log analysis and determine which students are
    > accessing which sites at what times. These statically assigned
    > addresses are in specific allow statements in the ruleset (pf on OBSD
    > 3.2). Recently the (rather bright) students here have figured out that
    > they can simply "steal" someone else's address and avoid detection.
    > I am currently in the process of reloading the proxy server to get it
    > off RH9, but in the interim I was wondering if there is an
    > easy/recommended way to accomplish this: I had the idea of adding static
    > ARP entries in the firewall so that only the specified Layer 3 addresses
    > that match the specified Layer 2 addresses can get through the firewall.
    > However (as you can imagine) this is a nightmare to maintain, as well
    > as difficult for the local administrator to add static ARP entries (he
    > has to add the addresses to /etc/rc.local and reboot the firewall
    > every time [yes, I know a reboot is not required...but it's simpler...
    > :-> ])
    > To summarize: is there an easy way to maintain static ARP entries using
    > pf on OBSD 3.2? While the current firewall is OBSD, I am not married
    > to this configuration - if there is an open source firewall product that
    > will allow me to accomplish this easier, then I will recommend that to
    > the admin.
    > Thanks in advance for your time.
    > --Greg

    A particular annoyance of mine is when I pose a specific question on a list
    and I get a bunch of replies that suggest I do something entirely different;
    unfortunately I'm going to do that :)
    Is there a particular reason you haven't decided to implement user
    authentication on your proxy? It would allow you to track site visits by
    username rather than IP address; you could then DHCP your students if you
    wanted to and remove that particular administrative hassle, unless it's
    needed for other reasons.
    Otherwise, I don't have any OpenBSD boxes to try out pf, but iptables can
    have rules written in such a fashion that if a machine has a certain
    combination of IP and MAC, it's allowed, place a rule at the end of the
    chain to DROP any other traffic and it will work. Assuming your proxy runs
    on port 80 it should be like this:
    -N matchmac
    -N logmac
    # INPUT covers a proxy running on the firewall itself; use FORWARD if it sits behind it
    -A INPUT -p tcp -m tcp --dport 80 -j matchmac
    # one line per student; the post left the IP and jump target blank and used an illustrative MAC, so placeholders:
    -A matchmac -p tcp -s <STUDENT-IP> -m mac --mac-source <STUDENT-MAC> -j ACCEPT
    -A matchmac -j logmac
    -A logmac -j LOG --log-prefix "BAD MAC IP COMBO:" --log-level 7
    -A logmac -j DROP

    This will work, but if you have a large number of clients it will be icky,
    specifically at the beginning of the school year when you're trying to get
    everyone set up. I'd still suggest doing client authentication on your


    firewall-wizards mailing list
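Both the original question (keeping static ARP entries on the OpenBSD firewall without hand-editing rc.local) and the reply's iptables matchmac/logmac chains boil down to the same administrative problem: one list of student IP/MAC pairs that has to be turned into firewall state every time a PC is added. The script below is an added example, not code from either poster; it reads such a list from a plain "IP MAC" file, validates every entry, and emits either an iptables-restore fragment (for the Linux approach in the reply) or the "hostname ether_addr" lines that arp -f loads (for the static-ARP approach in the question; that format is assumed from the arp(8) manual). The dorm-side interface name em1, the file format, and the sample addresses are all assumptions. It fails closed: one malformed line and nothing is emitted, so a typo cannot quietly leave a student's traffic matching only the log-and-drop tail.

```shell
#!/bin/sh
# Added example (not from the thread): build the per-student IP/MAC binding
# rules from one plain "IP MAC" file instead of hand-editing rc.local.
# Assumptions: dorm-side interface name (em1 by default), the file format, and
# that the rules are loaded with iptables-restore / arp -f on the firewall.

# Constructed sample bindings, standing in for the admin's real file.
SAMPLE_BINDINGS='# one line per student PC: ip mac
192.168.10.11 00:11:22:33:44:55
192.168.10.12 00:11:22:33:44:66
'
# Constructed malformed entry ("WE" is not a hex pair); must be rejected.
SAMPLE_BAD='192.168.10.13 00:C0:WE:45:E2:D4
'

# Dotted quad with every octet in 0..255.
valid_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(printf '%s\n' "$1" | tr . ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# Six colon-separated hex pairs, the only form iptables and arp accept.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Read bindings on stdin, skip blanks and '#' comments, print validated
# "ip mac" pairs. Returns 1 on the first malformed line so that a typo can
# never produce a half-built chain that silently lets traffic through.
check_bindings() {
    while read -r ip mac rest; do
        case "$ip" in ''|\#*) continue ;; esac
        if ! valid_ip "$ip" || ! valid_mac "$mac"; then
            printf 'bad binding: "%s %s"\n' "$ip" "$mac" >&2
            return 1
        fi
        printf '%s %s\n' "$ip" "$mac"
    done
    return 0
}

# Emit an iptables-restore fragment: frames entering on the dorm interface
# pass only when source IP *and* source MAC match a registered pair; anything
# else is logged and dropped, mirroring the reply's matchmac/logmac chains.
gen_iptables() {
    dorm_if=${1:-em1}
    pairs=$(check_bindings) || return 1
    printf '%s\n' '*filter' ':matchmac - [0:0]' ':logmac - [0:0]'
    printf '%s -i %s -j matchmac\n' '-A FORWARD' "$dorm_if"
    printf '%s\n' "$pairs" | while read -r ip mac; do
        printf '%s -s %s -m mac --mac-source %s -j ACCEPT\n' '-A matchmac' "$ip" "$mac"
    done
    printf '%s\n' '-A matchmac -j logmac' \
        '-A logmac -j LOG --log-prefix "BAD MAC IP COMBO:" --log-level 7' \
        '-A logmac -j DROP' 'COMMIT'
}

# Emit the same bindings in the "hostname ether_addr" form read by arp -f
# (assumed from arp(8) on OpenBSD and net-tools), so the firewall's ARP table
# is pinned to the registered MAC rather than learned from whoever answers.
gen_arp_file() {
    check_bindings
}

# Stand-alone demonstration; the functions above are what a test would call.
printf '%s' "$SAMPLE_BINDINGS" | gen_iptables em1
printf '%s' "$SAMPLE_BINDINGS" | gen_arp_file
if printf '%s' "$SAMPLE_BAD" | gen_iptables em1 >/dev/null; then
    echo 'unexpected: malformed binding accepted' >&2
fi
```

The idea is that the local admin only ever edits the bindings file; a reload is then `gen_iptables em1 < bindings | iptables-restore -n` on Linux or `gen_arp_file < bindings > /etc/ethers.students && arp -f /etc/ethers.students` on OpenBSD, with no reboot. Two caveats a defender should keep in mind: pf itself has no layer-2 match, which is why the OpenBSD side has to pin the ARP table rather than filter on MAC, and a binding of this kind only ties an address to a network card, so the proxy authentication suggested in the reply is still the way to tie activity to a person.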
