Re: [fw-wiz] Static ARP firewall advice
From: Chuck Swiger (chuck_at_codefab.com)
To: Greg Dickinson <email@example.com> Date: Fri, 09 Apr 2004 09:51:41 -0400
Greg Dickinson wrote:
[ ... ]
> I am currently in the process of reloading the proxy server to get it
> off RH9, but in the interim I was wondering if there is an
> easy/recommended way to accomplish this: I had the idea of adding static
> ARP entries in the firewall so that only the specified Layer 3 addresses
> that match the specified Layer 2 addresses can get through the firewall.
> However (as you can imagine) this is a nightmare to maintain, as well
> as difficult for the local administrator to add static ARP entries (he
> has to add the addresses to /etc/rc.local and reboot the firewall
> everytime [yes, I know a reboot is not required...but it's simpler...
> :-> ])
On most systems, you should be adding IP-to-MAC mappings via /etc/ethers, and
disabling ARP on that particular network interface. While you can accomplish
what you've asked for and it will work to some extent, you'll discover that
clever students can also change their MAC addresses, too.
Better approaches be to switch to using authenticating proxy servers for
traffic (ie, squid for HTTP/HTTPS), or to require students to use PPPoE in
order to get a connection (which will use an authentication mechanism that's
not trivial to spoof).
-- -Chuck _______________________________________________ firewall-wizards mailing list firstname.lastname@example.org http://honor.icsalabs.com/mailman/listinfo/firewall-wizards