Re: [fw-wiz] Static ARP firewall advice

From: Chuck Swiger (chuck_at_codefab.com)
Date: 04/09/04

    To: Greg Dickinson <gdickinson@indiansprings.org>
    Date: Fri, 09 Apr 2004 09:51:41 -0400

    Greg Dickinson wrote:
    [ ... ]
    > I am currently in the process of reloading the proxy server to get it
    > off RH9, but in the interim I was wondering if there is an
    > easy/recommended way to accomplish this: I had the idea of adding static
    > ARP entries in the firewall so that only the specified Layer 3 addresses
    > that match the specified Layer 2 addresses can get through the firewall.
    > However (as you can imagine) this is a nightmare to maintain, as well
    > as difficult for the local administrator to add static ARP entries (he
    > has to add the addresses to /etc/rc.local and reboot the firewall
    > every time [yes, I know a reboot is not required...but it's simpler...
    > :-> ])

    On most systems, you should be adding IP-to-MAC mappings via /etc/ethers, and
    disabling ARP on that particular network interface. While you can accomplish
    what you've asked for and it will work to some extent, you'll discover that
    clever students can also change their MAC addresses, too.

    Better approaches would be to switch to using authenticating proxy servers for
    traffic (i.e., squid for HTTP/HTTPS), or to require students to use PPPoE in
    order to get a connection (which will use an authentication mechanism that's
    not trivial to spoof).

    -- 
    -Chuck
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    
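The /etc/ethers approach Chuck describes, as an added example that is not code from the thread: a small POSIX shell helper that validates and appends MAC-to-IP mappings in /etc/ethers format, then installs them as permanent ARP entries and turns ARP off on the inside interface, so the local administrator edits one file instead of /etc/rc.local. It assumes Linux with net-tools `arp` and iproute2 `ip`; the interface name `eth1` and every address are placeholders.

```shell
# Added example: keep the IP<->MAC table in /etc/ethers format ("mac ip"
# per line), validate new entries, and load the table as permanent ARP
# entries. Assumes Linux net-tools `arp` and iproute2 `ip`; ETHERS_FILE
# and LAN_IF are placeholder values.
ETHERS_FILE="${ETHERS_FILE:-/etc/ethers}"
LAN_IF="${LAN_IF:-eth1}"

# Accept only a well-formed colon-separated MAC address.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Accept only a dotted-quad IPv4 address with octets in 0..255.
valid_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(printf '%s' "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# add_entry MAC IP: append a mapping, refusing malformed or duplicate values.
add_entry() {
    mac=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); ip=$2
    valid_mac "$mac" || { echo "bad MAC: $1" >&2; return 1; }
    valid_ip "$ip"   || { echo "bad IP: $ip" >&2; return 1; }
    [ -f "$ETHERS_FILE" ] || : > "$ETHERS_FILE"
    # One MAC per IP and one IP per MAC: a duplicate is a typo or a second
    # host being given an address that is already assigned.
    if awk -v m="$mac" -v a="$ip" \
         'tolower($1)==m || $2==a {f=1} END {exit !f}' "$ETHERS_FILE"; then
        echo "duplicate MAC or IP: $mac $ip" >&2; return 1
    fi
    printf '%s %s\n' "$mac" "$ip" >> "$ETHERS_FILE"
}

# load_entries: install every mapping as a permanent ARP entry, then stop
# the interface from learning (or answering) ARP at all. Needs root.
load_entries() {
    while read -r mac ip; do
        case $mac in ''|'#'*) continue ;; esac
        arp -i "$LAN_IF" -s "$ip" "$mac" || return 1
    done < "$ETHERS_FILE"
    # With ARP off the firewall no longer answers ARP requests either, so
    # each client also needs a static entry for the firewall's own MAC.
    ip link set dev "$LAN_IF" arp off
}
```

As the thread notes, this only pins which MAC may use which IP; a client that changes its own MAC address is not stopped by it.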
