Re: [fw-wiz] Static ARP firewall advice

From: Greg Dickinson (gdickinson_at_indiansprings.org)
Date: 04/09/04

    To: <firewall-wizards@honor.icsalabs.com>
    Date: Fri, 09 Apr 2004 16:16:52 -0500

    Thank you all for your advice.

    Yes, the new proxy server that I install will use authentication (ident
    for when they are using lab machines, and LDAP against eDirectory for
    dorm machines.)

    We had also realized that this would only be a stopgap measure against
    the brighter students - but we had to do something to maintain the
    integrity of the internet access :-) while not making it overly
    difficult for all involved.

    I hadn't thought about using PPPoE for dorm access. I may look into
    that when I upgrade the firewall to the latest version of OBSD.

    Thanks again.

    >>> Chuck Swiger <chuck@codefab.com> 04/09/04 8:51 AM >>>
    Greg Dickinson wrote:
    [ ... ]
    > I am currently in the process of reloading the proxy server to get it
    > off RH9, but in the interim I was wondering if there is an
    > easy/recommended way to accomplish this: I had the idea of adding static
    > ARP entries in the firewall so that only the specified Layer 3 addresses
    > that match the specified Layer 2 addresses can get through the firewall.
    > However (as you can imagine) this is a nightmare to maintain, as well
    > as difficult for the local administrator to add static ARP entries (he
    > has to add the addresses to /etc/rc.local and reboot the firewall
    > every time [yes, I know a reboot is not required...but it's simpler...
    > :-> ])

    On most systems, you should be adding IP-to-MAC mappings via /etc/ethers,
    and disabling ARP on that particular network interface. While you can
    accomplish what you've asked for and it will work to some extent, you'll
    discover that clever students can also change their MAC addresses, too.

    Better approaches would be to switch to using authenticating proxy servers
    for traffic (i.e., squid for HTTP/HTTPS), or to require students to use
    PPPoE in order to get a connection (which will use an authentication
    mechanism that's not trivial to spoof).

    -- 
    -Chuck
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
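Chuck's /etc/ethers approach, written up as an added example that is not code from this thread: a small Python audit that reads an ethers-style authorized list, parses `arp -an` output and flags hosts whose observed MAC differs from the authorized one or that are not listed at all, which is the check you want once you accept that MAC addresses can be changed. The file contents, the `arp -an` line format and the interface name em0 are constructed assumptions.

```python
import re

# Constructed /etc/ethers-style authorized list ("<MAC> <IP>" per line).
ETHERS = """\
# lab machines
00:11:22:33:44:01 10.1.0.10
00:11:22:33:44:02 10.1.0.11
00:11:22:33:44:03 10.1.0.50
"""

# Constructed `arp -an` output (Linux-style formatting assumed): 10.1.0.11 answers
# from an unlisted MAC and 10.1.0.77 is not in the ethers file at all.
ARP_TABLE = """\
? (10.1.0.10) at 00:11:22:33:44:01 [ether] on em0
? (10.1.0.11) at de:ad:be:ef:00:01 [ether] on em0
? (10.1.0.50) at 00:11:22:33:44:03 [ether] PERM on em0
? (10.1.0.77) at 00:11:22:33:44:99 [ether] on em0
? (10.1.0.78) at <incomplete> on em0
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$", re.I)
ARP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\) at ([0-9a-f:]{17})", re.I)

def parse_ethers(text):
    """Return {ip: mac} from ethers text, skipping comments; malformed MACs
    and duplicate IPs are rejected so a typo cannot silently open a hole."""
    bindings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        mac, ip = line.split()
        if not MAC_RE.match(mac):
            raise ValueError("bad MAC in ethers: %s" % mac)
        if ip in bindings:
            raise ValueError("duplicate IP in ethers: %s" % ip)
        bindings[ip] = mac.lower()
    return bindings

def parse_arp(text):
    """Return {ip: mac} for resolved entries of `arp -an` output."""
    return {ip: mac.lower() for ip, mac in ARP_RE.findall(text)}

def audit(ethers_text, arp_text):
    """Return (mismatched, unknown): IPs answering from a MAC other than the
    authorized one, and IPs present in the ARP table but not in ethers."""
    allowed, seen = parse_ethers(ethers_text), parse_arp(arp_text)
    mismatched = sorted(ip for ip in seen if ip in allowed and seen[ip] != allowed[ip])
    unknown = sorted(ip for ip in seen if ip not in allowed)
    return mismatched, unknown
```

Run it from cron against the live `arp -an` output and you get the same kind of alert arpwatch would raise, without hand-editing rc.local.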
    
