Yes, you can switch your MAC and IP and gain access the same as what that MAC and IP were using before. But I can't think of any outside solutions (non-local to the computer changing the MAC / IP) that could enforce restrictions. Basically you're the same device as what was just using those MAC / IP.

On topic again. I have successfully created a set of iptables rules that enforce IPs to MACs (only to the pool level), and I already have a mechanism that automates the process to my requirements. If anyone is interested, in /etc/sysconfig/scripts/SuSEfirewall2-custom, inside fw_custom_before_masq():

    # Rules are appended in order, so the MAC-bound ACCEPT has to stay above the DROPs below.
    # To allow specific access to a MAC and ensure it is on a specific network (stop static IP)
    iptables -A INPUT -j ACCEPT -s 10.10.10.0/24 -m mac --mac-source 00:17:42:8E:F4:32

    # To allow the unregistered range to talk to all services on the server
    iptables -A INPUT -j ACCEPT -s 10.0.0.0/24 -d 172.16.1.1/32
    iptables -A INPUT -j ACCEPT -s 10.0.0.0/24 -d 10.10.10.1/32

    # To deny the unregistered range talking to any registered ranges
    iptables -A INPUT -j DROP -s 10.0.0.0/24 -d 172.16.1.0/24
    iptables -A INPUT -j DROP -s 10.0.0.0/24 -d 10.10.10.0/24

    # To deny registered traffic by default (stop static IP)
    iptables -A INPUT -j DROP -s 10.10.10.0/24
    iptables -A INPUT -j DROP -s 172.16.1.0/24

I have (just for testing purposes) the 172.16.1.0/24 range as a routed pool and the other two as a NATted pool. The 10.0.0.0/24 range is an unregistered client range that is only masqueraded for communication on DHCP, DNS, and port 80. I then force a redirect from port 80 to port 3128 and, using squid/squidGuard, force it through the local web server, where they will be required to register. The registration process then updates and moves them to a registered pool. It's all tested out by hand and works exactly how I need it.

-- Regards, Shawn Holland

On Tue, 2008-05-13 at 16:36 +0200, jdd sur free wrote:
Carlos E. R. wrote:
- If the PC has the proper MAC, the DHCP gives the correct IP.
- If the user sets another MAC, the switch denies entry.
In wireless (and it's enough that some part of the net is wireless) you can do:
Listen to the net. Every wireless device *has* to announce its MAC. The others too, to have a DHCP answering...
Wait for this station to stop (evening or weekend).
Connect wireless with *this* MAC... you are in.
Of course this doesn't take account of the password. A WEP password can be (automatically) found in minutes. WPA is said to be secure...
jdd
-- Jean-Daniel Dodin Président du CULTe www.culte.org
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
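Added example, not Shawn's own automation: a small POSIX sh script that builds the registered/unregistered pool rules from a registration table instead of hand-editing fw_custom_before_masq(). The pool addresses, the port-80 to 3128 redirect and the rule structure follow the post; everything else is an assumption made here: the registry is a "MAC IP" text file (constructed inline below), each client is bound to its assigned /32 rather than to the whole pool (one step tighter than the pool-level rules in the post), and the gateway's own addresses are 10.10.10.1 and 172.16.1.1. It also includes an order check, because the whole scheme depends on the per-MAC ACCEPTs sitting above the pool-level DROPs.

```shell
#!/bin/sh
# Added example, not the poster's script. Generates the captive-portal
# iptables rules from a registration table.
# Assumptions (not from the post): registry file format is "MAC IP" per
# line; clients are bound to their /32; SERVER_IPS are the gateway's own.

REGISTERED_POOLS="10.10.10.0/24 172.16.1.0/24"   # routed + NATted registered pools
UNREG_POOL="10.0.0.0/24"                         # unregistered clients
SERVER_IPS="10.10.10.1 172.16.1.1"               # gateway addresses (assumed)
PROXY_PORT=3128                                  # squid, reached via port-80 redirect

# One ACCEPT per client: the packet must carry both the registered IP and the
# registered MAC. Caveat: -m mac only sees the MAC of the last hop, so this
# works on the gateway's own L2 segment, and (as the thread says) it does not
# stop a host that clones a registered MAC/IP pair.
rule_for_client() {   # $1 = MAC, $2 = IP
  printf 'iptables -A INPUT -j ACCEPT -s %s/32 -m mac --mac-source %s\n' "$2" "$1"
}

# Read "MAC IP" lines (blank lines and '#' comments skipped), validate both
# fields, print the complete rule list to stdout. Returns 1 if any line was
# rejected, so a broken registry never silently drops a client.
gen_rules() {   # $1 = registry file
  bad=0
  while read -r mac ip rest; do
    case "$mac" in ''|'#'*) continue ;; esac
    if ! printf '%s' "$mac" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
      echo "registry: bad MAC '$mac'" >&2; bad=1; continue
    fi
    if ! printf '%s' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
      echo "registry: bad IP '$ip' for $mac" >&2; bad=1; continue
    fi
    rule_for_client "$mac" "$ip"
  done < "$1"
  # Unregistered clients may talk to the gateway itself (DHCP, DNS, portal)...
  for s in $SERVER_IPS; do
    printf 'iptables -A INPUT -j ACCEPT -s %s -d %s/32\n' "$UNREG_POOL" "$s"
  done
  # ...but not to anything inside a registered pool.
  for p in $REGISTERED_POOLS; do
    printf 'iptables -A INPUT -j DROP -s %s -d %s\n' "$UNREG_POOL" "$p"
  done
  # Default deny for the registered pools: a static IP without a matching MAC
  # never hit an ACCEPT above, so it lands here.
  for p in $REGISTERED_POOLS; do
    printf 'iptables -A INPUT -j DROP -s %s\n' "$p"
  done
  # Captive portal: unregistered web traffic is redirected to squid.
  printf 'iptables -t nat -A PREROUTING -s %s -p tcp --dport 80 -j REDIRECT --to-ports %s\n' \
    "$UNREG_POOL" "$PROXY_PORT"
  return $bad
}

# Order check on a generated rule list (stdin): the first per-MAC ACCEPT must
# precede the first pool-level default DROP, or registered clients are cut off.
rule_order_ok() {
  awk '/--mac-source/ { if (!a) a = NR }
       /-j DROP -s [0-9.]+\/24$/ { if (!d) d = NR }
       END { exit !(a && d && a < d) }'
}

# Constructed sample registry (the first MAC is the one quoted in the post).
REGISTRY=$(mktemp)
cat > "$REGISTRY" <<'EOF'
# MAC                IP
00:17:42:8E:F4:32    10.10.10.20
00:1b:21:aa:bb:cc    172.16.1.50
EOF

# Dry run: print the rules. To apply them, pipe the output into sh as root,
# or paste it into fw_custom_before_masq().
gen_rules "$REGISTRY"
```

The script only prints; nothing is applied until the output is fed to a shell, which keeps a typo in the registry from flushing live rules. The `-m mac` match is an INPUT/FORWARD/PREROUTING-only match on the source hardware address of the frame as received, so it says nothing about clients behind another router and, as jdd's reply points out, nothing about a client that has copied a registered MAC and IP.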