John Andersen wrote:
On Mon, May 12, 2008 at 1:48 PM, Sam Clemens wrote:
Shawn Holland wrote:
Hi,
My current setup has multiple IP ranges where I use MAC filtering to specify what IP ranges specific computers will get. The same server will be the gateway to the Internet. What I am looking for is a way to enforce specific MAC addresses to only be allowed to use specific IPs. Like I said above, I have it locked down in DHCP, but it's a simple matter of setting a static IP to bypass the DHCP server. I have been reading through SuSEfirewall2 and haven't found anything apparent that I could use to enforce this.
Can anyone point me in the right direction on how to use iptables / SuSEfirewall2 to only permit traffic from a MAC address when it's using a specific IP or IP range?
With the amount of work it requires to get the MAC address of a specific machine, why don't you just NOT USE DHCP and assign each machine a static address?
Unless you're constantly shuffling their IP addresses by hand, that would seem to be the simple, effective solution.
Using DHCP to make static addresses is like driving a tractor-trailer truck to borrow a cup of sugar from your neighbor.
1) First, assigning static IPs does not help him control who uses what IP to gain access to a specific route. Any user could simply reset his own IP.
2) Second, it's only EASY to get all IPs if your shop is very small and the hardware is very stable.
3) Running a DHCP server is not inefficient, as you imply. It uses virtually no resources and is drop-dead simple to set up and maintain.
I wasn't talking about CPU resources, I was talking about HIM... having to go around from machine to machine to collect MAC addresses... and then type them in.
Besides, an in-house DHCP server has many additional side benefits beyond just handing out IPs. If any roaming laptops are involved, you will find a great deal of resistance from users who don't want to convert back and forth from static to dynamic each time the machine enters or leaves the premises.
Further, with a DHCP server you can do nifty things like split DNS, so things like your internal IMAP server appear at the appropriate interface depending on where you are (inside or outside). Same for company web servers.
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
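What Shawn asked for in the original post (permit traffic from a MAC address only when it carries its assigned IP or range) can be done on the gateway with the iptables `mac` match, which is available in the PREROUTING, INPUT and FORWARD chains. The script below is an added example, not something posted in the thread and not part of SuSEfirewall2; it generates the rules from a MAC-to-IP table so they can be reviewed and then loaded as root (for SuSEfirewall2 that normally means putting them in its custom rules hook script rather than running them by hand). The interface name eth1, the addresses and the MAC table are all assumptions constructed for the example. Two caveats a practitioner should keep in mind: the source MAC is only visible for frames that arrive on a directly attached interface (anything coming through another router carries that router's MAC), and a MAC is trivially changed by the user, so this raises the bar but is not a strong identity check.

```shell
#!/bin/sh
# Added example (not from the thread): emit iptables rules that bind each
# LAN-side MAC address to the IP address or range it is allowed to use, and
# drop any other IP traffic arriving on the LAN interface of the gateway.
#
# Assumptions (constructed for this example, edit to taste): the LAN is on
# eth1 and the MAC/IP table below is yours.  The script only prints the
# commands; run it as "sh mac-ip-rules.sh | sudo sh" to actually load them.

LAN_IF=eth1

# Constructed mapping, one "<mac> <ip-or-cidr>" pair per line.
MAC_MAP='
00:11:22:33:44:55 192.168.1.10
00:11:22:33:44:66 192.168.1.0/28
'

# Print the rule that lets one MAC/IP pair through (RETURN from the
# MACBIND chain means "this packet is fine, continue with the normal
# INPUT/FORWARD rules").
mac_ip_rule() {
    mac="$1"
    src="$2"
    printf 'iptables -A MACBIND -i %s -m mac --mac-source %s -s %s -j RETURN\n' \
        "$LAN_IF" "$mac" "$src"
}

# Print the complete rule set.  All binding rules live in a dedicated chain
# so the set can be flushed and reloaded without touching other firewall rules.
gen_mac_ip_rules() {
    # Create the chain, or flush it if a previous run already created it.
    printf 'iptables -N MACBIND 2>/dev/null || iptables -F MACBIND\n'

    # A host that has no address yet sends its DHCP DISCOVER/REQUEST from
    # 0.0.0.0, which cannot match any MAC/IP pair, so let it reach the DHCP
    # server; the MAC filtering in dhcpd then decides what it gets.
    printf 'iptables -A MACBIND -i %s -s 0.0.0.0 -p udp --dport 67 -j RETURN\n' "$LAN_IF"

    # One allow rule per MAC/IP pair from the table; skip blank lines.
    printf '%s\n' "$MAC_MAP" | while read -r mac src; do
        [ -n "$mac" ] || continue
        mac_ip_rule "$mac" "$src"
    done

    # Everything else from the LAN side (unknown MAC, or a known MAC using an
    # IP it was not assigned) is dropped.
    printf 'iptables -A MACBIND -i %s -j DROP\n' "$LAN_IF"

    # Hook the chain in front of INPUT (traffic to the gateway itself) and
    # FORWARD (traffic routed to the Internet) for packets arriving on the LAN.
    for chain in INPUT FORWARD; do
        printf 'iptables -I %s 1 -i %s -j MACBIND\n' "$chain" "$LAN_IF"
    done
}

gen_mac_ip_rules
```

Because the hook is placed on the interface rather than on the LAN subnet, a user who sets an address outside the configured ranges is still caught by the final DROP. The match is on the source MAC of the received frame, so the same rules cannot be used in OUTPUT or POSTROUTING, and they say nothing about hosts behind a second router on the LAN.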