Hi,
On May 13, 2009, at 10:03 PM, Brett Glass wrote:
Stefan:
You are correct: This is not real security. In fact, I would argue
that it's not security at all.
But many businesses that have to maintain hotspots -- especially
some hotel chains -- are "allergic" to any sort of serious security.
This is because a small but vocal subset of their customers just
want to get on the Net and complain about any sort of security. Even
having to enter a password or a WEP key irks them. (I personally
think that these people are ignorant fools and are setting
themselves up for identity theft and worse, but that's just me. And
the businesses seem more willing to allow piracy of their Wi-Fi than
to irritate these boneheads.) Also, these systems have to be usable
by some fairly lame devices -- e.g. an XBox -- that aren't really
computers and don't have the capability to run secure protocols or
even a particularly good Web browser built in.
So, painful as it is, I have to help these guys implement systems
which "bless" MAC addresses. The "arp -s" command can sort of lock
an IP to a MAC address, but awkwardly and only for outbound packets.
What I'd like is to get this into the firewall, so I can not only
block spoofing but trigger a log entry when it happens.
I think /usr/ports/net-mgmt/arpwatch will be helpful then, though I
never used it on wireless.
Not that I understand how "knowing" a MAC address is easier for
customers than a WPA2 password ;)
--Brett
At 12:46 PM 5/13/2009, Stefan Lambrev wrote:
Hi,
arp -S (or -s) is not helping?
Keep in mind that this is not real security, as it's very easy to
change your MAC.
On May 13, 2009, at 7:48 PM, Brett Glass wrote:
I need to find a way to do "MAC address locking" in FreeBSD --
that is, to ensure that only a machine with a particular MAC
address can use a particular IP address. Unfortunately, it appears
that rules in FreeBSD's IPFW are "stuck" on one layer: rules that
look at Layer 2 information in a packet can't look at Layer 3, and
vice versa. Is there a way to work around this to do MAC address
locking and/or other functions that involve looking at Layer 2 and
Layer 3 simultaneously?
--Brett Glass
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
--
Best Wishes,
Stefan Lambrev
ICQ# 24134177
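The check asked for in the thread (log when a "blessed" IP shows up with a different MAC) can also be done outside the firewall, in the way arpwatch-style monitoring does. The following is an added example, not code from the thread or from arpwatch: it compares `arp -an` output against a table of blessed bindings. The sample ARP lines, the addresses, and the names `BLESSED` and `check_bindings` are constructed for illustration.

```python
import re

# Constructed sample in the format printed by FreeBSD `arp -an`.
SAMPLE_ARP_OUTPUT = """\
? (192.168.1.10) at 00:11:22:33:44:55 on em0 expires in 1187 seconds [ethernet]
? (192.168.1.11) at 00:11:22:33:44:66 on em0 expires in 903 seconds [ethernet]
? (192.168.1.12) at 00:11:22:33:44:55 on em0 expires in 1140 seconds [ethernet]
? (192.168.1.13) at (incomplete) on em0 expired [ethernet]
? (192.168.1.14) at 0:A:b:c:d:e on em0 expires in 20 seconds [ethernet]
"""

# Hypothetical table of "blessed" IP -> MAC bindings (constructed values).
BLESSED = {
    "192.168.1.10": "00:11:22:33:44:55",
    "192.168.1.11": "00:11:22:33:44:77",
    "192.168.1.14": "00:0a:0b:0c:0d:0e",
}

ARP_LINE = re.compile(r"\((?P<ip>[0-9.]+)\) at (?P<mac>[0-9A-Fa-f:]+) on (?P<ifc>\S+)")


def normalize_mac(mac):
    """Lower-case and zero-pad each octet so 0:A:b:... equals 00:0a:0b:..."""
    octets = mac.split(":")
    if len(octets) != 6:
        raise ValueError(f"not a 6-octet MAC address: {mac!r}")
    return ":".join(f"{int(o, 16):02x}" for o in octets)


def parse_arp(text):
    """Yield (ip, mac, interface) for every resolved entry; '(incomplete)' is skipped."""
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            yield m["ip"], normalize_mac(m["mac"]), m["ifc"]


def check_bindings(arp_text, blessed):
    """Return findings for IPs seen with an unexpected MAC or with no binding at all."""
    expected = {ip: normalize_mac(mac) for ip, mac in blessed.items()}
    findings = []
    for ip, mac, ifc in parse_arp(arp_text):
        if ip not in expected:
            findings.append(("unregistered-ip", ip, mac, ifc))
        elif expected[ip] != mac:
            findings.append(("mac-mismatch", ip, mac, ifc))
    return findings


if __name__ == "__main__":
    for kind, ip, mac, ifc in check_bindings(SAMPLE_ARP_OUTPUT, BLESSED):
        print(f"{kind}: {ip} seen at {mac} on {ifc}")
```

A check like this flags a blessed IP that appears with a different MAC; a client that clones a blessed MAC together with its IP produces no finding, which is the limitation already raised in the thread.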