[1900] in linux-security and linux-alert archive


[linux-security] Re: Ethernet card addr <-> IP

daemon@ATHENA.MIT.EDU (Andrew S. Prior)
Fri Jun 19 02:21:10 1998

Date: 	Wed, 17 Jun 1998 12:30:42 -0400
From: "Andrew S. Prior" <andrew@cs.toronto.edu>
To: Richard Hakim <richard@kokoro.com>
cc: linux-security@redhat.com
In-Reply-To: <Pine.LNX.3.96.980616175000.1160A-100000@kokoro>
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com

> Someone I'm working with has a requirement to map ethernet card addresses
> to unique IP addresses,

  Would DHCP be OK?  Otherwise you're likely stuck with doing things
manually for each client.

> and then have a Linux IP masquerade server know of
> this mapping list and not allow any data to pass from any ethernet card
> that a) it doesn't know about, or b) isn't assigned the right IP.  Ideally
> it would also log this condition.

  Adding routes as needed would work, as suggested by somebody else
earlier.  If the linux box is being the gateway (I'm assuming it is since
you're talking about masquerading) then you could do what I've done if
it's OK for the bad client to connect but you find out about it.  I use
the ISC DHCP server for our residence network, and have a utility that
checks the ARP table against the valid leases and other "expected" machines.
It does this every 30 seconds and sends me e-mail if a computer shows up
using the wrong IP/MAC address combination or without a valid lease.
I get mail when the computer shows up and then when it goes away again.

  I've also written a different utility that uses SNMP to find out what MAC
addresses are connected to which port on the hubs, so if somebody starts
doing nasty things we can go knock on their door.  This one just logs any
changes it sees to the MAC address/hub port pairs.

> Does such a thing exist?  Or, alternatively, would such a module be
> difficult to write?
  I played around with the idea of adding routes to the routing tables as
leases were given out, but couldn't figure out how to do it fast enough
so that computers that are turned on don't take several minutes to be
able to communicate.  If you use leases of a day or more and are willing to
go with DHCP, I would suggest using the leases file to manipulate the
routing tables.

							Andrew
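A sketch of the lease-versus-ARP comparison Andrew describes, as an added example that is neither his utility nor ISC DHCP code: it parses ISC dhcpd.leases records and a /proc/net/arp listing (both constructed here), treats a hypothetical EXPECTED table as the "other expected machines", and reports hosts with no live lease, hosts using a MAC that is leased to another IP, and IPs answering from the wrong MAC. The check time, addresses and record layout are assumptions; on a real gateway the two texts would be read from the live dhcpd.leases file and /proc/net/arp on each 30-second pass and the alerts mailed out.

```python
import re
from datetime import datetime
# Constructed dhcpd.leases text (ISC format, UTC); later records for an IP override earlier ones.
SAMPLE_LEASES = """\
lease 192.168.1.10 {
  ends 4 1998/06/18 16:30:42;
  hardware ethernet 00:A0:C9:12:34:56;
}
lease 192.168.1.11 {
  ends 3 1998/06/17 16:32:00;
  hardware ethernet 00:a0:c9:aa:bb:cc;
}
"""
# Constructed sample in /proc/net/arp layout (flags 0x2 = complete, 0x0 = unresolved).
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.10     0x1         0x2         00:a0:c9:ff:ff:ff     *        eth0
192.168.1.11     0x1         0x2         00:a0:c9:aa:bb:cc     *        eth0
192.168.1.1      0x1         0x2         00:a0:c9:00:00:01     *        eth0
192.168.1.13     0x1         0x2         00:a0:c9:12:34:56     *        eth0
"""
EXPECTED = {"192.168.1.1": "00:a0:c9:00:00:01"}  # hypothetical static hosts (the gateway)
NOW = datetime(1998, 6, 17, 17, 0, 0)             # constructed check time, UTC
def active_leases(text, now):
    # Return {ip: mac} for lease records whose "ends" time has not yet passed.
    leases = {}
    for ip, body in re.findall(r"lease (\S+) \{(.*?)\}", text, re.S):
        mac = re.search(r"hardware ethernet (\S+);", body)
        ends = re.search(r"ends (never|\d (\S+ \S+));", body)  # "ends W YYYY/MM/DD HH:MM:SS"
        if not mac or not ends:
            continue                          # skip records lacking either field
        if ends.group(1) == "never" or datetime.strptime(ends.group(2), "%Y/%m/%d %H:%M:%S") > now:
            leases[ip] = mac.group(1).lower()
        else:
            leases.pop(ip, None)              # an expired record supersedes an earlier live one
    return leases
def check_arp(arp_text, leases, expected):
    # Flag complete ARP entries whose IP/MAC pair is neither a live lease nor an expected host.
    allowed = {**expected, **leases}
    owner = {mac: ip for ip, mac in allowed.items()}
    alerts = []
    for line in arp_text.strip().splitlines()[1:]:
        ip, _, flags, mac = line.lower().split()[:4]
        if flags == "0x0" or allowed.get(ip) == mac:
            continue                          # unresolved entry, or the pair is legitimate
        why = ("wrong MAC, lease holds " + allowed[ip] if ip in allowed else
               "no valid lease, MAC leased to " + owner[mac] if mac in owner else "no valid lease, unknown MAC")
        alerts.append((ip, mac, why))
    return alerts
```

Running the two functions on the samples flags three entries: .10 answering from the wrong MAC, .11 whose lease has expired, and .13 using the MAC that is leased to .10.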

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe:
  mail -s unsubscribe linux-security-request@redhat.com < /dev/null

