-----BEGIN PGP SIGNED MESSAGE-----

Hi everyone -

Someone I'm working with has a requirement to map ethernet card addresses to unique IP addresses, and then have a Linux IP masquerade server know of this mapping list and not allow any data to pass from any ethernet card that a) it doesn't know about, or b) isn't assigned the right IP. Ideally it would also log this condition.

Does such a thing exist? Or, alternatively, would such a module be difficult to write?

Thanks for any help/advice,

Richard Hakim

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQCVAwUBNYaweRtDLhF9q3BlAQHoJQP/YaO1Upd4vlObrwGFFAoGgMNYPInBQkJs
u7R39INxZR5bnrDfhQC4OQKpK0tY97/rTKtwDDAOaP77Fl6UVZ0yYAaNMYxL+5T1
vy1a4QAIUn2UCR8Vc1MX2liV0s3fWRzkj2rpjWguwS2ADEU+JU+xKzohj+baG41n
eygjXVpMbKY=
=VAUo
-----END PGP SIGNATURE-----
Richard Hakim wrote:
> Hi everyone -
>
> Someone I'm working with has a requirement to map ethernet card addresses
> to unique IP addresses, and then have a Linux IP masquerade server know of
> this mapping list and not allow any data to pass from any ethernet card
> that a) it doesn't know about, or b) isn't assigned the right IP. Ideally
> it would also log this condition.

Ifconfig your ethernet with the noarp option. Add static (but not public) arp entries for your hosts. Bingo!

Roger.

-- 
Actor asks a colleague: "To what do you owe your success in acting?"
Answer: "Honesty. Once you've learned how to fake that, you've got it made."
-------- Custom Linux device drivers for sale! Call for a quote. ----------
Email: R.E.Wolff@BitWizard.nl || Tel: +31-15-2137555 || FAX: +31-15-2138217
> Someone I'm working with has a requirement to map ethernet card addresses
> to unique IP addresses,

Would DHCP be OK? Otherwise you're likely stuck with doing things manually for each client.

> and then have a Linux IP masquerade server know of
> this mapping list and not allow any data to pass from any ethernet card
> that a) it doesn't know about, or b) isn't assigned the right IP. Ideally
> it would also log this condition.

Adding routes as needed would work, as suggested by somebody else earlier. If the linux box is being the gateway (I'm assuming it is since you're talking about masquerading) then you could do what I've done if it's OK for the bad client to connect but you find out about it.

I use the ISC DHCP server for our residence network, and have a utility that checks the ARP table against the valid leases and other "expected" machines. It does this every 30 seconds and sends me e-mail if a computer shows up using the wrong IP/MAC address combination or without a valid lease. I get mail when the computer shows up and then when it goes away again.

I've also written a different utility that uses SNMP to find out what MAC addresses are connected to which port on the hubs, so if somebody starts doing nasty things we can go knock on their door. This one just logs any changes it sees to the MAC address/hub port pairs.

> Does such a thing exist? Or, alternatively, would such a module be
> difficult to write?

I played around with the idea of adding routes to the routing tables as leases were given out, but couldn't figure out how to do it fast enough so that computers that are turned on don't take several minutes to be able to communicate. If you use leases of a day or more and are willing to go with DHCP, I would suggest using the leases file to manipulate the routing tables.

Andrew
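The ARP-table audit Andrew describes, written out as an added example (not code from the thread or from Andrew's utility): it parses a /proc/net/arp snapshot and an ISC dhcpd.leases excerpt, both constructed here, treats a lease as valid only while its `ends` time is still in the future, and reports every complete ARP entry that is not backed, with the same MAC, by a valid lease or by a static table of hosts that never take a lease. All addresses, the EXPECTED table and the 1998 "now" timestamp are assumptions chosen to match the sample data.

```python
"""Poll-style audit of the kernel ARP table against ISC dhcpd leases and
a static list of expected hosts.  Flags any complete ARP entry that has no
valid lease or expected entry, or whose MAC differs from the one on file."""
import re
from datetime import datetime

# Constructed /proc/net/arp snapshot; not captured from a real host.
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
10.1.0.10        0x1         0x2         00:A0:C9:11:22:33     *        eth0
10.1.0.11        0x1         0x2         00:a0:c9:44:55:66     *        eth0
10.1.0.12        0x1         0x2         00:a0:c9:77:88:99     *        eth0
10.1.0.20        0x1         0x0         00:00:00:00:00:00     *        eth0
10.1.0.1         0x1         0x2         00:60:08:aa:bb:cc     *        eth0
"""

# Constructed dhcpd.leases excerpt; dhcpd records times in UTC.
SAMPLE_LEASES = """\
lease 10.1.0.10 {
  starts 3 1998/06/17 08:00:00;
  ends 4 1998/06/18 08:00:00;
  hardware ethernet 00:a0:c9:11:22:33;
}
lease 10.1.0.11 {
  starts 3 1998/06/17 08:00:00;
  ends 4 1998/06/18 08:00:00;
  hardware ethernet 00:a0:c9:de:ad:01;
}
lease 10.1.0.12 {
  starts 3 1998/06/10 08:00:00;
  ends 4 1998/06/11 08:00:00;
  hardware ethernet 00:a0:c9:77:88:99;
}
"""

# Hosts that never take a lease (router, servers); assumed ip -> mac values.
EXPECTED = {"10.1.0.1": "00:60:08:aa:bb:cc"}

ATF_COM = 0x2  # Linux ARP flag: entry is complete and carries a real MAC
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
ENDS_RE = re.compile(r"ends\s+\d\s+(\S+ \S+);")
HW_RE = re.compile(r"hardware ethernet\s+([0-9A-Fa-f:]+);")


def parse_arp_table(text):
    """Return {ip: mac} for complete entries; incomplete ones are skipped."""
    table = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) >= 4 and int(fields[2], 16) & ATF_COM:
            table[fields[0]] = fields[3].lower()
    return table


def parse_leases(text, now):
    """Return {ip: mac} for leases still valid at `now`.  dhcpd appends
    records, so a later record for the same IP supersedes an earlier one."""
    valid = {}
    for ip, body in LEASE_RE.findall(text):
        ends, hw = ENDS_RE.search(body), HW_RE.search(body)
        if not ends or not hw:
            continue
        if datetime.strptime(ends.group(1), "%Y/%m/%d %H:%M:%S") > now:
            valid[ip] = hw.group(1).lower()
        else:
            valid.pop(ip, None)  # released or expired: drop any earlier record
    return valid


def audit(arp, leases, expected):
    """Return sorted (ip, mac, reason) findings for ARP entries that are not
    backed, with that MAC, by a valid lease or an expected static entry."""
    findings = []
    for ip, mac in arp.items():
        want = expected.get(ip, leases.get(ip))
        if want is None:
            findings.append((ip, mac, "no valid lease and not an expected host"))
        elif want != mac:
            findings.append((ip, mac, "MAC mismatch, expected " + want))
    return sorted(findings)


def run_sample(now=datetime(1998, 6, 17, 12, 0, 0)):
    """Audit the embedded samples as of `now` (a 1998 timestamp to match them)."""
    return audit(parse_arp_table(SAMPLE_ARP),
                 parse_leases(SAMPLE_LEASES, now), EXPECTED)


if __name__ == "__main__":
    # A real deployment reads /proc/net/arp and dhcpd.leases every 30 seconds
    # and mails only findings that appeared or vanished since the last pass.
    for ip, mac, reason in run_sample():
        print("%s %s: %s" % (ip, mac, reason))
```

On the sample data the audit reports 10.1.0.11 (seen with a different MAC than its lease records) and 10.1.0.12 (its lease expired a week earlier); the incomplete entry for 10.1.0.20 carries no MAC and is ignored rather than reported. To get the "shows up / goes away" mail Andrew mentions, keep the previous pass's findings and mail only the set difference in each direction.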
On Tue, 16 Jun 1998, Richard Hakim wrote:

> Someone I'm working with has a requirement to map ethernet card addresses
> to unique IP addresses, and then have a Linux IP masquerade server know of
> this mapping list and not allow any data to pass from any ethernet card
> that a) it doesn't know about, or b) isn't assigned the right IP. Ideally
> it would also log this condition.

Hardwire the arp table with arp -s for each card/address. Use ipfwadm to allow input on eth0 from the known addresses, and deny with logging input from any other IPs. Shouldn't be at all difficult.

Here's another IP Masq question. Has anyone ever set up a Masq gateway such that depending on the remote address, either masquerading or routing is done? I think I can do this by having accept forwarding rules for a few remote destinations and a masq rule for all others (0.0.0.0/0). Shouldn't be a problem... I just wonder if it's been done.

------------------------------------------------------------------
Jon Lewis <jlewis@fdt.net>   | Spammers will be winnuked or
Network Administrator        | drawn and quartered...whichever
Florida Digital Turnpike     | is more convenient.
______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____
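Jon Lewis' recipe (arp -s per host, ipfwadm accept rules for the known IPs, deny-with-log for the rest) as an added example that is not code from the thread. It is written in Python so that it emits the command lines for review instead of running them on a live gateway: it reads a constructed "<mac> <ip>" mapping, rejects malformed and duplicate entries, and produces the commands in the order ipfwadm needs, with the per-host accept rules before the catch-all deny. The interface name eth0 and all addresses are assumptions; the flags used are the ipfwadm ones for 2.0 kernels (-I input chain, -W receiving interface, -S source, -o log, -f flush).

```python
"""Generate the commands for the arp -s / ipfwadm recipe above from a
MAC -> IP mapping, so the rule set can be reviewed before it is loaded.
Order matters for ipfwadm: the per-host accept rules must precede the
catch-all deny-with-log rule."""
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed mapping file: "<mac> <ip>" per line, '#' starts a comment.
SAMPLE_MAPPING = """\
# hardware address     ip
00:A0:C9:11:22:33      10.1.0.10
00:a0:c9:44:55:66      10.1.0.11
00:60:08:aa:bb:cc      10.1.0.1    # router
"""


def parse_mapping(text):
    """Return [(mac, ip)] pairs; reject malformed lines and duplicates, since a
    MAC or IP listed twice would silently admit a second host."""
    pairs, seen_macs, seen_ips = [], set(), set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError("line %d: expected '<mac> <ip>'" % lineno)
        mac, ip = parts[0].lower(), parts[1]
        if not MAC_RE.match(mac):
            raise ValueError("line %d: bad MAC %r" % (lineno, parts[0]))
        ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
        if mac in seen_macs or ip in seen_ips:
            raise ValueError("line %d: duplicate MAC or IP" % lineno)
        seen_macs.add(mac)
        seen_ips.add(ip)
        pairs.append((mac, ip))
    return pairs


def build_commands(pairs, iface="eth0"):
    """Emit arp(8) and ipfwadm(8) commands: a static ARP entry and an input
    accept rule per known host, then deny-with-log (-o) for everything else
    arriving on the inside interface."""
    cmds = ["ipfwadm -I -f"]  # flush the existing input rules first
    for mac, ip in pairs:
        cmds.append("arp -i %s -s %s %s" % (iface, ip, mac))
        cmds.append("ipfwadm -I -a accept -W %s -S %s/32" % (iface, ip))
    cmds.append("ipfwadm -I -a deny -W %s -S 0.0.0.0/0 -o" % iface)
    return cmds


if __name__ == "__main__":
    # Pipe the output into sh on the gateway once it has been reviewed.
    print("\n".join(build_commands(parse_mapping(SAMPLE_MAPPING))))
```

The rules only bind to packets received on the named inside interface, so the gateway's other interfaces are untouched. Note what this does and does not check: the static ARP entries stop the gateway from learning a spoofed IP-to-MAC binding, and the input rules filter on source IP, but nothing here inspects the source MAC of the arriving frame, which is the gap the later replies in this thread discuss.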
linux-sec@xencat.demon.co.uk
1998-Jun-18 05:15 UTC
[linux-security] Re: Ethernet card addr <-> IP
On Wed, Jun 17, 1998 at 08:13:09AM +0200, Rogier Wolff wrote:
> Richard Hakim wrote:
> >
> > Hi everyone -
> >
> > Someone I'm working with has a requirement to map ethernet card addresses
> > to unique IP addresses, and then have a Linux IP masquerade server know of
> > this mapping list and not allow any data to pass from any ethernet card
> > that a) it doesn't know about, or b) isn't assigned the right IP. Ideally
> > it would also log this condition.
>
> Ifconfig your ethernet with the noarp option. Add static (but not
> public) arp entries for your hosts. Bingo!

Except, when someone does ifconfig eth0 hw ether {allowedhwaddress}, changes to the corresponding IP, and bingo, you talk to/use the IP masq server. I don't know how this would behave with two machines on the same ethernet with the same ip/hw address, but all you would have to do is wait until one of the allowed hosts is down.

But this is just an example of the problem of people using hw addresses for things they were not meant for, e.g. access control.

Oh, and if they can do that they can figure out the correct hw/ip pair with tcpdump etc.

> Roger.

murble
-- 
bill PGP [1024/5DC6EF85/93E5 E075 6F90 0530-8ECC 7E00 98BD D803]
bill@xencat.demon.co.uk or sometimes W.A.Boughton@herts.ac.uk
Glynn Clements wrote:
> Rogier Wolff wrote:
> > > Someone I'm working with has a requirement to map ethernet card addresses
> > > to unique IP addresses, and then have a Linux IP masquerade server know of
> > > this mapping list and not allow any data to pass from any ethernet card
> > > that a) it doesn't know about, or b) isn't assigned the right IP. Ideally
> > > it would also log this condition.
> >
> > Ifconfig your ethernet with the noarp option. Add static (but not
> > public) arp entries for your hosts. Bingo!
>
> That will stop people from hijacking packets using ARP spoofing, but I
> think that the original question was about doing it the other way
> around, i.e. ensuring that the *source* MAC address matches the
> *source* IP address. Can this be done?

My guess is "not by default". My hack above also doesn't work: this would disallow the server answering the arps from the client. I would have thought that a published arp would still get published, but I checked the source: no.

If you would want to do this, you would alas still have to hack a little at the source. The neatest option would be to split the NO_ARP option in "don't send arp requests" and "don't answer arp requests".

Let me reiterate: system admins fear most the attack that they themselves know how to perform. I see groups of sysops afraid of IP spoofing (these disallow "trusted hosts"). I see others afraid of packet loggers (these disallow "rsh" & friends).

If you make the server not arp for the clients, but instead use a static table, you make it one step harder for an attacker to put in a linux floppy and spoof a trusted host. (If you just use my hack above, you'll need to turn the interface promisc for it to work). If you complete the whole thing to check source ethernet addresses as well, you will require an attacker to add two lines to an ethernet driver before spoofing your server. (I know how to do THAT, so I'm not impressed by protection methods relying on this not being done).

Roger.

> -- 
> Glynn Clements <glynn@sensei.co.uk>

-- 
Actor asks a colleague: "To what do you owe your success in acting?"
Answer: "Honesty. Once you've learned how to fake that, you've got it made."
-------- Custom Linux device drivers for sale! Call for a quote. ----------
Email: R.E.Wolff@BitWizard.nl || Tel: +31-15-2137555 || FAX: +31-15-2138217
On Wed, 17 Jun 1998, Jon Lewis wrote:
> [ ... ]
>
> Here's another IP Masq question. Has anyone ever setup a Masq gateway
> such that depending on the remote address, either masquerading or routing
> is done? I think I can do this by having accept forwarding rules for a
> few remote destinations and a masq rule for all others (0.0.0.0/0).
> Shouldn't be a problem...I just wonder if it's been done.

In my network masquerading is set up exactly the way you propose and it works fine. Packets are masqueraded at backbone routers only if they are going outside the local network. Routes to 192.168. subnets are broadcast with high metric, so they don't get outside.

Greetings,

Szymon Juraszczyk, e-mail: jorgus@t19.ml.org
Network administrator in DS T-19, Wroclaw, Poland
Student of Software Engineering at Wroclaw University of Technology
On Wed, 17 Jun 1998, Jon Lewis wrote:
> Here's another IP Masq question. Has anyone ever setup a Masq gateway
> such that depending on the remote address, either masquerading or routing
> is done? I think I can do this by having accept forwarding rules for a
> few remote destinations and a masq rule for all others (0.0.0.0/0).
> Shouldn't be a problem...I just wonder if it's been done.

In many cases we've needed to write a forward/nomasq rule for routers that handle both internal and external traffic like this:

    ipfwadm -F -a accept -S 172.25.0.0/16 -D 172.25.0.0/16 -P all -b
    ipfwadm -F -a accept -m -S 172.25.0.0/16 -D 0/0 -P all -b

Otherwise the internal traffic gets masqueraded.

Peter

-----
Peter H. Lemieux, President
CYWAYS, Incorporated
21 Westchester Road, Newton, Massachusetts 02158 USA
Voice: (800) 5-CYWAYS (+1 617 796 8995)   Fax: (617) 796-8997
Web: http://www.cyways.com