Post subject: RE: MAC vs IP address check
Posted: 24.01.2007 - 19:50 #44809
Guru
Joined: Mar 13, 2005
Posts: 1867
Location: Nitra

pixall wrote: › airbilly wrote: › pixall wrote: › 100 records on 200 MHz machines (w4k) and a brutal load of 0.00...
On Wi-Fi networks it makes no sense; it is enough to put the device into WISP mode, not give the customer access to it, and there is no need to deal with any MAC/IP filter. They simply will not change that IP.
And what about the case when the client disconnects the device and puts in his own? Or what about an outright intruder?
He has no right to change the device; if he changes it, he has to clone the MAC in order to connect. By doing so, however, he breaks the terms. MAC control runs on the AP.
I think some MAC + IP filter will not hold back an intruder; he can easily capture the correct combination.

Post subject: RE: MAC vs IP address check
Posted: 24.01.2007 - 19:53 #44811
Guru
Joined: Mar 13, 2005
Posts: 1867
Location: Nitra

icerowicz wrote: ›
Yesterday it happened to me that a customer who had an IP assigned for his computer put a switch on the AP on his own, connected a notebook and gave it an IP one higher than the one on the computer. And a conflict in the network was born.
Precisely for these cases I run a DHCP server on every LAN and AP, followed by shaping that lets unregistered IPs through with only a little traffic, about 130 kbit, and the lowest priority.

Post subject: RE: MAC vs IP address check
Posted: 27.01.2007 - 19:00 #44899
Ucen
Joined: Apr 12, 2006
Posts: 930
Location: Vranov nad Topľou

I'm deploying IPsec. The end.

Post subject: RE: MAC vs IP address check
Posted: 11.10.2007 - 13:42 #57743
Basic
Joined: Feb 26, 2005
Posts: 140
Location: Pieštany, countryside

Hello, I have an IP filter set up on a Linux gateway like this:
Code:
iptables -A FORWARD -s 192.168.1.3 -i eth0 -j ACCEPT
iptables -A FORWARD -d 192.168.1.3 -j ACCEPT
The problem is that one user has started using another user's IP address, so I would like to extend the IP filter with the MAC address. It is clear to me that this can be bypassed too, but at least it will hold him up for a while. I would also like to extend iptables so that it sends the LOG to /usr/temp/

Post subject: RE: MAC vs IP address check
Posted: 11.10.2007 - 17:08 #57752
Basic
Joined: Feb 26, 2005
Posts: 140
Location: Pieštany, countryside

Solved
Code:
iptables -A FORWARD -m mac --mac-source XX:XX:XX:XX:XX:XX -s 192.168.1.3 -j ACCEPT
iptables -A FORWARD -m mac --mac-source YY:YY:YY:YY:YY:YY -s 192.168.1.4 -j ACCEPT
+ reading the correct MACs from the ARP table

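An added example, not part of any post in this thread: the approach from the post above (MAC+IP ACCEPT rules filled in from the ARP table) written as a script, extended beyond the post with closing LOG and DROP rules. The sample ARP data, the interface name and the log prefix are constructed; the ARP table only shows who currently claims an IP, so the snapshot has to be checked against the customer records before it is trusted.

```shell
#!/bin/sh
# Added example (not from the thread): turn an ARP snapshot into FORWARD rules
# that accept each IP only from the MAC it was seen with, then log and drop
# everything else arriving on that interface. Commands are printed, not run.

# Constructed sample in /proc/net/arp format (addresses are made up).
SAMPLE_ARP='IP address       HW type     Flags       HW address            Mask     Device
192.168.1.3      0x1         0x2         00:11:22:33:44:03     *        eth0
192.168.1.4      0x1         0x2         00:11:22:33:44:04     *        eth0
192.168.1.9      0x1         0x0         00:00:00:00:00:00     *        eth0
10.0.0.1         0x1         0x2         00:11:22:33:44:fe     *        eth1'

# gen_rules IFACE  (ARP table on stdin, iptables commands on stdout)
gen_rules() {
    awk -v ifc="$1" '
        NR == 1      { next }   # column header
        $6 != ifc    { next }   # entry learned on another interface
        $3 == "0x0"  { next }   # incomplete entry: no MAC was resolved
        length($4) != 17 || $4 == "00:00:00:00:00:00" { next }
        {
            printf "iptables -A FORWARD -i %s -s %s -m mac --mac-source %s -j ACCEPT\n", ifc, $1, $4
        }
        END {
            # "IPMAC-MISMATCH " is an assumed prefix; LOG goes to the kernel log.
            printf "iptables -A FORWARD -i %s -j LOG --log-prefix \"IPMAC-MISMATCH \"\n", ifc
            printf "iptables -A FORWARD -i %s -j DROP\n", ifc
        }'
}

# Review the output against the customer list before piping it to sh.
printf '%s\n' "$SAMPLE_ARP" | gen_rules eth0
```

The LOG target writes to the kernel log; sending those lines to a separate file is done in the syslog daemon's configuration, not in iptables.
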
Post subject: RE: MAC vs IP address check
Posted: 11.10.2007 - 22:16 #57761
Basic
Joined: Jul 04, 2007
Posts: 476

Robert wrote: › The question is how it is implemented in that system. Hopefully it uses some of those hash tables, or at least binary trees. If it had to be searched linearly, with 600 records it really would be a killer.
[spam]
It won't be hash tables, judging by what I read about how much it loads the processor, because with hashing the performance is better than with the most sophisticated tree structure; maybe it will be an array ADT, but even that should not load the machine that much
[/spam]

Post subject: RE: MAC vs IP address check
Posted: 16.01.2008 - 13:58 #60694
Ucen
Joined: Sep 06, 2004
Posts: 684
Location: border with Ukraine...

Code:
add chain="forward" src-address=192.168.2.x/32 src-mac-address=00:00:00:00:00:00 action=accept comment="Jmeno uživatele" disabled=no
Code:
add chain="forward" src-address=192.168.2.0/24 action=drop comment="Stop ostatni nezadane adresy" disabled=no
Could someone tell me how I should set this up? I have this topology
The problem is that if I make such a rule on the top left, it does not work for the subnet 192.168.0.x, only if I made it on the MK on the top right

Post subject: RE: MAC vs IP address check
Posted: 16.01.2008 - 14:28 #60695

You have to add input-interface to that rule, because otherwise it is applied to all interfaces.

Post subject: RE: MAC vs IP address check
Posted: 16.01.2008 - 14:32 #60696
Majster
Joined: Oct 31, 2006
Posts: 2062
Location: TT

Do it via mangling: mark the packets that satisfy MAC+IP, for example with the mark OK, likewise mark the packets from the individual subnets, i.e. also as OK, and then make a rule that drops everything that does not have the OK mark.

Post subject: RE: MAC vs IP address check
Posted: 16.01.2008 - 15:11 #60698
Ucen
Joined: Sep 06, 2004
Posts: 684
Location: border with Ukraine...

For andreas4all: it does not work this way, packets and bytes are still 0.
For Thomas: can you spell it out for me in more detail?

Post subject: RE: MAC vs IP address check
Posted: 16.01.2008 - 15:49 #60700
Majster
Joined: Oct 31, 2006
Posts: 2062
Location: TT

Mark with the tag OK the packets that satisfy the IP+MAC condition and enter on the interface TEST
Code:
add action=mark-packet chain=input comment="" \
in-interface=TEST new-packet-mark=OK passthrough=yes \
src-address=172.17.222.1 src-mac-address=AA:AA:AA:AA:AA:0A
Then drop what has no business being there, i.e. whatever does not have the tag OK and enters on the interface TEST
Code:
add action=drop chain=input comment="" disabled=no in-interface=TEST packet-mark=!OK
Of course, change the IPs and interface names as you need

Post subject: RE: MAC vs IP address check
Posted: 16.01.2008 - 15:59 #60701

to matos1 > interesting... then I don't know why people at our place cannot change their IP, seeing that it then stops working for them....
Code:
chain=forward action=accept in-interface=wlan_AP1 src-address=192.168.1.25 src-mac-address=MM:AA:CC:MM:AA:CC
and at the end a drop, or before that also logging, or adding to a src-list
Code:
;;; ADD_SRC-LIST_BAD_IPvsMAC
chain=forward action=add-src-to-address-list in-interface=wlan_AP1 address-list=BAD_IPvsMAC
address-list-timeout=1w3d
chain=forward action=log in-interface=wlan_AP1 log-prefix="BAD_IPvsMAC"
chain=forward action=drop in-interface=wlan_AP1

Post subject: RE: MAC vs IP address check
Posted: 16.01.2008 - 18:47 #60706
Ucen
Joined: Jan 15, 2005
Posts: 768

Why are you solving it in such a complicated way? A nicer solution is a static ARP table, and it does not needlessly load the CPU with so many FW rules

Post subject: RE: MAC vs IP address check
Posted: 16.01.2008 - 22:08 #60721

Lately I have been solving it the way lol does.

Post subject: RE: MAC vs IP address check
Posted: 16.01.2008 - 22:29 #60722
Majster
Joined: Oct 31, 2006
Posts: 2062
Location: TT

Well, I'm not really concerned about the processor; where possible we build the nodes on PCs, so there is enough headroom for such things, and on the main GW only NAT and shaping are done and the FUP script runs there