Trying to block a single MAC address using static arp...and failing badly (comp.unix.bsd.openbsd.misc, OpenBSD category)
I've got an OpenBSD 3.6 firewall (yea, old, will upgrade soon) and I'm trying to block one noodnik user from the network it controls. For a variety of reasons, it's going to be easiest to do this by targeting his MAC address (yea, I know they can be spoofed, but this guy isn't that clueful).

I'm trying a suggestion seen on some forums that suggests creating a static arp entry for that MAC and then making sure the new (bogus) IP it's assigned to is blocked by pf. The pf part is no trouble, but when I try the arp magic, I still (later) get an entry in the arp table for the user's original IP address, too, and he can still get access:

    # arp -d idiot1.internal        <- make sure he's not in the arp table under his original IP
    idiot1.internal (192.168.2.151) deleted
    # arp -s -F 192.168.250.250 00:f1:e2:9b:95:89 permanent pub        <- create the new static arp entry

(wait 10-15 seconds)

    # arp -a
    xy11.somenet.net (62.34.173.1) at 00:90:1a:04:a2:a2 on xl0
    idiot1.internal (192.168.2.151) at 00:f1:e2:9b:95:89 on rl0        <- what the ???
    (192.168.250.250) at 00:f1:e2:9b:95:89 on rl0 permanent static published

Notice that the last two entries have the same MAC address... no matter how many times I delete the first version, the guy always comes back under his original (static) IP - usually after 10 seconds or so - and has full access using his normal (static - 192.168.2.151) IP address.

In case it matters, the user is connecting via a wireless access point that's in bridging mode (not a router, otherwise I'd suppose I wouldn't see their MAC address come through).

Thoughts? Help?
On 2008-11-17, Jonathan Rogers <thatseattleguy@gmail.com> wrote:

> I've got an OpenBSD 3.6 firewall (yea, old, will upgrade soon) and I'm
> trying to block one noodnik user from the network it controls. For a
> variety of reasons, it's going to be easiest to do this by targeting
> his MAC address (yea, I know they can be spoofed, but this guy isn't
> that clueful).

[ ... ]

> Notice that the last two entries have the same MAC address...no matter
> how many times I delete the first version, the guy always comes
> back under his original (static) IP - usually after 10 seconds or so -
> and has full access using his normal (static - 192.168.2.151) IP
> address.

Hmm ... that static address is not going to change? Then block using it -- if nobody else is likely to get it. (Perhaps remove it from the list which DHCP will issue to others?)

Anyway -- once you are sure that it will always be him with that IP address, why not simply route him into oblivion?

    route add 192.168.2.151 127.0.0.1

so any packet which tries to reach him will instead dead-end at the system's loopback address. :-)

If he knows enough to change his IP address -- then it becomes more complex. Perhaps keep scanning (from a cron job) the DHCP log for his mac address, and re-route whatever he does get to 127.0.0.1 (freeing whatever you may already be blocking). This will let him have a few minutes of access, depending on how often you search the logs and update the blocking, but it will keep him from doing anything of any duration.

> In case it matters, the user is connecting via a wireless access point
> that's in bridging mode (not a router, otherwise I'd suppose I
> wouldn't see their MAC address come through).
>
> Thoughts? Help?

The above might work for you. Or someone else might come up with a way to do it with the older pf which you are running.

Good Luck,
DoN.

--
Email: <dnichols@d-and-d.com> | Voice (all times): (703) 938-4564
(too) near Washington D.C. | http://www.d-and-d.com/dnichols/DoN.html
--- Black Holes are where God is dividing by zero ---
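DoN's cron-job idea, worked through as an added shell example (mine, not part of the thread): find the newest DHCPACK dhcpd gave to the offending MAC, then move the loopback route from whatever address was blocked last time to the new one. The log path and line format ("DHCPACK on <ip> to <mac> ... via <iface>" in /var/log/daemon), the state file and the helper names are assumptions; the sample log lines are constructed. It only catches addresses dhcpd hands out: a host that configures 192.168.2.151 on itself, as in the original post, never appears in this log and has to be blocked by address.

```shell
#!/bin/sh
# Added example, not from the thread: re-route whatever address dhcpd last
# handed to a MAC into the loopback, as DoN suggests. Meant to run from cron,
# e.g.  */5 * * * * /usr/local/sbin/blackhole-mac.sh 00:f1:e2:9b:95:89
# Assumptions: OpenBSD dhcpd logs to /var/log/daemon with lines such as
#   "... dhcpd: DHCPACK on 192.168.2.177 to 00:f1:e2:9b:95:89 via rl0";
# STATEFILE and the helper names are mine. DRY_RUN=1 prints the route
# commands instead of running them.

LOGFILE="${LOGFILE:-/var/log/daemon}"
STATEFILE="${STATEFILE:-/var/db/blackhole-mac.state}"   # IP currently routed to lo0
DRY_RUN="${DRY_RUN:-0}"

# Constructed sample log, in the assumed format, for trying the functions out.
SAMPLE_LOG='Nov 17 09:58:01 fw dhcpd: DHCPDISCOVER from 00:f1:e2:9b:95:89 via rl0
Nov 17 09:58:01 fw dhcpd: DHCPOFFER on 192.168.2.151 to 00:f1:e2:9b:95:89 via rl0
Nov 17 09:58:02 fw dhcpd: DHCPACK on 192.168.2.151 to 00:f1:e2:9b:95:89 via rl0
Nov 17 10:05:22 fw dhcpd: DHCPACK on 192.168.2.140 to 00:0c:29:11:22:33 via rl0
Nov 17 10:31:47 fw dhcpd: DHCPACK on 192.168.2.177 to 00:F1:E2:9B:95:89 (idiot1) via rl0'

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# last_ack_ip MAC  (log on stdin) -> IP of the newest DHCPACK for MAC, or nothing.
# Only DHCPACK counts: an OFFER the client never accepted must not be blackholed.
last_ack_ip() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    awk -v mac="$mac" '
        /dhcpd: DHCPACK on / {
            ip = ""; m = ""
            for (i = 1; i < NF; i++) {
                if ($i == "on") ip = $(i + 1)
                if ($i == "to") m = tolower($(i + 1))
            }
            if (m == mac) last = ip          # later lines win
        }
        END { if (last != "") print last }'
}

# update_block MAC  (log on stdin): blackhole MAC's current lease and release
# the route for the lease it held before, so a stale address is not left blocked
# for whoever gets it next.
update_block() {
    new=$(last_ack_ip "$1")
    [ -n "$new" ] || return 0                # no lease for this MAC yet
    old=""
    [ -f "$STATEFILE" ] && old=$(cat "$STATEFILE")
    [ "$new" = "$old" ] && return 0          # nothing changed since the last run
    [ -n "$old" ] && run route delete "$old"
    run route add "$new" 127.0.0.1
    printf '%s\n' "$new" > "$STATEFILE"
}

# Cron entry point:  blackhole-mac.sh MAC
if [ -n "${1:-}" ]; then
    update_block "$1" < "$LOGFILE"
fi
```

The window of access is the cron interval plus however long the lease the client already holds keeps it on the old address; shortening the lease time in dhcpd.conf narrows that more than running the job more often does.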
RTFA. He knows enough to change his IP address - I thought that was fairly obvious from the original discussion. (If I know how to use pf to block the non-existent arp-assigned address, then surely I would know how to block a normal IP address, yes?)

My original question still stands - even if there are other ways (bridging) to accomplish this, I'd like to understand what's going wrong with the arp-based approach to further my own understanding of how that works on OpenBSD.
> Hmm ... that static address is not going to change?

RTFA. Of course he knows enough to change his IP address - I thought that was implicit in the original discussion. (If I know how to use pf to block the non-existent, phony, arp-assigned address, then surely I would know how to block a normal static IP address, yes?)

My original question still stands - even if there are other, better ways (such as bridging) to accomplish blocking a single MAC address, I'd like to understand what's going wrong with the arp-based approach - if only to further my own understanding of how that works on OpenBSD.
In news:d0fca22f-94b4-40b2-a724-6cc459c86c16@35g2000pry.googlegroups.com, Jonathan Rogers <thatseattleguy@gmail.com> typed:

>> Hmm ... that static address is not going to change?
>
> RTFA. Of course he knows enough to change his IP address - I thought
> that was implicit in the original discussion. (If I know how to use pf
> to block the non-existent, phony, arp-assigned address, then surely I
> would know how to block a normal static IP address, yes?)
>
> My original question still stands - even if there are other, better
> ways (such as bridging) to accomplish blocking a single MAC address,
> I'd like to understand what's going wrong with the arp-based approach
> - if only to further my own understanding of how that works on
> OpenBSD.

man brconfig

Check 'rule' keyword.

--
Pozdrawiam
Piotrek Kapczuk
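What the 'rule' keyword buys you, as an added example (mine, not from the thread): brconfig(8) bridge rules match on Ethernet addresses, so the decision is made before ARP or IP come into it. That is what sidesteps the problem in the original post: the ARP cache is keyed by IP address, and a published static entry for a bogus IP does nothing to stop the kernel learning a second, dynamic entry for the real one from the user's own ARP traffic. The example assumes rl0 has been made a member of bridge0 (the rules only see frames that cross a bridge); the helper names are mine, the interface name and MAC are the ones from the original post.

```shell
#!/bin/sh
# Added example, not from the thread: block one MAC with brconfig(8) rules.
# Assumes rl0 is a member of bridge0. Helper names are mine; the brconfig
# rule syntax is
#   rule {block|pass} {in|out|in/out} on IFACE [src ADDR] [dst ADDR]
# and the same lines, minus "brconfig bridge0", go into /etc/hostname.bridge0
# so they survive a reboot.

BRIDGE="${BRIDGE:-bridge0}"

# valid_mac ADDR -> 0 for a unicast MAC written as xx:xx:xx:xx:xx:xx
valid_mac() {
    case "$1" in
        [0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]) ;;
        *) return 1 ;;
    esac
    # Low bit of the first octet set means multicast/broadcast. A "block" on
    # such an address can never match the user's frames, so refuse it as a typo.
    case "$1" in
        ?[13579bBdDfF]:*) return 1 ;;
    esac
    return 0
}

# bridge_rule_lines IFACE MAC -> the two rules, in hostname.bridge0 syntax
bridge_rule_lines() {
    valid_mac "$2" || { echo "not a unicast MAC: $2" >&2; return 1; }
    mac=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # drop frames he sends into the bridge on IFACE ...
    printf 'rule block in on %s src %s\n' "$1" "$mac"
    # ... and frames the bridge would forward back out IFACE to him
    printf 'rule block out on %s dst %s\n' "$1" "$mac"
}

# apply_rules IFACE MAC: load the rules into the running bridge.
# DRY_RUN=1 prints the brconfig commands instead of running them.
apply_rules() {
    rules=$(bridge_rule_lines "$1" "$2") || return 1
    printf '%s\n' "$rules" | while read -r line; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "brconfig $BRIDGE $line"
        else
            # $line is deliberately unquoted: it must become separate arguments
            brconfig "$BRIDGE" $line
        fi
    done
}

# On the firewall:  apply_rules rl0 00:f1:e2:9b:95:89
# Then check:       brconfig bridge0 rules rl0
```

Rules are kept per member interface and the default is pass, so frames from any other MAC are forwarded exactly as before; "brconfig bridge0 flushrule rl0" clears them again. The rule still only holds as long as he keeps that MAC, which is the same caveat the original post already accepts.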