MAC vs. IP address check

icerowicz
Post subject: MAC vs. IP address check  Posted: 22.01.2007 - 10:01 #44706
Apprentice
Joined: Apr 12, 2006
Posts: 930
Location: Vranov nad Topľou
Will something like this work? If not, please correct me.

# Deny everything
iptables -A INPUT -j DROP
# Allow connections individually if the MAC and IP match
iptables -I INPUT -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT

Will it work?

andreas4all
Post subject: RE: MAC vs. IP address check  Posted: 22.01.2007 - 10:37 #44707
Master
Joined: Dec 09, 2004
Posts: 2539
Location: L.A.
a small village near PD

iptables -I FORWARD -s 192.168.1.1 -m mac --mac-source MM:AA:CC:MM:AA:CC -j ACCEPT

and then drop, because the first matching rule is the one that applies.

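The pattern from the reply above, one ACCEPT rule per IP/MAC pair followed by a final DROP, as an added example that is not part of the original thread. It generates the rules from a constructed list of pairs; the interface name `eth1`, the function names and the sample addresses are assumptions, and the `-i` restriction is an addition so that return traffic from the uplink is not caught by the final DROP.

```shell
#!/bin/sh
# Added example: per-client "IP and MAC must both match" rules, then a final DROP.
# Input (stdin): "MAC IPv4" pairs, one per line; '#' comment lines are ignored.
# Output: iptables commands, printed for review rather than executed.
LAN_IF="${LAN_IF:-eth1}"   # assumed name of the client-facing interface

is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

gen_mac_ip_rules() {
    seen=" "
    while read -r mac ip _rest; do
        case "$mac" in ''|'#'*) continue ;; esac
        if ! is_mac "$mac" || ! is_ipv4 "$ip"; then
            echo "skipping invalid entry: $mac $ip" >&2
            continue
        fi
        # A second MAC for an already listed IP would defeat the binding.
        case "$seen" in *" $ip "*)
            echo "skipping duplicate IP: $ip" >&2
            continue ;;
        esac
        seen="$seen$ip "
        # -A appends, so rules are evaluated in file order; first match wins.
        echo "iptables -A FORWARD -i $LAN_IF -s $ip -m mac --mac-source $mac -j ACCEPT"
    done
    # Appended last: LAN traffic that matched no pair above is dropped.
    echo "iptables -A FORWARD -i $LAN_IF -j DROP"
}

# Constructed sample input (not real hosts): one bad IP, one duplicate IP.
sample_pairs() {
    cat <<'EOF'
# MAC               IP
00:11:22:33:44:55   192.168.1.10
66:77:88:99:AA:BB   192.168.1.11
66:77:88:99:AA:BB   192.168.1.300
00:11:22:33:44:66   192.168.1.10
EOF
}
sample_pairs | gen_mac_ip_rules
```

The `mac` match only sees the source MAC of the directly attached Ethernet neighbour, so it is usable in PREROUTING, INPUT and FORWARD and has to run on the router facing the clients.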
icerowicz
Post subject: RE: MAC vs. IP address check  Posted: 22.01.2007 - 11:01 #44708
Apprentice
Joined: Apr 12, 2006
Posts: 930
Location: Vranov nad Topľou
Thanks, the part about the first matching rule wasn't clear to me. And now the main question: what is the difference between this checking via iptables and setting up static ARP entries? I mean the advantages / disadvantages.

kiwi
Post subject: RE: MAC vs. IP address check  Posted: 22.01.2007 - 11:10 #44709
Guru
Joined: Jan 30, 2003
Posts: 1572

In my opinion there is probably no difference, but from my experience, if you have a larger LAN behind the router, e.g. 600 users, the machine with those iptables rules will go down, however powerful it is; with ARP it costs a few per mille of performance.

pixall
Post subject: RE: MAC vs. IP address check  Posted: 22.01.2007 - 19:04 #44734
Master
Joined: Oct 21, 2003
Posts: 4247

kiwi wrote: › In my opinion there is probably no difference, but from my experience, if you have a larger LAN behind the router, e.g. 600 users, the machine with those iptables rules will go down, however powerful it is; with ARP it costs a few per mille of performance.

Static ARP is an atrocity and asking for trouble. I wouldn't go that way.
And a thousand filtering rules in iptables is not a problem.

si
Post subject: RE: MAC vs. IP address check  Posted: 22.01.2007 - 20:58 #44737
Master
Joined: Jan 12, 2003
Posts: 4250
Location: /dev/null
kiwi: I don't see a reason why the machine should go down if it had 600 such rules on it... I don't happen to have 600 PCs directly behind a single machine, but indirectly behind the main router there are maybe even a few more; each PC has a separate rule for in and a separate one for out, and the router keeps up without trouble (and I do other crazy things with iptables there as well).

kiwi
Post subject: RE: MAC vs. IP address check  Posted: 22.01.2007 - 21:32 #44739
Guru
Joined: Jan 30, 2003
Posts: 1572

When 60 Mbits in and 30 out is pouring through the machine, at 7k/7k packets, believe me, MAC vs. IP checking will bring down even a 3.2 GHz machine with 1 GB of RAM.

Robert
Post subject: RE: MAC vs. IP address check  Posted: 22.01.2007 - 22:07 #44740
Master
Joined: Oct 19, 2003
Posts: 2339
Location: Bratislava
The question is how it is implemented in that system. Hopefully it uses some kind of hash tables or at least binary trees. If it had to be searched linearly, with 600 entries it really would be a killer.

pixall
Post subject: RE: MAC vs. IP address check  Posted: 22.01.2007 - 22:29 #44744
Master
Joined: Oct 21, 2003
Posts: 4247

si wrote: › kiwi: I don't see a reason why the machine should go down if it had 600 such rules on it... I don't happen to have 600 PCs directly behind a single machine, but indirectly behind the main router there are maybe even a few more; each PC has a separate rule for in and a separate one for out, and the router keeps up without trouble (and I do other crazy things with iptables there as well).

Ditto, on a P3/733 I have about a thousand rules in each direction (but on IP only), and besides that it also does layer7 filtering, and it's all nice and easy.. I handle the MAC/IP filter on the routers at the clients; there it's up to about 100 entries on 200 MHz machines (w4k) and a brutal load of 0.00...

airbilly
Post subject: RE: MAC vs. IP address check  Posted: 22.01.2007 - 23:33 #44748
Guru
Joined: Mar 13, 2005
Posts: 1867
Location: Nitra
pixall wrote: › 100 entries on 200 MHz machines (w4k) and a brutal load of 0.00...

On wifi networks it makes no sense; it's enough to put the device into WISP mode, not give the customer access to it, and there is no need to deal with any MAC/IP filter. They simply won't change that IP.

magnum
Post subject: RE: MAC vs. IP address check  Posted: 22.01.2007 - 23:52 #44749
Basic
Joined: Oct 12, 2003
Posts: 354

I was also quite surprised by what kiwi writes, mainly because I regard him as an expert and what he writes holds, but I have completely different experience with this... handling static ARP on a network with >600 users is pure madness (although if one has it scripted...)...

But then again, if with that much traffic I also had to track all the IPs and ARP, my eyes would be glowing red too... on routers that heavily loaded I handle at most QoS by a few ports and a few VIP IPs...

kiwi
Post subject: RE: MAC vs. IP address check  Posted: 23.01.2007 - 06:59 #44751
Guru
Joined: Jan 30, 2003
Posts: 1572

Of course the static ARP entries pull their data from dhcp.conf.

You can really be sure that with that many packets, when the machine has to sift them through those iptables rules, it goes to its knees.

Even with layer 7 filtering (a different machine) of p2p packets I have seen the machine lock up (though it may be that in this case the rule was not built ideally).

pixall
Post subject: RE: MAC vs. IP address check  Posted: 24.01.2007 - 03:13 #44791
Master
Joined: Oct 21, 2003
Posts: 4247

airbilly wrote: ›
pixall wrote: › 100 entries on 200 MHz machines (w4k) and a brutal load of 0.00...

On wifi networks it makes no sense; it's enough to put the device into WISP mode, not give the customer access to it, and there is no need to deal with any MAC/IP filter. They simply won't change that IP.

And what about the case when the client disconnects the device and hooks up their own? Or what about an outright intruder?

icerowicz
Post subject: RE: MAC vs. IP address check  Posted: 24.01.2007 - 08:32 #44794
Apprentice
Joined: Apr 12, 2006
Posts: 930
Location: Vranov nad Topľou
pixall, exactly. Not to mention that 30% of my clients have PCI cards, which they routinely swap (because I don't insist on an activation fee and on equipment from us). Simply put, they swap the card and it's screwed. Without this IP/MAC check a few customers change their IP address at will, because they found out that some IPs have a higher speed or a guarantee, and then it happens to me that a company that transfers 100mb a day pulls down 10Gb overnight.

My idea is simple. IP/MAC + DHCP Relay = triggering a rule in the firewall for routing. So the IP/MAC has to match and on top of that the DHCP relay has to take place as well. If all of that matches, prerouting to the next eth is allowed; if the IP/MAC in /etc/ethers doesn't match, they can't even ping the gateway; if the DHCP Relay doesn't take place, the router's output won't let them out.

Not to mention that in the case of APs (e.g. the ovis 5460, of which I have loads there) there is one more advantage. The AP's MAC has to be in /etc/ethers, and the network card's MAC address has to be in /etc/dhcp3/dhcp.conf for DHCP to assign that IP. I think it will be quite hard for an intruder to connect there.

Yesterday it happened to me that a customer had an IP assigned to his computer, hooked up a switch to the AP on his own, connected a notebook and gave it an IP one higher than the one on the computer. And there was a conflict in the network :)

si
Post subject: RE: MAC vs. IP address check  Posted: 24.01.2007 - 09:59 #44797
Master
Joined: Jan 12, 2003
Posts: 4250
Location: /dev/null
icerowicz: don't worry, there will always be a way to get in there :) whether it's worth the effort is another matter :)
