Topic: ipguard package

mohandshamada
ipguard package
« on: May 21, 2012, 06:16:34 pm »
request +ipguard Packages about arp

http://deeperm.org/ipguard/
thanks

Yes, we need that package, please include that package.

Can an admin reply to us? We need this package to prevent disabled users from accessing the network if they change their IPs.

marcelloc
ipguard package
« Reply #1 on: May 21, 2012, 10:27:13 pm »
Yes, we need that package, please include that package.

I can do this package; it's not that complex and it's built in the FreeBSD FTP archive.

marcelloc
ipguard package
« Reply #2 on: May 22, 2012, 12:48:11 am »
First ipguard-dev release done.

Please, test and feedback.
Do not forget to create rules allowing access to pfSense's IP address  ;)

Regards,
Marcello Coutinho
« Last Edit: May 22, 2012, 12:52:20 am by marcelloc »

mohandshamada
ipguard package
« Reply #3 on: May 29, 2012, 07:31:04 am »
First ipguard-dev release done.

Please, test and feedback.
Do not forget to create rules allowing access to pfSense's IP address  ;)

Regards,
Marcello Coutinho
Thanks a lot, this is what I want, but I don't understand what rule I should create for accessing pfSense. Sorry, I'm a newbie.

marcelloc
Re: ipguard package
« Reply #4 on: May 29, 2012, 08:14:26 am »
MAC addresses and IP rules on the package GUI for your machine/network and pfSense.
I'll try to screenshot a sample config.

mohandshamada
Re: ipguard package
« Reply #5 on: May 29, 2012, 08:38:27 am »
MAC addresses and IP rules on the package GUI for your machine/network and pfSense.
I'll try to screenshot a sample config.
I don't find words to thank you for your fast response, and I'm waiting for your explanation.

marcelloc
Re: ipguard package
« Reply #6 on: May 29, 2012, 09:33:49 am »
This is the sample file with comments that came with ipguard:

00:d0:b7:df:ee:4a       192.168.1.100           Third column is a comment
00:d0:b7:16:0b:f9       192.168.1.64
00:d0:b7:16:0b:f9       192.168.1.66            There can be more than one IP
00:00:21:e9:fe:9a       192.168.2.56
00:08:c7:eb:22:6c       192.168.2.56            Also more than one MAC
192.168.16.147          00:04:76:18:a0:b9       Order doesn't matter
00:00:00:00:00:00       192.168.50.163          Zero MAC == any MAC
00:0d:61:76:ef:eb       0.0.0.0                 Zero IP == any IP
00:02:b3:60:50:9c       127.0.0.1               Known wrong IP == MAC blocked
00:0f:5b:83:30:0a       host.domain.tld         Hostnames resolved
00:00:00:00:00:00       192.168.4.0/24          Allow subnet
de:ad:be:ef:12:34       192.168.0.0/16          Block all other subnets
# 00:0c:6e:a0:f6:6d       192.168.1.254         Comment

« Last Edit: May 29, 2012, 09:39:06 am by marcelloc »

mohandshamada
Re: ipguard package
« Reply #7 on: May 29, 2012, 06:58:27 pm »
Today I'm so happy, really thank you "maro".

mohandshamada
Re: ipguard package
« Reply #8 on: May 31, 2012, 01:26:26 pm »
Can you make anything so that the user who connects first is live and connected, and the second one, who isn't allowed and changes his MAC address to a live one, gets disconnected? I need that because when I disable some users they change their MAC address to a live one.

marcelloc
Re: ipguard package
« Reply #9 on: May 31, 2012, 01:36:21 pm »
Sorry, but if a user clones the MAC and the IP address, I have no idea how ipguard could detect it.

You will need to include this security check on the switch too.

jikjik101
Re: ipguard package
« Reply #10 on: June 11, 2012, 01:27:24 am »
This is like the DHCP server feature:

Deny unknown clients
If this is checked, only the clients defined below will get DHCP leases from this server.

and

Enable Static ARP entries
Note: Only the machines listed below will be able to communicate with the firewall on this NIC.


Although I have no idea what the difference is between the two features ???

marcelloc
Re: ipguard package
« Reply #11 on: June 11, 2012, 08:48:35 am »
Although I have no idea what the difference is between the two features ???

The difference is that you can create ACLs for multiple matches, or restrict the ARP check only to server IPs, for example.


jikjik101
Re: ipguard package
« Reply #12 on: June 11, 2012, 10:23:46 am »
I see. But if the OP's requirement is just to prevent users from accessing the network even if they change their IPs, are the features of the DHCP server not enough for that, as I posted before, especially this one: Enable Static ARP entries? If not, then I need to install this package.  ;D


phil.davis
Re: ipguard package
« Reply #13 on: August 22, 2012, 04:41:44 am »
Just had a play with this and posted a pull request for a few code tidy/fix-ups - @marcelloc, have a look.

@jikjik101 -
1) I assume that all wireless is secured by good passwords/keys - so only authorised users connect to your wireless, and that all your authorised users (on wireless and cabled) have hardware and network configs that are under your control (or you really do trust them not to hack) - e.g. they are all getting DHCP from your pfSense and maybe are even given static IPs based on their MAC address.

Now, if someone carries in a box of their own, plugs it onto your network (attaches a cable to a spare wall socket...) then they can make their box be any MAC address and any IP address. The DHCP server will never get asked for an address.

If they just pick an unused IP address in your subnet, then ipguard will make life hell for them.

If they try to pretend to be one of your devices by just setting their IP to match one of yours then ipguard will also give them hell - but they might also cause some annoyance to the real device until they are tracked down and removed.

If they set their MAC address and IP address to match your real device, then nothing on an ordinary switched LAN can tell the difference.

To fix that, you need managed switches that know which MAC address is allowed to be on the end of each port. And obviously physically secure the ports of things you care about - otherwise someone walks into an unattended office, unplugs some critical device, plugs in their own and imitates it. Yes - in places that want high security, this is done for every switch port, unused ones are disabled, and every time someone moves a device to another room they have to patch it through to the same switch port or get the switch config changed.

In the end, you have to first have physical security.
If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

rjcrowder
Re: ipguard package
« Reply #14 on: August 27, 2012, 08:07:17 pm »
I've gotta be doing something wrong... I can't seem to get Ipguard working for what I want. This is what is in my /usr/local/etc/ipguard_lan.conf

00:e0:52:c2:e0:c4 192.168.5.1 pfsense LAN interface
00:25:ae:28:38:a9 192.168.5.200 XBox-Wired
00:0d:4b:bd:d1:61 192.168.5.201 roku-basement
00:0d:4b:df:c1:3d 192.168.5.202 roku-den
cc:6d:a0:1f:a5:11 192.168.5.203 roku-family-rm
00:0d:4b:e8:1e:59 192.168.5.204 roku-master-bdrm
00:13:72:98:dc:2b 192.168.5.205 rjc-nas
00:22:58:7b:85:97 192.168.5.206 Brother-MFC-J430W
00:00:00:00:00:00 192.168.5.0/24 lan net

I'm trying to set it up so that no MAC other than those listed above can use the 200-207 IP addresses on my network and get out to the internet - but to no avail. I can set my laptop to the 206 address (Brother-MFC-J430W listed above) and it seems to have no effect whatsoever. I can browse the internet, etc. What am I doing wrong?

Additional info about my setup... I'm using Squid and Dansguardian. The reason I'm trying to stop other MACs from taking the 200-207 addresses is that 192.168.5.200/29 is allowed out without going through Dans (I have firewall rules that block all other addresses from hitting the internet directly).

Thanks for any help!
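To make the matching rules documented in the sample file (Reply #6) concrete, and to see what they imply for the ipguard_lan.conf in this post, here is an added Python checker that is not ipguard's own code. Its semantics are an assumption read from the sample file's comments (a MAC/IP pair is checked when its MAC or its IP is listed, and passes only when some line matches on both columns), not a verified description of ipguard's source; the laptop MAC is constructed.

```python
import ipaddress

# Assumed matching semantics (drawn from the sample file's comments, not ipguard's source):
# a MAC/IP pair is checked when its MAC or its IP is listed, and passes only when some
# line matches on both columns. Hostname lines are skipped because this runs offline.
ANY_MAC = "00:00:00:00:00:00"

def parse_ipguard(text):
    """Return [(mac, network)] from ipguard lines: two columns in either order, the rest
    of the line is a comment, '#' lines are ignored, a zero MAC or 0.0.0.0 is a wildcard."""
    rules = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 2 or cols[0].startswith("#"):
            continue
        mac, ip = (cols[0], cols[1]) if cols[0].count(":") == 5 else (cols[1], cols[0])
        try:
            net = ipaddress.ip_network("0.0.0.0/0" if ip == "0.0.0.0" else ip, strict=False)
        except ValueError:
            continue  # hostname entry: ipguard resolves it, this offline checker cannot
        rules.append((mac.lower(), net))
    return rules

def check(rules, mac, ip):
    """Classify one ARP-observed pair as 'allowed', 'blocked' or 'unlisted'."""
    mac, addr = mac.lower(), ipaddress.ip_address(ip)
    matched = any((m == mac or m == ANY_MAC) and addr in n for m, n in rules)
    listed = any(m == mac or (n.prefixlen > 0 and addr in n) for m, n in rules)
    return "allowed" if matched else "blocked" if listed else "unlisted"

# Worked input: rjcrowder's ipguard_lan.conf as posted above, abridged to four lines.
RJC_CONF = """\
00:e0:52:c2:e0:c4 192.168.5.1 pfsense LAN interface
00:25:ae:28:38:a9 192.168.5.200 XBox-Wired
00:22:58:7b:85:97 192.168.5.206 Brother-MFC-J430W
00:00:00:00:00:00 192.168.5.0/24 lan net
"""
LAPTOP_MAC = "aa:bb:cc:dd:ee:ff"  # constructed: a laptop that sets itself to .206

def laptop_at_206(conf=RJC_CONF):
    """What the assumed semantics decide for the laptop squatting on the printer's IP."""
    return check(parse_ipguard(conf), LAPTOP_MAC, "192.168.5.206")

def without_lan_net_line(conf=RJC_CONF):
    """The same conf with the any-MAC 'lan net' line removed."""
    return "\n".join(l for l in conf.splitlines() if not l.startswith(ANY_MAC))
```

Under these semantics the any-MAC `192.168.5.0/24` line matches every host in the subnet, so the laptop at .206 comes back "allowed"; with that line removed, .206 is listed only for the printer's MAC and the laptop comes back "blocked".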