Ipguard package
-
request +ipguard Packages about arp
http://deeperm.org/ipguard/
thanksyes we need that package please include that package
can admin reply to us we need this package to prevent disabled user from accessing network if they change their ips
-
yes we need that package please include that package
I can do this package, it's not that complex and built in freebsd ftp archive.
-
First ipguard-dev release done.
Please, test and feedback.
Do not forget to create rules allowing access to pfsense's ip address ;)att,
Marcello Coutinho -
First ipguard-dev release done.
Please, test and feedback.
Do not forget to create rules allowing access to pfsense's ip address ;)att,
Marcello Coutinhothanks a lot this is what i want but i don't understand what rule should i create for accessing pfsense sorry i'm newbie
-
Mac adresses and ip rules on package gui for your machine /network and pfsense
I'll try to screenshot a sample config. -
Mac adresses and ip rules on package gui for your machine /network and pfsense
I'll try to screenshot a sample config.i don't find words to thank you for your fast response and i'm waiting your explanation
-
This is the sample file with comments that came with ipguard:
00:d0:b7:df:ee:4a 192.168.1.100 Third column is a comment
00:d0:b7:16:0b:f9 192.168.1.64
00:d0:b7:16:0b:f9 192.168.1.66 There can be more than one IP
00:00:21:e9:fe:9a 192.168.2.56
00:08:c7:eb:22:6c 192.168.2.56 Also more than one MAC
192.168.16.147 00:04:76:18:a0:b9 Order doesn't matter
00:00:00:00:00:00 192.168.50.163 Zero MAC == any MAC
00:0d:61:76:ef:eb 0.0.0.0 Zero IP == any IP
00:02:b3:60:50:9c 127.0.0.1 Known wrong IP == MAC blocked
00:0f:5b:83:30:0a host.domain.tld Hostnames resolved
00:00:00:00:00:00 192.168.4.0/24 Allow subnet
de:ad:be:ef:12:34 192.168.0.0/16 Block all other subnets00:0c:6e:a0:f6:6d 192.168.1.254 Comment
-
today i'm so happy realy thank you " maro "
-
can you make any thing made the user who connect first is a live and connected and the second who isn't allowed and change his mac address to live one to be disconnected i need that cause when i disable some users the change their mac address to a live one
-
Sorry buto if a user clones the mac and the ip address, I have no idea how ipguard could detect it.
You will need to include this security check on switch too.
-
This is like the DHCP server feature:
Deny unknown clients
If this is checked, only the clients defined below will get DHCP leases from this server.and
Enable Static ARP entries
Note: Only the machines listed below will be able to communicate with the firewall on this NIC.Although i have no idea what's the difference between the two features ???
-
Although i have no idea what's the difference between the two features ???
The diference is that you can create acls for multiple matches or restrict arp check only for servers ips for example.
-
I see. But if the OP's requirements is just to prevent users from accessing the network even if they change their IPs, are the features of the DHCP not enough for that as what i posted before, especially this: Enable Static ARP entries? If no, then i need to install this package. ;D
-
Just had a play with this and posted a pull request for a few code tidy/fix-ups - @marcelloc, have a look.
- I assume that all wireless is secured by good passwords/keys - so only authorised users connect to your wireless, and that all your authorised users (on wireless and cabled) have hardware and network configs that are under your control (or you really do trust them not to hack) - e.g. they are all getting DHCP from your pfSense and maybe are even given static IPs based on their MAC address.
Now, if someone carries in a box of their own, plugs it onto your network (attaches a cable to a spare wall socket…) then they can make their box be any MAC address and any IP address. The DHCP server will never get asked for an address.
If they just pick an unused IP address in your subnet, then ipguard will make life hell for them.
If they try to pretend to be one of your devices by just setting their IP to match one of yours then ipguard will also give them hell - but they might also cause some annoyance to the real device until they are tracked down and removed.
If they set their MAC address and IP address to match your real device, then nothing on an ordinary switched LAN can tell the difference.
To fix that, you need managed switches that know which MAC address is allowed to be on the end of each port. And obviously physically secure the ports of things you care about - otherwise someone walks into an unattended office, unplugs some critical device, plugs in their own and imitates it. Yes - in places that want high security, this is done for every switch port, unused ones are disables, every time someone moves a device to another room they have to patch it through to the same switch port or get the switch config changed.
In the end, you have to first have physical security.
-
I've gotta be doing something wrong… I can't seem to get Ipguard working for what I want. This is what is in my /usr/local/etc/ipguard_lan.conf
00:e0:52:c2:e0:c4 192.168.5.1 pfsense LAN interface
00:25:ae:28:38:a9 192.168.5.200 XBox-Wired
00:0d:4b:bd:d1:61 192.168.5.201 roku-basement
00:0d:4b:df:c1:3d 192.168.5.202 roku-den
cc:6d:a0:1f:a5:11 192.168.5.203 roku-family-rm
00:0d:4b:e8:1e:59 192.168.5.204 roku-master-bdrm
00:13:72:98:dc:2b 192.168.5.205 rjc-nas
00:22:58:7b:85:97 192.168.5.206 Brother-MFC-J430W
00:00:00:00:00:00 192.168.5.0/24 lan netI'm trying to set it up so that no MAC other than those listed above can use the 200-207 IP addresses on my network and get out to the internet - but to no avail. I can set my laptop to 206 address (Brother-MFC-J430W listed above) and it seems to have no affect whatsoever. I can browse the internet, etc. What am I doing wrong?
Additional info about my setup... I'm using Squid and Dansguardian. The reason I'm trying to stop other MAC's from taking the 200-207 addresses is that 192.168.5.200/29 is allowed out without going through Dans (I have firewall rules that block all other addresses from hitting the internet directly).
Thanks for any help!
-
I really liked the idea on this package.. but somehow, even if I add the mac-ip pairs, still ipguard gives the machine a de:ad mac address.. lotsa flipflops..
any idea on this matter? is there any configuration should i worried about? oh im
Aug 29 20:47:34 isfw arpwatch: flip flop 192.168.100.249 f4:6d:4:6d:ff:c3 (de:ad:96:87:d0:9e)
Aug 29 20:47:34 isfw arpwatch: flip flop 192.168.100.215 de:ad:36:87:f7:6c (de:ad:96:87:d0:9e)
Aug 29 20:47:34 isfw arpwatch: flip flop 192.168.100.33 de:ad:36:87:f7:6c (de:ad:96:87:d0:9e)
Aug 29 20:47:34 isfw arpwatch: flip flop 192.168.100.215 de:ad:96:87:d0:9e (de:ad:36:87:f7:6c)
Aug 29 20:47:34 isfw arpwatch: reused old ethernet address 192.168.100.215 50:e5:49:a6:c9:64 (de:ad:96:87:d0:9e)
Aug 29 20:47:34 isfw arpwatch: flip flop 192.168.100.215 de:ad:36:87:f7:6c (de:ad:96:87:d0:9e)
Aug 29 20:47:34 isfw arpwatch: flip flop 192.168.100.33 de:ad:36:87:f7:6c (de:ad:96:87:d0:9e)
Aug 29 20:47:34 isfw arpwatch: flip flop 192.168.100.215 de:ad:96:87:d0:9e (de:ad:36:87:f7:6c)
Aug 29 20:47:34 isfw arpwatch: reused old ethernet address 192.168.100.215 50:e5:49:a6:c9:64 (de:ad:96:87:d0:9e)
Aug 29 20:47:34 isfw arpwatch: reused old ethernet address 192.168.100.249 de:ad:36:87:f7:6c (f4:6d:4:6d:ff:c3)
Aug 29 20:47:34 isfw arpwatch: flip flop 192.168.100.249 f4:6d:4:6d:ff:c3 (de:ad:36:87:f7:6c)
Aug 29 20:47:34 isfw arpwatch: flip flop 192.168.100.215 de:ad:96:87:d0:9e (50:e5:49:a6:c9:64)
Aug 29 20:47:34 isfw arpwatch: flip flop 192.168.100.215 50:e5:49:a6:c9:64 (de:ad:96:87:d0:9e)
Aug 29 20:47:34 isfw arpwatch: flip flop 192.168.100.38 de:ad:96:87:d0:9e (de:ad:36:87:f7:6c) -
For the flipflops, I have a systen with wireless bridges that mess with MAC addresses (ARP-NAT?) I see this on wireless clients hopping from one bridge to another. Are you running anything like that?
-
i dont have any wireless on my network, flipflops only appear when i turn ipguard to ON. dont know why it didnt recognize the mac-ip pairs defined on the ether file.
-
I've gotta be doing something wrong… I can't seem to get Ipguard working for what I want. This is what is in my /usr/local/etc/ipguard_lan.conf
00:e0:52:c2:e0:c4 192.168.5.1 pfsense LAN interface
00:25:ae:28:38:a9 192.168.5.200 XBox-Wired
00:0d:4b:bd:d1:61 192.168.5.201 roku-basement
00:0d:4b:df:c1:3d 192.168.5.202 roku-den
cc:6d:a0:1f:a5:11 192.168.5.203 roku-family-rm
00:0d:4b:e8:1e:59 192.168.5.204 roku-master-bdrm
00:13:72:98:dc:2b 192.168.5.205 rjc-nas
00:22:58:7b:85:97 192.168.5.206 Brother-MFC-J430W
00:00:00:00:00:00 192.168.5.0/24 lan netI'm trying to set it up so that no MAC other than those listed above can use the 200-207 IP addresses on my network and get out to the internet - but to no avail. I can set my laptop to 206 address (Brother-MFC-J430W listed above) and it seems to have no affect whatsoever. I can browse the internet, etc. What am I doing wrong?
Additional info about my setup... I'm using Squid and Dansguardian. The reason I'm trying to stop other MAC's from taking the 200-207 addresses is that 192.168.5.200/29 is allowed out without going through Dans (I have firewall rules that block all other addresses from hitting the internet directly).
Thanks for any help!
I ended up solving my problem by writing a little shell script that executes tcpdump looking for packets with sources range 192.168.5.200/29. It then compares the MAC address on each packet to a list of valid MAC/IP pairs. If a mismatch is found, it shuts down the WAN interface (assumption being a rogue MAC has taken one of my unfiltered IP addresses)! A little draconian, but effective. Added a startup/shutdown script for it and it accomplishes what I want…
However - I thought I could accomplish the same thing with ipguard... can anyone tell me? Thanks!
-
Bump…
Not a big deal because I got it working with the tcpdump shell script, but I'm still wondering if my use case was valid for ipguard? i.e. should I be able to make ipguard work to block invalid mac/ip combos from accessing the internet?
Anyone? Thanks...
-
try to reduce your network range on your allow list and move pfsense ip to 254 for example.
00:e0:52:c2:e0:c4 192.168.5.254 pfsense LAN interface
.
.
.
00:00:00:00:00:00 192.168.5.0/25 lan net -
OK… seems like I tried that, but I will play around with it some more... Before I do though, I just want to confirm. What I'm trying to do is what ipguard was intended to accomplish? i.e. make sure that ip/mac combinations (or ranges) are valid and keep invalid combos from accessing network resources?
Also (again I'll play more to confirm) I turned on the verbose logging and from what I could tell, it appeared that ipguard was catching the invalid mac/ip combination and returning the bogus mac address on the ARP request/reply. However, everything still worked for the IP address involved. It shouldn't... correct?
Thanks again...
-
On my tests, it was easier to lost access to pfsense then full access.
Maybe your 00:00:00:00:00:00 192.168.5.0/24 ipguard lan net rule permits all lan access.
-
This package seems to not work correctly with: 2.1-BETA0 (amd64).
After installing the package there is no addition of Ipguard to the services drop down menu.
-
It's on firewall menu ;)
I'm not sure if I tested it's dirs and pbi install on 2.1
-
I have ipguard-dev installed on 2.1-BETA0. It puts a link to its exe into /usr/local/sbin, so the package startup code works fine as is.
[2.1-BETA0][root@pfsense.localdomain]/(8): ls -l /usr/local/sbin/ipguard lrwxr-xr-x 1 root wheel 35 Oct 8 19:06 /usr/local/sbin/ipguard -> /usr/pbi/ipguard-i386/.sbin/ipguard
The 2.1, FreeBSD 8.3, pbi-based package version is working.
-
I'll include pfsense 2.1 folder check as soon as possible…
-
@marcelloc - I don't think any folder/version checks are needed. The PBI installation puts the link to the exe in /usr/local/sbin already - so running /usr/local/sbin/ipguard works on 2.1. The conf file goes in /usr/local/etc fine. I think it all works out of the same folders in 2.0.1 and 2.1.
-
I think it all works out of the same folders in 2.0.1 and 2.1.
good! Thank's for the info. :)
-
i installed ipguard on pfsense 2.01 32bit, when i click on the start button in the Services menu it just doesnt start. There is a message saying it started but in the menu it keeps being stopped. Is there a way to start it manually (command line) or see the logs for when a service start?
-
Check your config first and save settings. Then go to console and check if its running with "PS ax "
-
nope not running
EDIT:I accessed pfsense in ssh and when I try to launch ip guard it says this:
/libexec/ld-elf.so.1: Shared object "libpcap.so.1" not found, required by "ipguard"
-
what version of pfsense are you running?
-
2.0.1-RELEASE (i386)
i fixed this issue by installing snort, which installed the missing dependencies but now i've got another problem
in /var/log/ipguard_fxp0.log i get:
error pcap_open_live(): fxp0: No such device exists (BIOCSETIF failed: Device not configured) -
I've tested this package without snort without issues, I'll try it again on virtual lab.
-
Hey there guys,
Here's the problem I'm running into and I'm hoping ipguard can turn the trick….
I have a wifi client who for whatever reason is always trying to set a static IP that conflicts with an ip address in my static range, which causes temporary problems from time to time.
I'd like to make sure that these addresses are not in conflict in situations like this. Since my static devices are all known and well documented, would the correct approach be to enter them all in ipguard, thereby (hopefully, I think?) ensuring that no other mac address can inadvertently obtain access to my LAN (wifi) using a reserved, static ip?
???
-
Sure, ipguard can help.
Did you tried static mapping on pfSense dhcp+ Deny unknown clients?
-
Surge, ipguard can help.
Did you tried static mapping on pfSense dhcp+ Deny unknown clients?
No, and here's why: I run a WISP and I don't want to deny unknown clients. They can sign up online thru the captive portal and that's $$ ;D
However, I did try mapping it to an IP address, but pfSense tells me that I can't do that inside of the dynamic IP range….. which seems silly, actually.
-
Dear marcelloc,
i did download the ipguard last week and installed it on my pfsense 2.0.1 (amd64)
however, the services didnt run even i tried to start it manually
then a few days later i remove it back because i thought there was an error while it was installed
somehow, i cant find it again from the "packages" list, did you remove it?
how can i use this good features? im ran a wisp as well and i hope that i dont need to deny unknown clients ;)
waiting for your kind replythanks
cleancodex -
cleancodex,
check on installed packages tab, I did not removed the service.
There is a depedencie that is not included on this package yet.
you need to install libcap first. You can do this using pkg_add from freebsd repo or installing snort package before ipguard.
I'll try to fix it as soon as possible.