Original poster | Posted on 2006-5-9 11:17:27
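Originally posted by wuxj on 2006-5-8 11:13
Same method as for the external network: use arp -s ip mac
Bind it on the internet cafe client machines? Would that work?
I really wish the stuff above could be typed straight into mono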
16.6. Does m0n0wall support MAC address filtering?
Short answer: Not yet. (i.e. you cannot specify MAC addresses in firewall rules)
Long answer: There are several "hacks" you may be able to use to achieve the desired end result.
Note
There is no bulletproof method of access control by MAC address. Keep in mind that MAC addresses are easy to change and spoof.
16.6.1. Using Captive Portal and MAC pass-through
You can utilize Captive Portal and its MAC pass-through functionality for rudimentary MAC address restrictions.
Enable Captive Portal on the desired interface (e.g. LAN) at the Services -> Captive Portal screen. Create an HTML page of your liking that does not include the submit button so the user cannot authenticate with the captive portal. Other settings can all be left at their defaults.
Click the "Pass-through MAC" tab on the Captive Portal screen. Click the + to start adding permitted MAC addresses. In the MAC address box, type in the six hex octets separated by colons (e.g. ab:cd:ef:12:34:56), optionally (but recommended) enter a description, and click Save. Repeat for every authorized host on your network.
16.6.2. Using DHCP reservations and firewall rules
First, set up your DHCP scope. At the bottom of the Services -> DHCP screen, add every authorized MAC address on your network, and check the "Deny unknown clients" box. This will prevent an unauthorized machine from getting an IP address from DHCP.
16.6.3. Using Static ARP
You can ensure certain MAC addresses can only use a certain IP by using static ARP.
To add a static ARP entry, use /exec.php to run the arp command.
arp -s 192.168.1.11 ab:cd:ef:12:34:56
To verify this addition, run 'arp -a' in exec.php and you'll see the following in the list.
? (192.168.1.11) at ab:cd:ef:12:34:56 on sis2 [ethernet]
This change will not survive a reboot. You need to put the arp -s command in your config.xml in . See this FAQ entry for more information on hidden config.xml options
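It looks like it can be typed in, but my English isn't very good. First, I don't know where to type it; second, how come it is also an internal IP?
[ This post was last edited by daobiao on 2006-5-9 11:34 ]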
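The static ARP step in the quoted FAQ can be audited afterwards. The script below is an added example, not part of the original post or the m0n0wall documentation: it compares `arp -a` output in the format shown above against a list of intended bindings. The bindings file format ("ip mac" per line), the function names and every sample address other than the FAQ's own 192.168.1.11 / ab:cd:ef:12:34:56 are assumptions.

```shell
#!/bin/sh
# Added example: audit `arp -a` output against the intended static bindings.
# Assumption: bindings are kept as "ip mac" pairs, one per line.

# check_arp BINDINGS_FILE ARP_FILE: one finding per line, exit status 1 if any.
check_arp() {
    awk '
        FILENAME == ARGV[1] {             # first file: expected bindings
            if (NF >= 2 && $1 !~ /^#/) want[$1] = tolower($2)
            next
        }
        $3 == "at" {                      # "? (ip) at mac on if [ethernet]"
            ip = $2; gsub(/[()]/, "", ip)
            mac = tolower($4); seen[ip] = 1
            if (!(ip in want)) {          # address with no binding at all
                print "UNLISTED " ip " " mac; bad = 1
            } else if (want[ip] != mac) { # bound IP answered by another MAC
                print "MISMATCH " ip " expected " want[ip] " got " mac; bad = 1
            }
        }
        END {                             # bindings absent from the ARP table
            for (ip in want) if (!(ip in seen)) { print "MISSING " ip; bad = 1 }
            exit bad
        }
    ' "$1" "$2"
}

demo() {
    d=$(mktemp -d) || return 1
    # Constructed sample data; only the first pair comes from the FAQ.
    cat > "$d/want" <<'EOF'
192.168.1.11 ab:cd:ef:12:34:56
192.168.1.12 ab:cd:ef:12:34:57
192.168.1.13 ab:cd:ef:12:34:58
EOF
    cat > "$d/arp" <<'EOF'
? (192.168.1.11) at ab:cd:ef:12:34:56 on sis2 [ethernet]
? (192.168.1.12) at 00:11:22:33:44:55 on sis2 [ethernet]
? (192.168.1.50) at 00:11:22:33:44:66 on sis2 [ethernet]
EOF
    check_arp "$d/want" "$d/arp" && rc=0 || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || echo "bindings violated"
```

A MISSING line after a reboot is the symptom the FAQ warns about: the arp -s entry did not persist. As the FAQ's own note says, a matching MAC is not proof of identity, since MAC addresses can be changed.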