On Mon 11/08/2003 at 15:48, Ramin Dousti wrote:
> Absolutely. But let's back off a bit and take a look at the picture as a whole.
> We're talking about the internal users here. If someone is so ambitious to do
> what you said, be sure they can do even more harm to you.

Without any doubt. This is a paranoid measure to prevent mighty lusers or big evil 3lle7 crackers who managed to get into the LAN from messing around ;)

> Besides, are you going to implement this at every single router on any
> LAN segment you have internally? Or is this solution meant for VSOHO?

Well, I do not think implementing a static ARP cache on the Linux NAT box will be more of a burden than doing almost the same using iptables with mac match (as far as I understand what OP wants). I mean once you have done this for one purpose (e.g. DHCP MAC-based assignment), there's not much left to do to generate an /etc/ethers-like file for filling the ARP cache or to generate a basic iptables ruleset.

> But, your point taken :-)

Was just for info and discussion, not for contradiction. Most of the time, DHCP assignment as you said before is by far sufficient to provide an acceptable way to associate MAC and IP.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
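
The generation step mentioned in the message above, sketched as an added example that is not part of the original post: one list of MAC/IP bindings drives both an /etc/ethers-style file and an iptables mac-match ruleset. It assumes the DHCP assignments live in ISC dhcpd.conf `host` blocks; the sample hosts, the `eth1` interface, the use of the FORWARD chain and all function names are assumptions made for illustration.

```python
import re

# Constructed sample in ISC dhcpd.conf syntax (hosts and addresses are made up).
SAMPLE_DHCPD_CONF = """
host alice { hardware ethernet 00:11:22:33:44:55; fixed-address 192.168.1.10; }
host bob {
    hardware ethernet 00:AA:bb:cc:dd:ee;
    fixed-address 192.168.1.11;
}
host nomac { fixed-address 192.168.1.12; }
"""

HOST_RE = re.compile(r"host\s+(\S+)\s*\{([^}]*)\}", re.S)
MAC_RE = re.compile(r"hardware\s+ethernet\s+((?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s*;")
IP_RE = re.compile(r"fixed-address\s+(\d{1,3}(?:\.\d{1,3}){3})\s*;")

def parse_bindings(conf):
    """Return [(mac, ip)] for hosts declaring both; refuse ambiguous input."""
    bindings, seen = [], set()
    for name, body in HOST_RE.findall(conf):
        mac, ip = MAC_RE.search(body), IP_RE.search(body)
        if not (mac and ip):
            continue  # an entry without both values cannot be pinned
        pair = (mac.group(1).lower(), ip.group(1))
        for value in pair:
            # One MAC on two IPs (or the reverse) would make the static
            # table ambiguous, so stop instead of emitting it.
            if value in seen:
                raise ValueError(f"duplicate {value} in host {name}")
            seen.add(value)
        bindings.append(pair)
    return bindings

def ethers_lines(bindings):
    # ethers(5) layout: MAC first, then IP or hostname.
    return [f"{mac} {ip}" for mac, ip in bindings]

def iptables_rules(bindings, lan_if="eth1"):
    # lan_if is an assumed LAN-side interface name on the NAT box.
    rules = [f"iptables -A FORWARD -i {lan_if} -s {ip} "
             f"-m mac --mac-source {mac} -j ACCEPT" for mac, ip in bindings]
    # Anything arriving from the LAN without a known MAC/IP pair is dropped.
    rules.append(f"iptables -A FORWARD -i {lan_if} -j DROP")
    return rules

if __name__ == "__main__":
    pairs = parse_bindings(SAMPLE_DHCPD_CONF)
    print("\n".join(ethers_lines(pairs) + iptables_rules(pairs)))
```

The ethers-style output can be loaded into the kernel ARP cache with `arp -f`, which reads /etc/ethers by default.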