LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 09-16-2011, 10:16 AM   #1
bajangerry
LQ Newbie
 
Registered: Feb 2011
Posts: 3

Can I limit the number of device connections on an Ethernet port?


Hi Guys,
I am wondering if there is a way for me to limit the number of devices I can have connected to my Ethernet port. My understanding of networking is that my Linux server has to learn MAC addresses using ARP, so I am hoping that I can somehow control the number it learns or stop it from learning any more after 5, for instance.
If that is not an option, could I possibly prevent the server from communicating with more than 5 devices? Maybe somehow allow communication with the first 5 devices that connect and ignore any new ones?

Thanks for any input.

Gerry
 
Old 09-16-2011, 08:27 PM   #2
tommylovell
Member
 
Registered: Nov 2005
Distribution: Raspbian, Debian, Ubuntu
Posts: 380

Quote:
Originally Posted by bajangerry
Hi Guys,
I am wondering if there is a way for me to limit the number of devices I can have connected to my Ethernet port.
The devices are not really connecting to your ethernet port. Client machines are connecting with an application running on your system. (Connections are tcp, but there is connectionless communication as well with udp.)

Quote:
My understanding of networking is that my Linux server has to learn MAC address using ARP
That's true, but you only ARP to send a packet to a device that is directly connected to your subnet. (That would include your router, too.)

Quote:
...so I am hoping that I can somehow control the number it learns or stop it from learning any more after 5 for instance.
You're talking about making a fundamental change to the tcp/ip stack, 'cause I don't think there is any way to do this now.
But even if you could that wouldn't have the effect that you are looking for. If your connections are coming in through a router, they all have the same mac address. So, if your traffic is coming in from another subnet, you could have a very high number of concurrent connections all "funneling" through the one router interface, i.e. mac address.

Quote:
If that is not an option could I possibly prevent the server from communicating with more than 5 devices? maybe somehow allow communication with the first 5 devices that connect and ignore any new ones?
Yes, but that would have to be implemented within the application.

Maybe there's a way to limit connections with iptables. If there are no other responses to this post, perhaps you could post a new question asking if the number of connections to an application can be controlled via iptables.

Last edited by tommylovell; 09-16-2011 at 08:30 PM.
 
Old 09-16-2011, 08:36 PM   #3
jefro
Moderator
 
Registered: Mar 2008
Posts: 21,982

You can use static arp and block or deny any dynamic arp numbers.
 
Old 09-16-2011, 09:18 PM   #4
tommylovell
Member
 
Registered: Nov 2005
Distribution: Raspbian, Debian, Ubuntu
Posts: 380

Quote:
Originally Posted by jefro
You can use static arp and block or deny any dynamic arp numbers.
And right you are.

From http://linux-ip.net/html/ether-arp.html
Quote:
2.1.3. ARP Suppression

Complete ARP suppression is not difficult at all. ARP suppression can be accomplished under Linux on a per-interface basis by setting the noarp flag on any Ethernet interface. Disabling ARP will require static neighbor table mappings for all hosts wishing to exchange packets across the Ethernet.

To suppress ARP on an interface simply use ip link set dev $DEV arp off as in Example B.7, “Using ip link set to change device flags” or ifconfig $DEV -arp as in Example C.5, “Setting interface flags with ifconfig”. Complete ARP suppression will prevent the host from sending any ARP requests or responding with any ARP replies.
But this would require static definitions for the systems that would be permitted to connect.

What wasn't stated in the original post is why the OP wants to do this.
 
Old 09-17-2011, 11:06 AM   #5
baldy3105
Member
 
Registered: Jan 2003
Location: Cambridgeshire, UK
Distribution: Mint (Desktop), Debian (Server)
Posts: 891

One has to ask why you would bother. Unless you have some ultra-critical security concern, but even that wouldn't benefit you much because anyone who knows what they are doing can spoof MACs.
 
Old 09-17-2011, 04:32 PM   #6
jefro
Moderator
 
Registered: Mar 2008
Posts: 21,982

You could make some script to monitor arp cache and then copy mac to some file then apply a rule.
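A dry-run sketch that combines the two suggestions in this thread (static neighbour entries with ARP disabled, as quoted from linux-ip.net in post #4, and a script that reads the ARP cache and turns the first few MACs into a rule), added here as an example and not code from any poster. The interface name eth0, the limit of 5 and the neighbour-table sample are assumptions; the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the thread). Builds an allowlist of the first
# MAX neighbours seen in the ARP cache and prints the commands that pin
# them as static entries and allow only their MACs. DEV and MAX are
# assumptions; the neighbour-table sample below is constructed.
DEV="${DEV:-eth0}"
MAX="${MAX:-5}"

# Constructed sample of `ip -4 neigh show dev eth0` output. The FAILED
# entry carries no lladdr and must be skipped.
SAMPLE_NEIGH='192.168.1.10 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.11 lladdr 00:11:22:33:44:02 STALE
192.168.1.12  FAILED
192.168.1.13 lladdr 00:11:22:33:44:03 REACHABLE
192.168.1.1 lladdr 00:11:22:33:44:fe REACHABLE
192.168.1.14 lladdr 00:11:22:33:44:04 DELAY
192.168.1.15 lladdr 00:11:22:33:44:05 REACHABLE
192.168.1.16 lladdr 00:11:22:33:44:06 REACHABLE'

# Reads neighbour lines on stdin; prints "ip mac" for the first MAX
# entries that have a link-layer address (the "first N that connected").
pick_allowed() {
    awk -v max="$MAX" '$2 == "lladdr" && n < max { print $1, $3; n++ }'
}

# Turns "ip mac" pairs on stdin into the policy commands: ARP off plus a
# permanent neighbour entry per host (the static mappings the linux-ip.net
# text requires), and an iptables MAC allowlist with a final DROP.
# Peers also need a static entry for this server, since it will no longer
# answer ARP requests.
gen_rules() {
    echo "ip link set dev $DEV arp off"
    while read -r ip mac; do
        echo "ip neigh replace $ip lladdr $mac dev $DEV nud permanent"
        echo "iptables -A INPUT -i $DEV -m mac --mac-source $mac -j ACCEPT"
    done
    echo "iptables -A INPUT -i $DEV -j DROP"
}

# Dry run: print the commands rather than executing them. On a live host,
# pipe the real table in: ip -4 neigh show dev "$DEV" | pick_allowed | gen_rules
printf '%s\n' "$SAMPLE_NEIGH" | pick_allowed | gen_rules
```

As baldy3105 notes above, this only keeps out devices that do not spoof their MAC, so treat it as housekeeping rather than a security boundary.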