From owner-freebsd-questions@FreeBSD.ORG Tue Jul 26 13:05:47 2011
From: Balázs Mátéffy <repcsike@gmail.com>
To: FreeBSD <freebsd-questions@freebsd.org>
Date: Tue, 26 Jul 2011 15:05:46 +0200
Subject: Re: How to deny getting static ip address via pf ?
In-Reply-To: <4E2EB9C3.7060506@infracaninophile.co.uk>
References: <39BA5203083441F49B797E0E12C7B03D@desktop2002> <4E2EB9C3.7060506@infracaninophile.co.uk>
2011/7/26 Matthew Seaman

> On 26/07/2011 11:44, Yavuz Maşlak wrote:
> > I use pf on freebsd as packet filter.
> >
> > I have a wireless area. The users get to the internet using automatic ip
> > from the dhcp server.
> > I wish to deny assigning a static ip address manually.
> >
> > How can I do that with pf or ipfw or another thing?
>
> Interesting problem. Do you control the DHCP server and is it running
> ISC dhcpd? If so, you can parse the dhcpd.leases file to find all of
> the addresses the DHCP server has allocated. Then you could create
> firewall rules that default to blocking the DHCP address range, but are
> overridden to allow the allocated addresses. The table feature in pf
> would be a good way of implementing something like that. (I think ipfw
> has an equivalent feature nowadays too.)
>
> It's not going to be pretty, and you'll need to update the table of
> allowed addresses quite frequently, or legitimate users will find
> themselves locked out of internet access. Also it won't stop someone
> who has hijacked an IP from someone else's lease.
>
> Wondering why your users would prefer manually setting addresses rather
> than using DHCP, since using DHCP takes away virtually all the effort
> involved? If it's because almost all the addresses are already assigned
> to leases and it takes ages to get on-line, then two courses of action
> suggest themselves:
>
> 1) Serve a larger address range through DHCP and/or make the lease
>    times shorter. Assuming you're behind a NAT gateway, this
>    shouldn't be particularly hard to set up.
>
> 2) Look at the 'adaptive-lease-time-threshold' setting in dhcpd.conf
>    -- this says to dynamically shorten lease times once address pool
>    usage goes above a threshold percentage.
>
> Cheers,
>
> Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
>                                                   Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
> JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
>

Hi,

I would run a perl program as a daemon that would parse the dhcp logs for given IPs, then I would load those IPs to a PF table, which that way could contain the trusted hosts, which you would then pass packets from and to. This could work IMHO. But this approach to the problem can contain serious flaws...

Best Regards,
Balazs.
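The lease-table approach that Matthew outlines and Balazs proposes to daemonize, written out as an added example in POSIX sh; this is not code from the thread or from either poster. It assumes a pf table named dhcp_leased, a pf.conf macro $wifi_if, and the FreeBSD isc-dhcp lease file path /var/db/dhcpd/dhcpd.leases, none of which appear in the messages above; the lease records it runs on stand-alone are constructed. It goes slightly beyond the thread in that it also drops records that are still marked active but are already past their end time, since dhcpd does not rewrite the file the instant a lease expires.

```shell
#!/bin/sh
# Added example: feed ISC dhcpd's lease database into a pf table so that only
# addresses the DHCP server actually handed out are passed.
#
# Assumed pf.conf fragment (hypothetical names). With "quick" the first match
# wins: clients may still request a lease, leased hosts pass, everything else
# on the wireless interface is dropped:
#   table <dhcp_leased> persist
#   pass  in quick on $wifi_if inet proto udp from any port 68 to any port 67
#   pass  in quick on $wifi_if from <dhcp_leased> to any
#   block in quick on $wifi_if all
# As Matthew notes, pf matches on IP, not hardware address, so a host that
# copies another client's leased address is indistinguishable from the holder.

# active_leases FILE NOW
#   Print the addresses whose most recent record in FILE is "binding state
#   active" and whose "ends" time is after NOW ("YYYY/MM/DD HH:MM:SS", UTC,
#   the zone dhcpd writes). The fixed-width format lets a string comparison
#   order timestamps. dhcpd.leases is append-only, so a later record for the
#   same address supersedes an earlier one.
active_leases() {
    awk -v now="$2" '
        /^lease [0-9.]+ [{]/    { ip = $2; state = ""; ends = "" }
        /^[ \t]*binding state/  { state = $3; sub(/;$/, "", state) }
        /^[ \t]*ends never/     { ends = "never" }
        /^[ \t]*ends [0-9]/     { ends = $3 " " $4; sub(/;$/, "", ends) }
        /^}/ && ip != "" {
            if (state == "active" && (ends == "never" || ends > now))
                keep[ip] = 1
            else
                delete keep[ip]      # released, expired or unknown: not trusted
            ip = ""
        }
        END { for (a in keep) print a }
    ' "$1" | sort
}

# load_table TABLE FILE
#   Replace pf table TABLE with the current leases using the pfctl(8) table
#   interface. Run it from cron every minute or so; the table goes stale fast.
load_table() {
    tmp=$(mktemp) || return 1
    active_leases "$2" "$(date -u '+%Y/%m/%d %H:%M:%S')" > "$tmp"
    pfctl -t "$1" -T replace -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# write_sample_leases FILE
#   Constructed lease records (not real data): an expired-but-still-active
#   record, an address released by a later record, an infinite lease and a
#   plain current lease.
write_sample_leases() {
    cat > "$1" <<'EOF'
lease 10.0.0.20 {
  starts 2 2011/07/26 12:00:00;
  ends 2 2011/07/26 13:00:00;
  binding state active;
  hardware ethernet 00:00:00:00:00:01;
}
lease 10.0.0.21 {
  starts 2 2011/07/26 12:00:00;
  ends 2 2011/07/26 14:00:00;
  binding state active;
  hardware ethernet 00:00:00:00:00:02;
}
lease 10.0.0.21 {
  starts 2 2011/07/26 12:30:00;
  ends 2 2011/07/26 12:40:00;
  binding state free;
  hardware ethernet 00:00:00:00:00:02;
}
lease 10.0.0.23 {
  starts 2 2011/07/26 12:30:00;
  ends never;
  binding state active;
  hardware ethernet 00:00:00:00:00:04;
}
lease 10.0.0.24 {
  starts 2 2011/07/26 12:30:00;
  ends 2 2011/07/26 15:00:00;
  binding state active;
  hardware ethernet 00:00:00:00:00:05;
}
EOF
}

# Stand-alone run: print the trusted set at a constructed "now" of 13:30 UTC
# (10.0.0.23 and 10.0.0.24). With --load, refresh the real table from the
# assumed FreeBSD isc-dhcp lease path instead (needs root and pf).
if [ "$1" = "--load" ]; then
    load_table dhcp_leased "${2:-/var/db/dhcpd/dhcpd.leases}"
else
    sample=$(mktemp)
    write_sample_leases "$sample"
    active_leases "$sample" "2011/07/26 13:30:00"
    rm -f "$sample"
fi
```

Installed as a cron job with --load, the script is the daemon Balazs describes without needing to stay resident; the awk stage is the part worth testing, since a parser that trusts a stale "active" record or misses a later "free" record for the same address is exactly the lock-out or leak Matthew warns about.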