Date:      Tue, 26 Jul 2011 15:05:46 +0200
From:      Balázs Mátéffy <repcsike@gmail.com>
To:        FreeBSD <freebsd-questions@freebsd.org>
Subject:   Re: How to deny getting static ip address via pf ?
Message-ID:  <CAGUELt8D7v8sqHdRCO51pAwVssM+5=A9tB526gAbmvq1BGdmyA@mail.gmail.com>
In-Reply-To: <4E2EB9C3.7060506@infracaninophile.co.uk>
References:  <39BA5203083441F49B797E0E12C7B03D@desktop2002> <4E2EB9C3.7060506@infracaninophile.co.uk>

2011/7/26 Matthew Seaman <m.seaman@infracaninophile.co.uk>

> On 26/07/2011 11:44, Yavuz Maşlak wrote:
> > I use pf on freebsd as packet filter.
> >
> > I have a wireless area. The users get to the internet using automatic ip
> > from the dhcp server.
> > I wish to deny to assign a static ip address by manual.
> >
> > How can I do that with pf or ipfw or another thing?
>
> Interesting problem.  Do you control the DHCP server and is it running
> ISC dhcpd?  If so, you can parse the dhcpd.leases file to find all of
> the addresses the DHCP server has allocated.  Then you could create
> firewall rules that default to blocking the DHCP address range, but are
> overridden to allow the allocated addresses.  The table feature in pf
> would be a good way of implementing something like that.  (I think ipfw
> has an equivalent feature nowadays too.)
>
> It's not going to be pretty, and you'll need to update the table of
> allowed addresses quite frequently, or legitimate users will find
> themselves locked out of internet access.  Also it won't stop someone
> who has hijacked an IP from someone else's lease.
>
> Wondering why your users would prefer manually setting addresses rather
> than using DHCP, since using DHCP takes away virtually all the effort
> involved? If it's because almost all the addresses are already assigned
> to leases and it takes ages to get on-line, then two courses of action
> suggest themselves:
>
>   1) Serve a larger address range through DHCP and/or make the lease
>      times shorter.  Assuming you're behind a NAT gateway, this
>      shouldn't be particularly hard to set up.
>
>   2) Look at the 'adaptive-lease-time-threshold' setting in dhcpd.conf
>      -- this says to dynamically shorten lease times once address pool
>      usage goes above a threshold percentage.
>
>        Cheers,
>
>        Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
>                                                  Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
> JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
>
>
Hi,

I would run a Perl program as a daemon that would parse the DHCP logs for
given IPs, then I would load those IPs into a PF table, which that way could
contain the trusted hosts, from and to which you would then pass packets.
This could work IMHO. But this approach to the problem can contain serious
flaws...

Best Regards,

Balazs.
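The scheme both replies sketch (block the DHCP range by default, allow only addresses dhcpd has actually leased via a pf table, and keep that table refreshed from the lease file), written out as an added example; this is not code from either poster. It uses sh and awk instead of the Perl daemon Balazs proposes, and reads ISC dhcpd's leases file, as Matthew suggests, rather than the syslog output. Everything specific is an assumption: the wireless interface wlan0, the LAN 192.168.10.0/24, the table name <dhcp_leased>, the leases path /var/db/dhcpd/dhcpd.leases, and the sample lease records, which are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Hosts that hold a current ISC dhcpd
# lease are loaded into a pf table; every other source address on the LAN is
# blocked. sh+awk stand in for the Perl daemon Balazs suggests.
#
# Assumed (hypothetical) pf.conf fragment, loaded with `pfctl -f /etc/pf.conf`:
#
#   wlan_if = "wlan0"                      # assumption: the wireless interface
#   lan_net = "192.168.10.0/24"            # assumption: the DHCP pool lives here
#   table <dhcp_leased> persist            # filled by update_table below
#   # a client has no address yet when it asks for a lease, so DHCP passes first
#   pass in quick on $wlan_if inet proto udp from any port 68 to any port 67
#   # addresses dhcpd has actually handed out
#   pass in quick on $wlan_if from <dhcp_leased> to any
#   # any other LAN source (manually set address, expired lease) is dropped
#   block in quick on $wlan_if from $lan_net to any
#
# Run update_table from cron every minute or so: as Matthew notes, the table
# must be refreshed often or legitimate clients get locked out.

LEASES=${LEASES:-/var/db/dhcpd/dhcpd.leases}   # assumption: ISC dhcpd path on FreeBSD
TABLE=${TABLE:-dhcp_leased}

# Print the addresses whose most recent lease record says "binding state active".
# dhcpd.leases is append-only: when a lease changes state dhcpd appends a new
# block for the same address, so the LAST block for an address is the current
# one. Keying the awk array by address makes later records overwrite earlier.
active_leases() {
    awk '
        $1 == "lease" && $3 == "{"        { ip = $2; state[ip] = "unknown" }
        $1 == "binding" && $2 == "state"  { sub(/;/, "", $3); state[ip] = $3 }
        END { for (ip in state) if (state[ip] == "active") print ip }
    ' "$1" | sort
}

# Replace the whole table in one operation, so an address whose lease ended
# is removed in the same step that newly leased addresses are added.
update_table() {
    tmp=$(mktemp) || return 1
    active_leases "$1" > "$tmp"
    pfctl -t "$2" -T replace -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample leases file (not real data): .101 holds an active lease,
# .102 was active and then released (its later "free" record wins),
# .103 has expired. Only .101 should end up in the table.
write_sample_leases() {
    cat > "$1" <<'EOF'
lease 192.168.10.101 {
  starts 2 2011/07/26 10:00:00;
  ends 2 2011/07/26 22:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.168.10.102 {
  binding state active;
  next binding state free;
  hardware ethernet 00:11:22:33:44:66;
}
lease 192.168.10.103 {
  binding state expired;
  next binding state free;
}
lease 192.168.10.102 {
  binding state free;
  hardware ethernet 00:11:22:33:44:66;
}
EOF
}

# Stand-alone: "--apply" pushes the live leases file into pf (needs root and a
# loaded ruleset); with no argument, show what would be loaded from the sample.
if [ "$1" = "--apply" ]; then
    update_table "$LEASES" "$TABLE"
else
    f=$(mktemp) && write_sample_leases "$f" && active_leases "$f"
    rm -f "$f"
fi
```

Run without arguments it prints 192.168.10.101 from the constructed sample; with `--apply` as root it replaces the <dhcp_leased> table from the real leases file. Two caveats carry over from Matthew's reply: the lease state in the file only flips once dhcpd processes the expiry, so there is a window where an expired address is still passed, and nothing here stops a host that configures itself with an address another client currently leases.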



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAGUELt8D7v8sqHdRCO51pAwVssM%2B5=A9tB526gAbmvq1BGdmyA>