From owner-freebsd-isp Wed Sep 29 14:47:30 1999
Delivered-To: freebsd-isp@freebsd.org
Received: from cliff.i-plus.net (cliff.i-plus.net [209.100.20.42]) by hub.freebsd.org (Postfix) with ESMTP id 6F30E1596B for ; Wed, 29 Sep 1999 14:45:51 -0700 (PDT) (envelope-from st@i-plus.net)
Received: from ARCADIA (arcadia.i-plus.net [209.100.20.198]) by cliff.i-plus.net (8.9.3/8.9.3) with SMTP id RAA71177; Wed, 29 Sep 1999 17:44:57 -0400 (EDT)
From: "Troy Settle"
To: "Nathan Mahon" ,
Subject: RE: Need Authoritative DHCP server ...
Date: Wed, 29 Sep 1999 17:44:56 -0400
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
In-Reply-To:
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2014.211
Importance: Normal
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I don't know of any way to *enforce* the use of DHCP using the stock daemon.
I'm sure it would be possible to hack dhcpd to perform some action when it
grants a lease. For example, set your IPFW to deny all traffic by default,
then hack dhcp so that it adds rules to allow traffic for those IPs it has
given a lease for.

I don't know how well this would work, or if it would even work at all, but
it might be worth looking into.

> -----Original Message-----
> From: Nathan Mahon [mailto:nathanm@socket.net]
> Sent: Wednesday, September 29, 1999 3:46 PM
> To: Troy Settle; freebsd-isp@FreeBSD.ORG
> Subject: RE: Need Authoritative DHCP server ...
>
>
> This is a good setup, however, I'm not sure that it has anything to do with
> the /*enforcement*/ part of my question.
> I need something that will require that the dhcp lease match the ip/mac
> address of the outgoing packet before it will actually translate it...
> I've got issues of users opting not to use DHCP and entering in the numbers
> manually.... this is not something I want to allow...
> So ... i need to find something that will choose not to NAT if the DHCP
> lease doesn't match the originator of the packet.
> Does this make any sense to anyone?
>
> Vaevictus Asmadi
>
> -----Original Message-----
> From: owner-freebsd-isp@FreeBSD.ORG
> [mailto:owner-freebsd-isp@FreeBSD.ORG]On Behalf Of Troy Settle
> Sent: Wednesday, September 29, 1999 12:34 PM
> To: Vaevictus Asmadi; freebsd-isp@FreeBSD.ORG
> Subject: RE: Need Authoritative DHCP server ...
>
>
> Not sure if I'm answering your question here, but I've got a box running
> natd and dhcp without problems.
>
> In this setup, ed0 faces the internet, and ed1 faces the internal LAN.
>
> First, compile your kernel with IPFW and bpfilter.
>
> Second, apply these IPFW rules:
>
> 00100 divert 8668 ip from any to any via ed1
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 65000 allow ip from any to any
>
> Third, enable natd with the following options in /etc/rc.conf:
>
> natd_enable="YES"
> natd_interface="ed1"
> natd_flags="-s -m"
>
> Fourth, install and configure DHCP.
> From my /etc/dhcpd.conf:
>
> server-identifier 10.10.100.1;
> subnet 10.10.100.0 netmask 255.255.255.0 {
>   range 10.10.100.2 10.10.100.254;
>   option domain-name-servers xxx.yyy.zzz.3, xxx.yyy.zzz.4, xxx.yyy.zzz.5;
>   option routers 10.10.100.1;
>   option subnet-mask 255.255.255.0;
>   option broadcast-address 10.10.100.255;
>   default-lease-time 2592000;
>   max-lease-time 2592000;
> }
>
> # match this to the subnet facing the internet
> subnet xxx.yyy.zzz.0 netmask 255.255.255.0 {
> }
>
> Hope this helps,
>
> -Troy
>
> > -----Original Message-----
> > From: owner-freebsd-isp@FreeBSD.ORG
> > [mailto:owner-freebsd-isp@FreeBSD.ORG]On Behalf Of Vaevictus Asmadi
> > Sent: Wednesday, September 29, 1999 9:39 AM
> > To: freebsd-isp@FreeBSD.ORG
> > Subject: Need Authoritative DHCP server ...
> >
> >
> > I need a reliable DHCP server that will either do NAT or use existing NAT,
> > and using the NAT to enforce use of DHCP...
> > Is this possible?
> > Has anyone got this to work?
> >
> > Vaevictus Asmadi

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
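As an added example, not code from any of the posters, here is one way to build the lease-driven allow list Troy sketches above without patching dhcpd: read ISC dhcpd's leases file, emit an ipfw allow rule for every currently active lease, and finish with a default deny for anything else entering on the LAN interface. The leases syntax (ISC DHCP 3 "binding state" records), the sample records, the interface name ed1, and the rule numbers 10000 and 60000 are all assumptions; Troy's natd divert rule is not included and would need to be ordered relative to these.

```shell
#!/bin/sh
# Constructed sample of ISC dhcpd's /var/db/dhcpd.leases (ISC DHCP 3 "binding
# state" syntax assumed). dhcpd appends a record on every lease change, so the
# LAST record for an address is current: 10.10.100.6 was active, then freed.
SAMPLE_LEASES='lease 10.10.100.5 {
  ends 4 1999/10/29 21:44:57;
  binding state active;
  hardware ethernet 00:50:04:aa:bb:cc;
}
lease 10.10.100.6 {
  ends 3 1999/09/29 21:00:00;
  binding state active;
  hardware ethernet 00:50:04:dd:ee:ff;
}
lease 10.10.100.7 {
  ends 4 1999/10/29 21:50:00;
  binding state active;
  hardware ethernet 00:50:04:11:22:33;
}
lease 10.10.100.6 {
  ends 3 1999/09/29 21:00:00;
  binding state free;
  hardware ethernet 00:50:04:dd:ee:ff;
}'

# lease_rules LAN_IF: read a leases file on stdin and print one "ipfw add"
# allow line per currently active lease (sorted for stable output). The MAC
# rides along as a shell comment so the generated rules can be audited.
lease_rules() {
    awk -v ifc="$1" '
        /^lease /           { ip = $2; state = ""; mac = "" }
        /binding state/     { state = $3; sub(/;/, "", state) }
        /hardware ethernet/ { mac = $3; sub(/;/, "", mac) }
        $1 == "}"           { cur[ip] = state; hw[ip] = mac }
        END {
            for (ip in cur)
                if (cur[ip] == "active")
                    printf "ipfw add 10000 allow ip from %s to any in via %s # %s\n",
                           ip, ifc, hw[ip]
        }' | sort
}

# enforce_ruleset LAN_IF: the per-lease allows, then a default deny for any
# other source address arriving on the LAN side (assumed rule numbers).
enforce_ruleset() {
    lease_rules "$1"
    printf 'ipfw add 60000 deny ip from any to any in via %s\n' "$1"
}
printf '%s\n' "$SAMPLE_LEASES" | enforce_ruleset ed1
```

Re-running the generator from a cron job (or a dhcpd "on commit" hook on versions that have it) and loading its output keeps the firewall in step with the lease database; the "in via" qualifier limits the deny to packets entering from the LAN, so replies to leased hosts are unaffected.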