How to deny getting static ip address via pf ?

Matthew Seaman m.seaman at infracaninophile.co.uk
Tue Jul 26 12:57:51 UTC 2011


On 26/07/2011 11:44, Yavuz Maşlak wrote:
> I use pf on FreeBSD as a packet filter.
> 
> I have a wireless area. The users get to the Internet using automatic IP
> addresses from the DHCP server.
> I wish to deny the manual assignment of a static IP address.
> 
> How can I do that with pf or ipfw or another thing?

Interesting problem.  Do you control the DHCP server and is it running
ISC dhcpd?  If so, you can parse the dhcpd.leases file to find all of
the addresses the DHCP server has allocated.  Then you could create
firewall rules that default to blocking the DHCP address range, but are
overridden to allow the allocated addresses.  The table feature in pf
would be a good way of implementing something like that.  (I think ipfw
has an equivalent feature nowadays too.)

It's not going to be pretty, and you'll need to update the table of
allowed addresses quite frequently, or legitimate users will find
themselves locked out of internet access.  Also it won't stop someone
who has hijacked an IP from someone else's lease.

Wondering why your users would prefer manually setting addresses rather
than using DHCP, since using DHCP takes away virtually all the effort
involved? If it's because almost all the addresses are already assigned
to leases and it takes ages to get on-line, then two courses of action
suggest themselves:

   1) Serve a larger address range through DHCP and/or make the lease
      times shorter.  Assuming you're behind a NAT gateway, this
      shouldn't be particularly hard to set up.

   2) Look at the 'adaptive-lease-time-threshold' setting in dhcpd.conf
      -- this says to dynamically shorten lease times once address pool
      usage goes above a threshold percentage.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matthew at infracaninophile.co.uk
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
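One way to implement the leases-to-table idea Matthew sketches, as an added example that is not part of the original thread: a POSIX sh/awk script that reads dhcpd.leases, keeps only addresses whose latest record is still active, and replaces a pf table with them, alongside the pf.conf fragment that blocks the pool by default and lets the table override it. The lease file path, table name, interface and pool range are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed (constructed) values:
# ISC dhcpd on this host, the lease file path below, pf table <dhcp_leased>,
# wireless pool 192.168.1.0/24 on interface wlan0.
LEASES_FILE=${LEASES_FILE:-/var/db/dhcpd/dhcpd.leases}
TABLE=dhcp_leased

# Print addresses whose most recent lease record says "binding state active".
# dhcpd appends records, so the last block for an IP wins; "next binding
# state ..." lines do not start with "binding" and are ignored.
active_leases() {
    awk '
        $1 == "lease"   { ip = $2; state = "" }
        $1 == "binding" { state = $3; sub(/;$/, "", state) }
        $1 == "}"       { if (ip != "") last[ip] = state; ip = "" }
        END { for (ip in last) if (last[ip] == "active") print ip }
    ' "$@" | sort
}

# pf.conf fragment: default-block the pool, let the table override it
# ("quick" on the pass rule makes it win before the pool-wide block).
pf_rules() {
    cat <<EOF
table <$TABLE> persist
pass in quick on wlan0 from <$TABLE> to any
block in quick on wlan0 from 192.168.1.0/24 to any
EOF
}

# Replace the table contents in one step. Run from cron every minute or so:
# as the post notes, a stale table locks legitimate clients out.
update_table() {
    tmp=$(mktemp) || return 1
    active_leases "$LEASES_FILE" > "$tmp" && pfctl -t "$TABLE" -T replace -f "$tmp"
    rc=$?; rm -f "$tmp"; return $rc
}
# Constructed dhcpd.leases sample: .50 is active, .51 was released (last record free).
SAMPLE_LEASES='lease 192.168.1.50 {
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.168.1.51 {
  binding state active;
  next binding state free;
}
lease 192.168.1.51 {
  binding state free;
}'
if [ "${1:-}" = apply ]; then update_table; fi   # only touches pf when asked to
```

Invoked without arguments the script only defines the functions; `sh script.sh apply` on the gateway rewrites the table, and the pf_rules output is meant to be pasted into pf.conf once.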
