How to deny getting static ip address via pf ?

Balázs Mátéffy repcsike at gmail.com
Tue Jul 26 13:05:47 UTC 2011


2011/7/26 Matthew Seaman <m.seaman at infracaninophile.co.uk>

> On 26/07/2011 11:44, Yavuz Maşlak wrote:
> > I use pf on freebsd as packet filter.
> >
> > I have a wireless area. The users get to the internet using automatic ip
> > from the dhcp server.
> > I wish to deny to assign a static ip address by manual.
> >
> > How can I do that with pf or ipfw or another thing?
>
> Interesting problem.  Do you control the DHCP server and is it running
> ISC dhcpd?  If so, you can parse the dhcpd.leases file to find all of
> the addresses the DHCP server has allocated.  Then you could create
> firewall rules that default to blocking the DHCP address range, but are
> overridden to allow the allocated addresses.  The table feature in pf
> would be a good way of implementing something like that.  (I think ipfw
> has an equivalent feature nowadays too.)
>
> It's not going to be pretty, and you'll need to update the table of
> allowed addresses quite frequently, or legitimate users will find
> themselves locked out of internet access.  Also it won't stop someone
> who has hijacked an IP from someone else's lease.
>
> Wondering why your users would prefer manually setting addresses rather
> than using DHCP, since using DHCP takes away virtually all the effort
> involved? If it's because almost all the addresses are already assigned
> to leases and it takes ages to get on-line, then two courses of action
> suggest themselves:
>
>   1) Serve a larger address range through DHCP and/or make the lease
>      times shorter.  Assuming you're behind a NAT gateway, this
>      shouldn't be particularly hard to set up.
>
>   2) Look at the 'adaptive-lease-time-threshold' setting in dhcpd.conf
>      -- this says to dynamically shorten lease times once address pool
>      usage goes above a threshold percentage.
>
>        Cheers,
>
>        Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
>                                                  Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
> JID: matthew at infracaninophile.co.uk               Kent, CT11 9PW
>
>
Hi,

I would run a perl program as a daemon that would parse the dhcp logs for
given IPs, then I would load those IPs to a PF table, which that way could
contain the trusted hosts, which you would then pass packets from and to.
This could work IMHO. But this approach to the problem can contain serious
flaws...

Best Regards,

Balazs.
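
The approach both replies sketch (parse dhcpd.leases, allow only currently active leases through a pf table, block the rest of the DHCP range), as an added example in Python rather than Perl; this is not code from the thread, and the table name dhcp_clients, the 192.168.1.0/24 range and the sample lease records are assumptions:

```python
import re
from datetime import datetime, timezone

# Constructed sample of an ISC dhcpd.leases file (not from the thread). The file is
# append-only, so the LAST record for an IP is current: .50's second record wins.
SAMPLE_LEASES = """\
lease 192.168.1.50 {
  ends 2 2011/07/26 12:00:00;
  binding state active;
}
lease 192.168.1.51 {
  ends 2 2011/07/26 09:30:00;
  binding state free;
}
lease 192.168.1.50 {
  ends 2 2011/07/26 13:00:00;
  binding state active;
}
lease 192.168.1.52 {
  ends never;
  binding state active;
}
"""
LEASE_RE = re.compile(r"lease\s+(\d+\.\d+\.\d+\.\d+)\s*\{(.*?)\}", re.S)
ENDS_RE = re.compile(r"\bends (never|\d \d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2});")
STATE_RE = re.compile(r"\bbinding state (\w+);")

def parse_leases(text):
    """Map each IP to (binding state, expiry as UTC datetime, or None for 'never')."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        state, ends = STATE_RE.search(body), ENDS_RE.search(body)
        if not state or not ends:
            continue  # incomplete record: do not trust it
        expiry = None
        if ends.group(1) != "never":
            # dhcpd writes '<weekday> YYYY/MM/DD HH:MM:SS' in UTC; drop the weekday
            expiry = datetime.strptime(ends.group(1)[2:], "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)
        leases[ip] = (state.group(1), expiry)  # later record overwrites earlier
    return leases

def active_ips(text, now):
    """IPs whose current lease is 'active' and has not expired at `now`."""
    return sorted(ip for ip, (state, expiry) in parse_leases(text).items()
                  if state == "active" and (expiry is None or expiry > now))

def pfctl_replace_command(table, ips):
    """argv that atomically replaces the pf table's contents with these addresses."""
    return ["pfctl", "-t", table, "-T", "replace", *ips]
```

The matching pf.conf would declare `table <dhcp_clients> persist` and put `pass in quick on $wifi_if from <dhcp_clients>` ahead of a `block in on $wifi_if from 192.168.1.0/24`. As Matthew notes, this has to be rerun often (from cron, or whenever the leases file changes) and does nothing against a host that borrows an address from someone else's live lease.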

