How to deny getting static ip address via pf ?

Eric S Pulley pulley at
Tue Jul 26 18:18:15 UTC 2011

On Tue, July 26, 2011 9:01 am, Chuck Swiger wrote:
> On Jul 26, 2011, at 3:44 AM, Yavuz Maşlak wrote:
>> I use pf on freebsd as packet filter.
>> I have a wireless area. The users get to the internet using automatic ip
>> from the dhcp server.
>> I wish to deny to assign a static ip address by manual.
> You can't prevent someone from doing manual configuration.
> If you were connecting via a smart switch, you can configure MAC address
> filtering on each of the switch ports and then use DHCPd to only assign
> each MAC to the right range or static IP, and then use an IP-based
> firewall to control traffic from there.  If a user tried to spoof some
> other MAC, the switch would block such traffic.
> However, with wireless, nothing prevents the users from spoofing other
> MACs.
> Regards,
> --
> -Chuck

If your purpose is to deny a person the ability to add themselves manually
to your local net and then get to other networks, this is a perfect example
of the use for authpf. Combine authpf with port security on your local
switch (if you have that functionality).

But they can still spoof their MAC, so it doesn't protect the local wifi
subnet much. The only thing I know works 100% is to set up a wifi net that is
unrouted with nothing in it but a VPN concentrator; once someone connects
to the wifi net, they establish an encrypted VPN connection that will
route the VPN traffic in/out of the wifi net.

Might be an interesting project for someone to add a PKI auth layer to the
DHCP protocol if someone hasn't already. I can think of several uses for

Of course Cisco has something that might work for you:
I'd rather figure something else out than pay them for their crap though.
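A pf.conf sketch of the "unrouted wifi net with nothing in it but a VPN concentrator" design Eric describes, added here as an illustration and not taken from the thread or from any poster. The interface names, addresses and the IPsec ports (UDP 500/4500 plus ESP) are assumptions; the point is that a client on the wifi segment, whether it took a DHCP lease or set an address by hand, can reach nothing but the DHCP server and the VPN endpoint, so a manually chosen address buys it nothing.

```pf
# Constructed example: FreeBSD pf.conf for a quarantined wifi segment.
# Assumed names: wlan0 = wifi segment, tun0 = decrypted VPN tunnel, em0 = uplink.
wifi_if  = "wlan0"
vpn_if   = "tun0"
ext_if   = "em0"
wifi_net = "10.10.0.0/24"
vpn_gw   = "10.10.0.1"        # this host's own address on the wifi segment

set skip on lo0
block log all                 # default deny in both directions, logged

# DHCP exchange with this host only, so clients can still take a lease
pass in  quick on $wifi_if inet proto udp from any port 68 to any port 67
pass out quick on $wifi_if inet proto udp from any port 67 to any port 68

# The only thing the wifi segment may talk to is the VPN concentrator itself:
# IKE (UDP 500), NAT-T (UDP 4500) and ESP. Swap in your own VPN's ports/protocol.
pass in quick on $wifi_if inet proto udp from $wifi_net to $vpn_gw port { 500, 4500 }
pass in quick on $wifi_if inet proto esp from $wifi_net to $vpn_gw

# Everything else arriving from the wifi segment is dropped, whatever its
# source address; the segment is never forwarded anywhere in the clear.
block in log quick on $wifi_if

# Only traffic that has already been authenticated and decrypted on the
# tunnel interface is allowed out to the rest of the network.
pass in  quick on $vpn_if
pass out quick on $ext_if keep state
```

Load it with `pfctl -f /etc/pf.conf` and watch `pflog0` with `tcpdump -n -e -ttt -i pflog0`; any non-VPN traffic a client sends from a hand-configured address shows up there as a logged block rather than reaching anything.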