
Re: checking the not allowed changing of IP's



On Mon, Oct 15, 2001 at 11:49:19PM +0200, Imran Geriskovan wrote:
> Hi,
> 
> We use DHCP in our LAN.
> I wonder if I can block any traffic generated by any
> local computer which did NOT get its IP from DHCP server.
> (DHCP server and gateway/firewall are on the same box)
> 
> Any ideas?

You could write scripts to add/delete firewall rules when
certain "events" happen to the DHCP server.  I think ISC dhcp
supports this sort of thing.  Check the man page.

The idea is that when the DHCP server hands out a lease to a
certain machine, your script gets run to add a rule allowing
'Net access.  When the lease expires, the DHCP server calls your
script to remove the rule.

Also, if you have a small enough number of machines on your LAN,
you could build up a list of the machines/MAC addresses and use
arpwatch to see when someone's changed their IP address.  Then
go and tell them not to.

-- 
Michael Wood
mwood@its.uct.ac.za
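
The lease-event approach from the reply above, as an added example that is not part of the original message or of the ISC dhcp distribution. It assumes ISC dhcpd's `on commit` / `on release` / `on expiry` events with the `execute()` statement, iptables with the `mac` match, and a hypothetical script path and chain name (`DHCP_OK`).

```shell
#!/bin/sh
# dhcp-fw.sh EVENT IP [MAC]: hypothetical lease hook (added example).
# Assumed dhcpd.conf wiring (ISC dhcpd event + execute() statements):
#   on commit { set ip = binary-to-ascii(10, 8, ".", leased-address);
#     set mac = binary-to-ascii(16, 8, ":", substring(hardware, 1, 6));
#     execute("/usr/local/sbin/dhcp-fw.sh", "commit", ip, mac); }
#   on release / on expiry: same, passing "release"/"expiry" and ip only.
# Assumed firewall layout: FORWARD jumps to $CHAIN, then drops LAN traffic.
CHAIN=${CHAIN:-DHCP_OK}
IPTABLES=${IPTABLES:-iptables}

valid_ip() {    # dotted quad, each octet 0-255, nothing else
    case $1 in ''|*[!0-9.]*) return 1;; esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

norm_mac() {    # dhcpd prints 0:1a:..; the mac match wants 00:1a:..
    case $1 in ''|*[!0-9A-Fa-f:]*) return 1;; esac
    old_ifs=$IFS; IFS=:; set -- $1; IFS=$old_ifs
    [ $# -eq 6 ] || return 1
    for o in "$@"; do case ${#o} in 1|2) ;; *) return 1;; esac; done
    printf '%02x:%02x:%02x:%02x:%02x:%02x\n' \
        "0x$1" "0x$2" "0x$3" "0x$4" "0x$5" "0x$6"
}

allow_rule() {  # print the rule spec for one lease, or fail on bad input
    valid_ip "$1" || return 1
    mac=$(norm_mac "$2") || return 1
    printf '%s\n' "-s $1 -m mac --mac-source $mac -j ACCEPT"
}

main() {
    case $1 in
    commit)     # fires on every renewal too, so only add when missing
        rule=$(allow_rule "$2" "$3") || return 2
        $IPTABLES -C "$CHAIN" $rule 2>/dev/null || $IPTABLES -A "$CHAIN" $rule ;;
    release|expiry)  # no MAC is passed on these events: remove by source IP
        valid_ip "$2" || return 2
        $IPTABLES -S "$CHAIN" | grep -F -- "-s $2/32 " | sed 's/^-A/-D/' |
            while read -r rule; do $IPTABLES $rule; done ;;
    *) echo "usage: $0 commit|release|expiry IP [MAC]" >&2; return 2 ;;
    esac
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Binding each rule to the leased IP and the MAC together means a host that keeps its IP but was never given a lease, or that takes over another host's address, matches no rule in the chain.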


