
Re: Re: Block IP addresses via DHCP?



On Tuesday, 09.08.2005 at 16:04 +0200, bratac@t-onleine.com wrote:

> I know this, but this will make my netfilter ruleset very complicated
> and slow, as you say. But I've seen something on some firewall
> "Blackbox" (Fortigate I think), and now I try to do the same. In the
> "Blackbox" DHCP I could set up "static" IP addresses to MAC addresses.
> And the "Blackbox" binds automatically all other free IPs to its own
> LAN interface, so no client could use a not allowed IP address.

(Please reply on-list, not a private reply ...)

Well now that's a different question.  You originally asked about
stopping the use of a static IP assignment on a second machine with the
same address as one already configured on an existing machine via DHCP.

Now you're asking about stopping the use of an *unused* (as in
"unleased" by the DHCP server) address.  That's a different thing.

1. There's nothing stopping anyone on your LAN assigning *any* valid IP
as a static address on their machine, so long as (a) their MAC is
allowed to connect to the local switch, (b) the IP itself is in the
right range and has the right netmask etc. and (c) you don't try to stop
it by using MAC-based firewalling.

2. If you want to prohibit the use of an unleased IP, then your firewall
script will need to know which IPs have been leased.  I suspect you
could do this fairly easily by writing a firewall ruleset which reads a
list of IPs from a file, and additionally have a script which (a) reads
the DHCP leases file and puts the IP list into a file and (b) reloads
the firewall ruleset.  This would obviously mean reloading the firewall
ruleset each time there was a change in the DHCP leases.  A 'blackbox'
firewall could easily have been configured to do something like that, I
suppose.

Dave.
-- 
Please don't CC me on list messages!
...
Dave Ewart - davee@sungate.co.uk - jabber: davee@jabber.org
All email from me is now digitally signed, key from http://www.sungate.co.uk/
Fingerprint: AEC5 9360 0A35 7F66 66E9 82E4 9E10 6769 CD28 DA92
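The lease-file-to-ruleset idea in point 2 above, as an added example that is not part of the original message: it parses a constructed ISC dhcpd.leases excerpt (the file is append-only, so the last block for an IP wins, and expired leases show up as "binding state free") and renders the iptables commands for a chain that only lets leased or statically registered sources through. The chain name LEASED, the interface eth1 and the sample addresses are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample in ISC dhcpd.leases syntax (not from the mailing-list message).
# Note 192.168.1.20 appears twice: the later block supersedes the earlier one.
SAMPLE_LEASES = """\
lease 192.168.1.20 {
  starts 2 2005/08/09 14:04:00;
  ends 2 2005/08/09 18:04:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.168.1.21 {
  starts 2 2005/08/09 14:10:00;
  ends 2 2005/08/09 14:20:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:66;
}
lease 192.168.1.20 {
  starts 2 2005/08/09 18:04:00;
  ends 2 2005/08/09 22:04:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
"""

LEASE_RE = re.compile(r"lease\s+(\d+\.\d+\.\d+\.\d+)\s*\{(.*?)\}", re.S)
# Anchored at line start so "next binding state free;" is not mistaken for the state.
STATE_RE = re.compile(r"^\s*binding state\s+(\w+);", re.M)

def active_leases(text: str) -> List[str]:
    """Return the IPs whose most recent lease block is 'binding state active'."""
    latest: Dict[str, str] = {}
    for ip, body in LEASE_RE.findall(text):
        m = STATE_RE.search(body)
        latest[ip] = m.group(1) if m else "unknown"   # last block for an IP wins
    return sorted(ip for ip, state in latest.items() if state == "active")

def ruleset(leased: List[str], static: List[str], lan_if: str = "eth1") -> List[str]:
    """Render iptables commands: RETURN for allowed sources on lan_if, DROP everything else.
    The caller hooks the chain in once, e.g. 'iptables -I FORWARD -i eth1 -j LEASED'
    (and the same for INPUT), then re-runs this output whenever the leases file changes."""
    allowed = sorted(set(leased) | set(static))
    rules = ["iptables -N LEASED 2>/dev/null", "iptables -F LEASED"]
    rules += [f"iptables -A LEASED -i {lan_if} -s {ip} -j RETURN" for ip in allowed]
    rules.append("iptables -A LEASED -j DROP")   # unleased source address: dropped
    return rules

if __name__ == "__main__":
    print("\n".join(ruleset(active_leases(SAMPLE_LEASES), ["192.168.1.2"])))
```

In practice the script would read /var/lib/dhcp/dhcpd.leases (path varies by distribution) and be triggered from cron or a file-change watcher, since the firewall only knows about a new lease after the next reload.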
