On Tuesday, 09.08.2005 at 16:04 +0200, bratac@t-onleine.com wrote:

> I know this, but this will make my netfilter ruleset very complicated
> and slow, as you say. But I've seen something on some firewall
> "blackbox" (Fortigate I think), and now I try to do the same. In the
> "blackbox" DHCP I could set up "static" IP addresses to MAC addresses.
> And the "blackbox" binds automatically all other free IPs to its own
> LAN interface, so no client could use an IP address that is not allowed.

(Please reply on-list, not a private reply ...)

Well, now that's a different question. You originally asked about stopping
the use of a static IP assignment on a second machine with the same
address as one already configured on an existing machine via DHCP. Now
you're asking about stopping the use of an *unused* (as in "unleased" by
the DHCP server) address. That's a different thing.

1. There's nothing stopping anyone on your LAN assigning *any* valid IP as
a static address on their machine, so long as (a) their MAC is allowed to
connect to the local switch, (b) the IP itself is in the right range and
has the right netmask etc. and (c) you don't try to stop it by using
MAC-based firewalling.

2. If you want to prohibit the use of an unleased IP, then your firewall
script will need to know which IPs have been leased. I suspect you could
do this fairly easily by writing a firewall ruleset which reads a list of
IPs from a file, and additionally have a script which (a) reads the DHCP
leases file and puts the IP list into a file and (b) reloads the firewall
ruleset. This would obviously mean reloading the firewall ruleset each
time there was a change in the DHCP leases.

A 'blackbox' firewall could easily have been configured to do something
like that, I suppose.

Dave.

-- 
Please don't CC me on list messages! ...
Dave Ewart - davee@sungate.co.uk - jabber: davee@jabber.org
All email from me is now digitally signed, key from http://www.sungate.co.uk/
Fingerprint: AEC5 9360 0A35 7F66 66E9 82E4 9E10 6769 CD28 DA92
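The two-step approach Dave sketches in point 2 (read the leases file, then reload the ruleset) can be folded into one script. The following is an added example written for this note, not code from the thread or from any of the posters. It assumes the ISC dhcpd 3.x leases-file format (one "lease IP { ... binding state ...; hardware ethernet ...; }" record per entry, later records for the same IP superseding earlier ones), an iptables build with the "mac" match and the "-C" (check) option, a LAN interface name given as the first argument, and the filename leased_rules.sh; the sample leases embedded at the bottom are constructed for the demonstration. It pairs each leased IP with the MAC that holds the lease, which also covers the original question (a second machine on a different MAC using an address already leased to someone else), and it keeps the DHCP client-to-server port open so a host with no lease yet can still obtain one.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild an iptables allowlist of
# (IP, MAC) pairs from the DHCP server's leases file, so that traffic from
# addresses the DHCP server has not leased is dropped at the gateway.
# Assumptions: ISC dhcpd 3.x leases format, iptables with the "mac" match
# and "-C", LAN interface passed as $1, leases file passed as $2.

# Print "IP MAC" for every address whose most recent lease record is active.
# dhcpd appends to the file, so the last record for an IP is the current one.
active_leases() {   # $1 = path to dhcpd.leases
    awk '
        /^lease /                  { ip = $2; state = ""; mac = "" }
        /^[ \t]*binding state /    { state = $3; sub(/;$/, "", state) }
        /^[ \t]*hardware ethernet/ { mac = $3; sub(/;$/, "", mac) }
        /^}/                       { if (ip != "") { st[ip] = state; hw[ip] = mac; ip = "" } }
        END { for (i in st) if (st[i] == "active" && hw[i] != "") print i, hw[i] }
    ' "$1" | sort
}

# Emit the iptables commands that enforce the allowlist. They are printed,
# not executed, so the output can be reviewed before being piped to sh.
generate_rules() {   # $1 = LAN interface, $2 = path to dhcpd.leases
    lan=$1
    leases=$2
    echo "iptables -N leased 2>/dev/null"
    echo "iptables -F leased"
    # A client with no lease yet must still be able to ask for one:
    # DHCPDISCOVER/REQUEST go from port 68 (source 0.0.0.0) to port 67.
    echo "iptables -A leased -p udp --sport 68 --dport 67 -j RETURN"
    # Each leased IP is accepted only from the MAC that holds the lease.
    active_leases "$leases" | while read -r ip mac; do
        echo "iptables -A leased -s $ip -m mac --mac-source $mac -j RETURN"
    done
    echo "iptables -A leased -j DROP"
    # Hook the chain in front of INPUT and FORWARD exactly once; the "mac"
    # match only works in those chains and in PREROUTING, never in OUTPUT.
    for chain in INPUT FORWARD; do
        echo "iptables -C $chain -i $lan -j leased 2>/dev/null || iptables -I $chain 1 -i $lan -j leased"
    done
}

# Constructed sample of a dhcpd.leases file: .50 was leased and then freed
# (its later record wins), .51 is currently active.
sample_leases() {
cat <<'EOF'
lease 192.168.1.50 {
  starts 2 2005/08/09 12:00:00;
  ends 2 2005/08/09 14:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:50;
}
lease 192.168.1.51 {
  starts 2 2005/08/09 13:00:00;
  ends 2 2005/08/09 15:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:51;
}
lease 192.168.1.50 {
  starts 2 2005/08/09 12:00:00;
  ends 2 2005/08/09 14:00:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:50;
}
EOF
}

# Stand-alone use: "sh leased_rules.sh eth1 /var/lib/dhcp/dhcpd.leases | sh".
# With no arguments, show the rules the constructed sample would produce.
if [ $# -ge 2 ]; then
    generate_rules "$1" "$2"
else
    tmp=$(mktemp) && sample_leases > "$tmp" && generate_rules eth1 "$tmp"
    rm -f "$tmp"
fi
```

Run it from cron, or from whatever lease-change hook your dhcpd version can call, so the chain is rebuilt each time the leases change; only the "leased" chain is flushed, so the rest of the ruleset is untouched. Note the limit Dave states in point 1: this only governs traffic that crosses the firewall box. Two hosts on the same switch can still talk to each other on any addresses they like, and the DROP also means a host that loses its lease loses connectivity until it renews, which is the intended effect.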