On 26/07/2011 11:44, Yavuz Maşlak wrote:
> I use pf on FreeBSD as packet filter.
>
> I have a wireless area. The users get to the internet using automatic IP
> from the DHCP server.
> I wish to deny the ability to assign a static IP address manually.
>
> How can I do that with pf or ipfw or another thing?
Interesting problem. Do you control the DHCP server and is it running ISC dhcpd? If so, you can parse the dhcpd.leases file to find all of the addresses the DHCP server has allocated. Then you could create firewall rules that default to blocking the DHCP address range, but are overridden to allow the allocated addresses. The table feature in pf would be a good way of implementing something like that. (I think ipfw has an equivalent feature nowadays too.)

It's not going to be pretty, and you'll need to update the table of allowed addresses quite frequently, or legitimate users will find themselves locked out of internet access. Also it won't stop someone who has hijacked an IP from someone else's lease.

Wondering why your users would prefer manually setting addresses rather than using DHCP, since using DHCP takes away virtually all the effort involved? If it's because almost all the addresses are already assigned to leases and it takes ages to get on-line, then two courses of action suggest themselves:

1) Serve a larger address range through DHCP and/or make the lease times shorter. Assuming you're behind a NAT gateway, this shouldn't be particularly hard to set up.

2) Look at the 'adaptive-lease-time-threshold' setting in dhcpd.conf -- this says to dynamically shorten lease times once address pool usage goes above a threshold percentage.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matt...@infracaninophile.co.uk               Kent, CT11 9PW
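The leases-to-pf-table approach described in the reply above, as an added worked example (not code from the original thread or from the FreeBSD or ISC projects). It parses a dhcpd.leases file, keeps only addresses whose most recent lease block is still "active" and unexpired, and renders them in the form `pfctl -t dhcp_leases -T replace -f FILE` loads. The interface name wlan0, the pool 192.168.10.0/24, the output path /var/db/pf_dhcp_leases and the sample leases file are all assumptions made for the example:

```python
#!/usr/bin/env python3
"""Generate a pf table of addresses ISC dhcpd has actually leased.

dhcpd.leases is append-only: a lease block written later supersedes an
earlier block for the same address, so the last block per address wins.
Only addresses whose final state is "active" and whose "ends" time has
not passed are emitted. (Example code; paths and interface are assumed.)
"""
import re
import sys
from datetime import datetime, timezone

# Constructed sample in dhcpd.leases(5) format; not a real leases file.
# 192.168.10.20 is active first and released later, so it must be dropped;
# 192.168.10.22 is active but its lease has already expired.
SAMPLE_LEASES = """\
lease 192.168.10.20 {
  starts 2 2011/07/26 09:00:00;
  ends 2 2011/07/26 11:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.168.10.21 {
  starts 2 2011/07/26 09:30:00;
  ends 2 2011/07/26 11:30:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:11:22:33:44:66;
  client-hostname "laptop";
}
lease 192.168.10.20 {
  starts 2 2011/07/26 09:00:00;
  ends 2 2011/07/26 11:00:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.168.10.22 {
  starts 2 2011/07/26 08:00:00;
  ends 2 2011/07/26 08:10:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:77;
}
"""

# One block per "lease A.B.C.D { ... }"; the closing brace sits at line start.
LEASE_RE = re.compile(r"^lease\s+(\d+\.\d+\.\d+\.\d+)\s*\{(.*?)^\}", re.S | re.M)
# Anchored at line start so "next binding state ..." is not taken as the state.
STATE_RE = re.compile(r"^\s*binding state\s+(\w+)\s*;", re.M)
# "ends <weekday> YYYY/MM/DD HH:MM:SS;" (UTC) or "ends never;"
ENDS_RE = re.compile(
    r"^\s*ends\s+(?:\d\s+)?(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}|never)\s*;", re.M)


def parse_lease_time(text):
    """Parse a dhcpd.leases timestamp (UTC) into an aware datetime."""
    return datetime.strptime(text, "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)


def active_leases(leases_text, now):
    """Return addresses holding a current, unexpired 'active' lease at `now`."""
    last = {}  # address -> (binding state, ends) from its most recent block
    for m in LEASE_RE.finditer(leases_text):
        addr, body = m.group(1), m.group(2)
        state = STATE_RE.search(body)
        ends = ENDS_RE.search(body)
        last[addr] = (state.group(1) if state else None,
                      ends.group(1) if ends else None)
    allowed = []
    for addr, (state, ends) in last.items():
        if state != "active" or ends is None:
            continue
        if ends != "never" and parse_lease_time(ends) <= now:
            continue  # expired, but dhcpd has not rewritten the file yet
        allowed.append(addr)
    return sorted(allowed, key=lambda a: tuple(int(o) for o in a.split(".")))


def pf_table_file(addresses):
    """Render one address per line, the form `pfctl -T replace -f` reads."""
    return "".join(a + "\n" for a in addresses)


# Matching pf.conf fragment (assumed interface wlan0 and pool 192.168.10.0/24).
PF_RULES = """\
wifi_if = "wlan0"
dhcp_pool = "192.168.10.0/24"
table <dhcp_leases> persist file "/var/db/pf_dhcp_leases"
# DHCP itself must always pass, or no client can obtain a lease at all.
pass in quick on $wifi_if proto udp from any port 68 to any port 67
# Only addresses dhcpd has actually handed out may send traffic ...
pass in quick on $wifi_if from <dhcp_leases> to any
# ... anything else claiming an address from the pool is dropped.
block in quick on $wifi_if from $dhcp_pool to any
"""

if __name__ == "__main__":
    # Intended use, from cron every minute or so (paths are assumptions):
    #   dhcp_pf_table.py /var/db/dhcpd.leases /var/db/pf_dhcp_leases
    #   pfctl -t dhcp_leases -T replace -f /var/db/pf_dhcp_leases
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            text = f.read()
        out_path, now = sys.argv[2], datetime.now(timezone.utc)
    else:  # no arguments: show the sample at a time inside its leases
        text, out_path = SAMPLE_LEASES, "/dev/stdout"
        now = parse_lease_time("2011/07/26 10:00:00")
    with open(out_path, "w") as f:
        f.write(pf_table_file(active_leases(text, now)))
```

Run from cron at a short interval and followed by the `pfctl -T replace` call, this keeps the table close to what dhcpd has handed out; the lag between a lease being granted and the next table refresh is exactly the lock-out window the reply warns about, so the interval should be short. Because pf filters on IP addresses, the table cannot tell a legitimate lease holder from a host that has taken over that same address, which is the second limitation noted above.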