* DHCP related problem
From: PiSiC... @ 2003-06-17 8:30 UTC (permalink / raw)
To: netfilter
Hi all,
I want to ask you something... Do you know of a possibility to drop outgoing traffic of clients who define their address statically instead of using my DHCP server?
I also want to allow outgoing access to those who have their IP address given by my DHCP server.
Thank you in advance,
Danila Octavian
* RE: DHCP related problem
From: Matt Grogan @ 2003-06-17 11:24 UTC (permalink / raw)
To: 'PiSiC...', netfilter
You could set up DHCP with a smaller set of addresses, for example
x.x.x.100 - x.x.x.110 if you only have 10 workstations. Then drop everything
accessing the Internet except for those source addresses.
If you want to go further than that, like stop someone from getting their
information from DHCP and then statically defining it and keeping that
address, it gets a little more involved. Maybe reducing the lease time and
scripting to check that all the stations in the DHCP range are also in the
list of DHCP clients on the server would help.
Matt Grogan
* Re: DHCP related problem
From: Julian Gomez @ 2003-06-17 12:46 UTC (permalink / raw)
To: netfilter
On Tue, Jun 17, 2003 at 07:24:16AM -0400, Matt Grogan spoke thusly:
>If you want to go further than that, like stop someone from getting their
>information from DHCP and then statically defining it and keeping that
>address, it gets a little more involved. Maybe reducing the lease time and
>scripting to check that all the stations in the DHCP range are also in the
>list of DHCP clients on the server would help.
A slightly different angle, which just came up on the redhat-users ML a
couple of days ago and which might work, is:
-> All DHCP leases get an account created on your internal DNS
   resolver.
-> Your firewall refreshes your ruleset by only allowing a range
   of DHCP IP ranges, which have a corresponding DNS forward &&
   reverse entry.
This is similar to Win2K functionality whereby all DHCP addresses get an
automatic DNS entry created. Someone mentioned that ISC's DHCP package
supports such functionality, you might want to take a look.
There will be some scripting involved, as Matt has already alluded to.
(snip rest)
* Re: DHCP related problem
From: PiSiC... @ 2003-06-17 13:43 UTC (permalink / raw)
To: mattgrogan, netfilter
I see that I wasn't very explicit...
So... what I have: I have 12 stations in my LAN. I have set up DHCP with
FixedAdress for those.
I work in a computer service and I have a variable number of machines that
come and go.
I set up a pool for those fixed address computers and another one for
unknown clients which is more restrictive.
To get to my problem... I want to drop anyone who sets his IP address and
GW etc. statically.
I want to let them access only if they request their address by DHCP.
Any hints?
Thanks in advance,
Danila Octavian
* Re: DHCP related problem
From: David Busby @ 2003-06-17 16:58 UTC (permalink / raw)
To: PiSiC..., mattgrogan, netfilter
The ISC DHCP server has some hooks (see man) that can notify you of a lease.
Those events could drive a script that modifies your firewall rules.
/B
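
The lease-driven ruleset suggested by Matt Grogan and David Busby above, as an added example that is not part of the original thread: it reads lease records in the ISC `dhcpd.leases` format, keeps only leases that are active and unexpired, and builds iptables commands that accept each leased IP only from the MAC recorded in its lease. The chain name `DHCP_CLIENTS` is hypothetical (it must exist and be jumped to from FORWARD), and the sample leases are constructed.

```python
import re
from datetime import datetime

# Constructed sample in ISC dhcpd.leases format (addresses and MACs are made up).
SAMPLE_LEASES = """\
lease 192.168.1.101 {
  ends 2 2003/06/17 20:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.168.1.102 {
  ends 2 2003/06/17 07:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:66;
}
lease 192.168.1.103 {
  ends 2 2003/06/17 20:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:77;
}
lease 192.168.1.103 {
  ends 2 2003/06/17 09:00:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:77;
}
"""
# Assumes flat lease blocks (no nested braces inside a record).
LEASE_RE = re.compile(r"lease\s+(\d+\.\d+\.\d+\.\d+)\s*\{(.*?)\}", re.S)

def active_leases(text, now):
    """Return {ip: mac} for leases active and unexpired at `now` (UTC)."""
    latest = dict(LEASE_RE.findall(text))  # append-only log: last record per IP wins
    result = {}
    for ip, body in latest.items():
        mac = re.search(r"hardware ethernet ([0-9a-fA-F:]{17});", body)
        ends = re.search(r"ends \d (\d{4}/\d\d/\d\d \d\d:\d\d:\d\d);", body)
        state = re.search(r"(?m)^\s*binding state (\w+);", body)
        if not (mac and ends and state and state.group(1) == "active"):
            continue  # released, free, or no parseable end time: not allowed out
        if datetime.strptime(ends.group(1), "%Y/%m/%d %H:%M:%S") > now:
            result[ip] = mac.group(1).lower()
    return result

def firewall_rules(leases, chain="DHCP_CLIENTS"):
    """Build iptables commands: accept leased IP+MAC pairs, drop everything else."""
    rules = [f"iptables -F {chain}"]
    rules += [f"iptables -A {chain} -s {ip} -m mac --mac-source {mac} -j ACCEPT"
              for ip, mac in sorted(leases.items())]
    return rules + [f"iptables -A {chain} -j DROP"]
```

The MAC match only ties traffic to what the lease recorded; it does not authenticate the client, so a short lease time and frequent regeneration of the chain still matter.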