Date: Wed, 29 Sep 1999 17:44:56 -0400
From: "Troy Settle" <st@i-plus.net>
To: "Nathan Mahon" <nathanm@socket.net>, <freebsd-isp@FreeBSD.ORG>
Subject: RE: Need Authoritative DHCP server ...
Message-ID: <NDBBKPEMLJEBDEPFNHOHAEEJCAAA.st@i-plus.net>
In-Reply-To: <NDBBIOANCLGLNFOCLGEOKEEJCBAA.nathanm@socket.net>
I don't know of any way to *enforce* the use of DHCP using the stock daemon.
I'm sure it would be possible to hack dhcpd to perform some action when it
grants a lease. For example, set your IPFW to deny all traffic by default,
then hack dhcp so that it adds rules to allow traffic for those IPs it has
given a lease for.
I don't know how well this would work, or if it would even work at all, but
it might be worth looking into.
> -----Original Message-----
> From: Nathan Mahon [mailto:nathanm@socket.net]
> Sent: Wednesday, September 29, 1999 3:46 PM
> To: Troy Settle; freebsd-isp@FreeBSD.ORG
> Subject: RE: Need Authoritative DHCP server ...
>
>
> This is a good setup, however, I'm not sure that it has anything to do with
> the /*enforcement*/ part of my question.
> I need something that will require that the dhcp lease match the ip/mac
> address of the outgoing packet before it will actually translate it...
> I've got issues of users opting not to use DHCP and entering in the numbers
> manually.... this is not something I want to allow...
> So ... I need to find something that will choose not to NAT if the DHCP
> lease doesn't match the originator of the packet.
> Does this make any sense to anyone?
>
> Vaevictus Asmadi
>
> -----Original Message-----
> From: owner-freebsd-isp@FreeBSD.ORG
> [mailto:owner-freebsd-isp@FreeBSD.ORG]On Behalf Of Troy Settle
> Sent: Wednesday, September 29, 1999 12:34 PM
> To: Vaevictus Asmadi; freebsd-isp@FreeBSD.ORG
> Subject: RE: Need Authoritative DHCP server ...
>
>
>
> Not sure if I'm answering your question here, but I've got a box running
> natd and dhcp without problems.
>
> In this setup, ed0 faces the internet, and ed1 faces the internal LAN.
>
>
> First, compile your kernel with IPFW and bpfilter.
>
> Second, apply these IPFW rules:
>
> 00100 divert 8668 ip from any to any via ed1
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 65000 allow ip from any to any
>
> Third, enable natd with the following options in /etc/rc.conf:
>
> natd_enable="YES"
> natd_interface="ed1"
> natd_flags="-s -m"
>
>
> Fourth, install and configure DHCP.
> From my /etc/dhcpd.conf:
>
> server-identifier 10.10.100.1;
> subnet 10.10.100.0 netmask 255.255.255.0 {
> range 10.10.100.2 10.10.100.254;
> option domain-name-servers xxx.yyy.zzz.3 xxx.yyy.zzz.4 xxx.yyy.zzz.5;
> option routers 10.10.100.1;
> option subnet-mask 255.255.255.0;
> option broadcast-address 10.10.100.255;
> default-lease-time 2592000;
> max-lease-time 2592000;
> }
>
> # match this to the subnet facing the internet
> subnet xxx.yyy.zzz.0 netmask 255.255.255.0 {
> }
>
>
> Hope this helps,
>
> -Troy
>
>
> > -----Original Message-----
> > From: owner-freebsd-isp@FreeBSD.ORG
> > [mailto:owner-freebsd-isp@FreeBSD.ORG]On Behalf Of Vaevictus Asmadi
> > Sent: Wednesday, September 29, 1999 9:39 AM
> > To: freebsd-isp@FreeBSD.ORG
> > Subject: Need Authoritative DHCP server ...
> >
> >
> > I need a reliable DHCP server that will either do NAT or use existing NAT,
> > and using the NAT to enforce use of DHCP...
> > Is this possible?
> > Has anyone got this to work?
> >
> >
> > Vaevictus Asmadi
> >
> >
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-isp" in the body of the message
> >
>
>
>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?NDBBKPEMLJEBDEPFNHOHAEEJCAAA.st>
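Troy's suggestion (deny by default, have dhcpd add an allow rule for each lease it grants) and Nathan's requirement (only translate a packet whose IP/MAC pair matches a current lease) worked through as an added example; this is not code from the thread or from FreeBSD. It reads ISC dhcpd's lease file, works out which (IP, MAC) pairs hold a live lease, and emits the ipfw rules for a default-deny block on the LAN interface. Assumptions: ISC dhcpd's lease-file syntax with UTC timestamps; ipfw features from FreeBSD releases later than this 1999 thread, namely rule sets and layer-2 MAC matching with net.link.ether.ipfw=1; the rule numbers, the set number, the interface name ed1 and the sample lease file are all constructed for the example.

```python
"""Per-lease ipfw allow list built from ISC dhcpd's lease file (added example, not
code from the thread). Assumes ISC dhcpd lease-file syntax (UTC times) and ipfw
keywords newer than the thread: rule 'set's, 'layer2' and 'MAC' matching."""
import re
import subprocess
from datetime import datetime, timezone

LAN_IF = "ed1"      # internal interface, as in the thread
RULE_SET = 1        # hypothetical ipfw set holding the generated per-lease rules
RULE_BASE = 1000    # static DHCP-allow rule; per-lease rules follow it
DENY_RULE = 1999    # static catch-all deny closing the block

# Constructed sample lease file and clock for the example (not from a real server).
SAMPLE_NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_LEASES = """\
lease 10.10.100.5 {
  ends 3 2024/01/10 22:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 10.10.100.6 {
  ends 3 2024/01/10 09:30:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:66;
}
lease 10.10.100.7 {
  ends 3 2024/01/10 22:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:77;
}
lease 10.10.100.7 {
  ends 3 2024/01/10 23:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:88;
}
lease 10.10.100.8 {
  ends 3 2024/01/10 11:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:99;
}
"""

_LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)


def parse_leases(text):
    """Map ip -> (mac, expiry or None, binding state). dhcpd appends a new block for
    every change, so the last block seen for an IP is the authoritative one."""
    leases = {}
    for ip, body in _LEASE_RE.findall(text):
        mac = re.search(r"hardware ethernet\s+([0-9A-Fa-f:]+);", body)
        ends = re.search(r"ends\s+(never|\d\s+\S+\s+\S+);", body)
        if not (mac and ends):
            continue  # incomplete record: treat as no lease rather than guess
        state = re.search(r"binding state\s+(\w+);", body)
        if ends.group(1) == "never":
            expiry = None
        else:  # "ends <weekday> YYYY/MM/DD HH:MM:SS" in UTC; the weekday is redundant
            _, day, clock = ends.group(1).split()
            expiry = datetime.strptime(f"{day} {clock}", "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)
        leases[ip] = (mac.group(1).lower(), expiry, state.group(1) if state else "active")
    return leases


def active_clients(leases, now):
    """Sorted (ip, mac) pairs holding an active, unexpired lease at `now`."""
    return sorted((ip, mac) for ip, (mac, expiry, state) in leases.items()
                  if state == "active" and (expiry is None or expiry > now))


def lease_matches(leases, now, src_ip, src_mac):
    """The check the NAT box needs: is this exact (IP, MAC) pair leased right now?
    A hand-configured host fails on the MAC even if it picked an IP that is leased."""
    return (src_ip, src_mac.lower()) in active_clients(leases, now)


def static_rules():
    """Installed once at boot, outside the generated set: DHCP itself must get through
    (a host with no lease has to be able to ask for one), and the closing deny stays in
    place while a rebuild is in progress, so a half-finished rebuild fails closed."""
    return [f"ipfw add {RULE_BASE} allow udp from any 68 to any 67 in via {LAN_IF} layer2",
            f"ipfw add {DENY_RULE} deny ip from any to any in via {LAN_IF} layer2"]


def lease_rules(clients):
    """One allow per leased (IP, MAC) pair, numbered between the two static rules."""
    if len(clients) >= DENY_RULE - RULE_BASE:
        raise ValueError("more leases than rule numbers reserved for them")
    return [f"ipfw add {RULE_BASE + i} set {RULE_SET} allow ip from {ip} to any"
            f" in via {LAN_IF} layer2 MAC any {mac}" for i, (ip, mac) in enumerate(clients, start=1)]


def rebuild(lease_text, now=None, runner=subprocess.run):
    """Replace the generated set with rules for the current leases. `runner` is injectable
    so the command sequence can be inspected without touching a live firewall."""
    now = now or datetime.now(timezone.utc)
    cmds = [f"ipfw delete set {RULE_SET}"] + lease_rules(active_clients(parse_leases(lease_text), now))
    for cmd in cmds:
        runner(cmd.split(), check=True)
    return cmds


if __name__ == "__main__":  # dry run against the sample: prints the commands only
    print("\n".join(rebuild(SAMPLE_LEASES, now=SAMPLE_NOW, runner=lambda *a, **k: None)))
```

On a real box the lease file is normally /var/db/dhcpd/dhcpd.leases; rebuild() can be run from cron, or (ISC dhcpd 3 and later) from an `on commit` hook with `execute()`, which is the modern form of the dhcpd hack Troy describes. The two static rules belong in the boot-time rule set next to the divert rule. Because the per-lease allows live in their own set while the closing deny is static, a rebuild that dies between the delete and the re-add leaves the LAN fail-closed, not open. The check is on the (IP, MAC) pair only: a user who forges both the MAC and the IP of a leased neighbour still gets through, which is the limit of any enforcement done at this layer.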
