From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Date: Tue, 26 Jul 2011 13:57:39 +0100
To: freebsd-questions@freebsd.org
Subject: Re: How to deny getting static ip address via pf ?
Message-ID: <4E2EB9C3.7060506@infracaninophile.co.uk>
In-Reply-To: <39BA5203083441F49B797E0E12C7B03D@desktop2002>

On 26/07/2011 11:44, Yavuz Maşlak wrote:
> I use pf on freebsd as packet filter.
>
> I have a wireless area. The users get to the internet using automatic ip
> from the dhcp server.
> I wish to deny assigning a static ip address manually.
>
> How can I do that with pf or ipfw or another thing?
Interesting problem.

Do you control the DHCP server and is it running ISC dhcpd? If so, you can parse the dhcpd.leases file to find all of the addresses the DHCP server has allocated. Then you could create firewall rules that default to blocking the DHCP address range, but are overridden to allow the allocated addresses. The table feature in pf would be a good way of implementing something like that. (I think ipfw has an equivalent feature nowadays too.)

It's not going to be pretty, and you'll need to update the table of allowed addresses quite frequently, or legitimate users will find themselves locked out of internet access. Also it won't stop someone who has hijacked an IP from someone else's lease.

Wondering why your users would prefer manually setting addresses rather than using DHCP, since using DHCP takes away virtually all the effort involved? If it's because almost all the addresses are already assigned to leases and it takes ages to get on-line, then two courses of action suggest themselves:

1) Serve a larger address range through DHCP and/or make the lease times shorter. Assuming you're behind a NAT gateway, this shouldn't be particularly hard to set up.

2) Look at the 'adaptive-lease-time-threshold' setting in dhcpd.conf -- this says to dynamically shorten lease times once address pool usage goes above a threshold percentage.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard
Flat 3
Ramsgate
Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matthew@infracaninophile.co.uk
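The lease-table approach Matthew sketches, written out as an added example (this script is not part of the mail and not FreeBSD's or ISC's own code). It parses the ISC dhcpd lease database, keeps only addresses whose newest record is an unexpired active binding, and loads them into a pf table that a later `pass` rule consults. The lease file path `/var/db/dhcpd/dhcpd.leases`, the table name `dhcp_clients`, and the interface and range names in the commented pf.conf fragment are assumptions; the sample lease file is constructed for a dry run.

```shell
#!/bin/sh
# Added example (not from the original mail): feed a pf table with the
# addresses ISC dhcpd has actually leased, so a default-block rule on the
# DHCP range can be overridden for those addresses only.
#
# Assumed (not stated in the thread): lease file at /var/db/dhcpd/dhcpd.leases
# (FreeBSD port default) and a table <dhcp_clients> declared in pf.conf, e.g.:
#
#   wifi_if    = "wlan0"            # placeholder interface name
#   dhcp_range = "192.168.1.0/24"   # placeholder DHCP pool
#   table <dhcp_clients> persist
#   block in on $wifi_if from $dhcp_range to any
#   pass  in on $wifi_if from <dhcp_clients> to any keep state
#
# Without "quick", the later pass rule wins for addresses in the table.

LEASES=${LEASES:-/var/db/dhcpd/dhcpd.leases}
TABLE=${TABLE:-dhcp_clients}

# Print one address per line for every lease whose newest record is
# "binding state active" and whose end time has not passed.  dhcpd appends
# updated records to the file, so the last record for an address wins.
# Timestamps in the file are UTC in a format that compares lexically.
active_leases() {
    now=$(date -u '+%Y/%m/%d %H:%M:%S')
    awk -v now="$now" '
        /^lease [0-9.]+ /       { ip = $2; state[ip] = ""; ends[ip] = "" }
        /^[ \t]*ends /          { sub(/;.*/, "")
                                  if ($2 == "never") ends[ip] = "never"
                                  else ends[ip] = $3 " " $4 }
        /^[ \t]*binding state / { sub(/;.*/, ""); state[ip] = $3 }
        END {
            for (ip in state)
                if (state[ip] == "active" && (ends[ip] == "never" || ends[ip] > now))
                    print ip
        }
    ' "$1"
}

# Atomically replace the table contents with the current active leases.
# Run it from cron every minute or so: a stale table locks out clients that
# just obtained a lease, an over-generous one defeats the block.
sync_table() {
    active_leases "$LEASES" | pfctl -t "$TABLE" -T replace -f -
}

# Constructed sample lease file for a dry run (not real data): .50 is active,
# .51 has expired, .52 is an infinite lease, .53 was released (its newest
# record is "free", so it must not appear).
write_sample_leases() {
    cat > "$1" <<'EOF'
# The authoritative lease database. DO NOT EDIT.
lease 192.168.1.50 {
  starts 2 2011/07/26 10:00:00;
  ends 2 2099/01/01 00:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.168.1.51 {
  starts 2 2011/07/26 10:05:00;
  ends 2 2011/07/26 12:05:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:66;
}
lease 192.168.1.52 {
  starts 2 2011/07/26 10:10:00;
  ends never;
  binding state active;
  hardware ethernet 00:11:22:33:44:77;
}
lease 192.168.1.53 {
  starts 2 2011/07/26 10:15:00;
  ends 2 2099/01/01 00:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:88;
}
lease 192.168.1.53 {
  starts 2 2011/07/26 10:15:00;
  ends 2 2099/01/01 00:00:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:88;
}
EOF
}

# ./dhcp-pf-sync.sh --sync     loads the live lease file into pf
# ./dhcp-pf-sync.sh --dry-run  prints what the sample file would allow
if [ "${1:-}" = "--sync" ]; then
    sync_table
elif [ "${1:-}" = "--dry-run" ]; then
    tmp=$(mktemp) && write_sample_leases "$tmp" && active_leases "$tmp" && rm -f "$tmp"
fi
```

The dry run prints 192.168.1.50 and 192.168.1.52 only. As the reply already notes, the table proves that an address was leased, not that the host using it is the lessee, so a client that copies an address from someone else's live lease still passes; the check only catches addresses dhcpd never handed out or has since reclaimed.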