From owner-freebsd-net Sat Apr 17 17:31:40 1999
Delivered-To: freebsd-net@freebsd.org
Received: from at.dotat.com (zed.dotat.com [203.2.134.254]) by hub.freebsd.org (Postfix) with ESMTP id DDB8B14EA4 for ; Sat, 17 Apr 1999 17:31:33 -0700 (PDT) (envelope-from hart@at.dotat.com)
Received: from at.dotat.com (localhost.dotat.com [127.0.0.1]) by at.dotat.com (8.8.8/8.8.8) with ESMTP id KAA01569; Sun, 18 Apr 1999 10:00:05 +0930 (CST)
Message-Id: <199904180030.KAA01569@at.dotat.com>
To: "thomas.uhrfelt@plymovent.se"
Cc: "'freebsd-net@freebsd.org'"
Subject: Re: DHCP - IPFW - Controlling IPs
In-reply-to: Your message of "Sat, 17 Apr 1999 17:14:25 +0200." <01BE88F5.C4660D20.thomas.uhrfelt@plymovent.se>
Date: Sun, 18 Apr 1999 10:00:05 +0930
From: Leigh Hart
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi Thomas,

Thomas Uhrfelt wrote:
>
> I have now successfully installed ISC's DHCP server on my FreeBSD
> box to pass out IPs etc. to the users on our local network, but I
> have a little thing grinding on my mind, as I am going to use DUMMYNET
> and IPFW to regulate what users can and cannot do on other networks.
>
> Is there any way that I can check (periodically or all the time)
> that the IP the packet is coming from really is the one that is
> assigned by the DHCP daemon? What I mean is, for my ipfw rules/pipes
> to work, I need to be sure that the user has just that IP I have
> assigned to him. In other words, so he can't go in and change his
> Win95/NT/Mac and turn off DHCP and assign an IP on his own..
> Is this possible to control at all?

I don't believe there are any existing structures / programs in place to do this specifically, however, what you *can* do is monitor what's going on with arp (as long as the FreeBSD box is hearing all of the arp packets, that is).
Periodically traverse the arp table (either by writing some C/Perl or using "arp -an" in a shell script) and compare the results against your authoritative list (i.e. the DHCP config). Then you can respond to illegal MAC/IP pairs in a number of ways, in order of difficulty to implement:

* log the information and review in retrospect, useful if your HW has physically unchangeable MAC addresses, then reprimand the person;
* flood ping/nuke/whatever the IP address until the offending machine crashes and dies;
* hard code a proxy arp for the IP address, preventing traffic flow; or
* sniff the wire and respond to all the IP's sourced packets with an ICMP "administratively-prohibited" message.

Cheers

Leigh

--
| "By the time they had diminished | Leigh Hart,                  |
| from 50 to 8, the other dwarves  | CCNA - http://www.cisco.com/ |
| began to suspect 'Hungry' ..."   | GPO Box 487 Adelaide SA 5001 |
| -- Gary Larson, "The Far Side"   | http://www.dotat.com/hart/   |
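The arp-table check Leigh describes, as an added example that is not from this thread: a POSIX shell function that parses constructed `arp -an` output (FreeBSD's format, where MAC octets are printed without leading zeros) and a constructed dhcpd.leases excerpt, normalises the MACs so the two can be compared, and reports addresses that are in use without a lease or that answer from a MAC other than the one the most recent lease records. The function name, the sample data and the /var/db/dhcpd.leases path are assumptions.

```shell
#!/bin/sh
# Added example: compare the ARP table with ISC dhcpd leases (not from the original thread).

# Constructed "arp -an" sample in FreeBSD's format; note the unpadded MAC octets.
ARP_SAMPLE='? (192.168.1.10) at 0:a0:c9:1:2:3 on fxp0 [ethernet]
? (192.168.1.11) at 0:50:4:aa:bb:cc on fxp0 [ethernet]
? (192.168.1.12) at 0:50:4:dd:ee:ff on fxp0 [ethernet]
? (192.168.1.13) at (incomplete) on fxp0 [ethernet]'

# Constructed dhcpd.leases excerpt. dhcpd appends; the later entry for .11 is the current one.
LEASES_SAMPLE='lease 192.168.1.10 {
  starts 6 1999/04/17 08:14:25;
  hardware ethernet 00:A0:C9:01:02:03;
}
lease 192.168.1.11 {
  hardware ethernet 00:50:04:aa:bb:cc;
}
lease 192.168.1.11 {
  hardware ethernet 00:50:04:11:22:33;
}'

# check_arp ARP_TEXT LEASES_TEXT: print one line per IP seen on the wire that has no
# lease (UNLEASED) or answers from a MAC other than the leased one (MISMATCH).
check_arp() {
    printf '%s\n--ARP--\n%s\n' "$2" "$1" | awk '
        # lowercase and zero-pad each octet so 0:a0:c9:1:2:3 equals 00:A0:C9:01:02:03
        function norm(m,  n, i, p, out) {
            n = split(tolower(m), p, ":"); out = ""
            for (i = 1; i <= n; i++)
                out = out (i > 1 ? ":" : "") (length(p[i]) == 1 ? "0" p[i] : p[i])
            return out
        }
        /^--ARP--$/ { mode = "arp"; next }
        mode != "arp" && $1 == "lease"    { ip = $2 }
        mode != "arp" && $1 == "hardware" { sub(/;$/, "", $3); lease[ip] = norm($3) }  # last wins
        mode == "arp" && $4 != "(incomplete)" {
            ip = $2; gsub(/[()]/, "", ip); seen = norm($4)
            if (!(ip in lease))         print "UNLEASED " ip " " seen
            else if (lease[ip] != seen) print "MISMATCH " ip " " seen " expected " lease[ip]
        }' | sort
}

# Stand-alone run on the constructed samples; on a real server (path is an assumption):
#   check_arp "$(arp -an)" "$(cat /var/db/dhcpd.leases)"
check_arp "$ARP_SAMPLE" "$LEASES_SAMPLE"
```

Entries the kernel has not resolved yet are skipped, and a lease file that holds several records for one address is read the way dhcpd writes it, with the last record taken as current.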