Date: Sun, 18 Apr 1999 10:00:05 +0930
From: Leigh Hart <hart@at.dotat.com>
To: "thomas.uhrfelt@plymovent.se" <thomas.uhrfelt@plymovent.se>
Cc: "'freebsd-net@freebsd.org'" <freebsd-net@FreeBSD.ORG>
Subject: Re: DHCP - IPFW - Controlling IPs
Message-ID: <199904180030.KAA01569@at.dotat.com>
In-Reply-To: Your message of "Sat, 17 Apr 1999 17:14:25 +0200." <01BE88F5.C4660D20.thomas.uhrfelt@plymovent.se>
Hi Thomas,

Thomas Uhrfelt <thomas.uhrfelt@plymovent.se> wrote:
>
> I have now successfully installed ISC's DHCP server on my FreeBSD
> box to pass out IPs etc. to the users on our local network, but I
> have a little thing grinding on my mind, as I am going to use DUMMYNET
> and IPFW to regulate what users can and cannot do on other networks.
>
> Is there any way that I can check (periodically or all the time)
> that the IP the packet is coming from really is the one that is
> assigned by the DHCP daemon? What I mean is, for my ipfw rules/pipes
> to work, I need to be sure that the user has just that IP I have
> assigned to him. In other words, so he can't go in and change his
> Win95/NT/Mac and turn off DHCP and assign an IP on his own..
> Is this possible to control at all?

I don't believe there are any existing structures / programs in place to
do this specifically, however, what you *can* do is monitor what's going
on with arp (as long as the FreeBSD box is hearing all of the arp
packets, that is).

Periodically traverse the arp table (either by writing some C/Perl or
using "arp -an" in a shell script) and compare the results against your
authoritative list (i.e. the DHCP config). Then you can respond to illegal
MAC/IP pairs in a number of ways, in order of difficulty to implement:

 * log the information and review in retrospect, useful if your HW has
   physically unchangeable MAC addresses, then reprimand the person;
 * flood ping/nuke/whatever the IP address until the offending machine
   crashes and dies;
 * hard code a proxy arp for the IP address, preventing traffic flow; or
 * sniff the wire and respond to all the IP's sourced packets with an
   ICMP "administratively-prohibited" message.

Cheers

Leigh
--
| "By the time they had diminished | Leigh Hart, <hart@dotat.com>  |
| from 50 to 8, the other dwarves  | CCNA - http://www.cisco.com/  |
| began to suspect 'Hungry' ..."   | GPO Box 487 Adelaide SA 5001  |
| -- Gary Larson, "The Far Side"   | http://www.dotat.com/hart/    |
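The first of Leigh's options, walking the arp table with "arp -an" and comparing it with the DHCP configuration, written out as an added example script. It is not part of the original message and not code from ISC dhcpd or FreeBSD. It assumes the FreeBSD "arp -an" line format (`? (ip) at mac on ifname ...`), dhcpd.conf "host" stanzas with `hardware ethernet` and `fixed-address` (dotted-quad only), and that entries marked `permanent` are the box's own interfaces and can be skipped; the function names, the `MISMATCH`/`UNKNOWN` output format and all sample data are constructed for the example.

```shell
#!/bin/sh
# Added example (not Leigh's code, not ISC dhcpd or FreeBSD code):
# compare MAC/IP pairs in the ARP table with the pairs declared in
# dhcpd.conf "host" stanzas and report those that disagree.
#
# Assumed "arp -an" line format (FreeBSD):
#   ? (192.168.1.10) at 0:a0:c9:12:34:56 on fxp0 expires in 1180 seconds [ethernet]
# Assumed dhcpd.conf stanza shape:
#   host name { hardware ethernet XX:XX:XX:XX:XX:XX; fixed-address A.B.C.D; }
# Dynamic leases are recorded in dhcpd.leases, not dhcpd.conf, and are
# not covered here.

# arp_audit CONF ARPFILE
#   Prints one line per finding; returns 1 if anything was found, else 0.
#   MISMATCH ip seen=mac expected=mac   -> IP is reserved for another MAC
#   UNKNOWN  ip seen=mac                -> IP has no reservation at all
arp_audit() {
    awk '
        # Old FreeBSD arp prints MACs without leading zeros ("0:a0:c9:1:2:3")
        # while dhcpd.conf usually has them, so both sides are lowercased
        # and zero-padded before being compared.
        function nmac(m,    n, i, p, out) {
            n = split(tolower(m), p, ":")
            for (i = 1; i <= n; i++) if (length(p[i]) == 1) p[i] = "0" p[i]
            out = p[1]
            for (i = 2; i <= n; i++) out = out ":" p[i]
            return out
        }
        # Pass 1 (mode=dhcp): collect fixed-address -> hardware ethernet.
        mode == "dhcp" && /^[ \t]*#/ { next }
        mode == "dhcp" && /^[ \t]*host[ \t]/ { mac = ""; ip = "" }
        mode == "dhcp" && match($0, /hardware[ \t]+ethernet[ \t]+[0-9a-fA-F:]+/) {
            mac = substr($0, RSTART, RLENGTH); sub(/.*[ \t]/, "", mac)
        }
        mode == "dhcp" && match($0, /fixed-address[ \t]+[0-9.]+/) {
            ip = substr($0, RSTART, RLENGTH); sub(/.*[ \t]/, "", ip)
        }
        mode == "dhcp" && index($0, "}") > 0 {
            if (mac != "" && ip != "") expected[ip] = nmac(mac)
            mac = ""; ip = ""
        }
        # Pass 2 (mode=arp): check each resolved entry. "permanent" entries
        # are the local interfaces (assumption); "(incomplete)" has no MAC.
        mode == "arp" && / permanent / { next }
        mode == "arp" && split($4, q, ":") == 6 && $4 ~ /^[0-9a-fA-F:]+$/ {
            ip = $2; gsub(/[()]/, "", ip)
            seen = nmac($4)
            if (!(ip in expected)) {
                print "UNKNOWN " ip " seen=" seen; bad++
            } else if (expected[ip] != seen) {
                print "MISMATCH " ip " seen=" seen " expected=" expected[ip]; bad++
            }
        }
        END { exit (bad > 0) }
    ' mode=dhcp "$1" mode=arp "$2"
}

# Constructed sample input (not captured from a real network).
sample_dhcpd_conf() {
    cat <<'EOF'
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.100 192.168.1.200;
}
host alice {
  hardware ethernet 00:A0:C9:12:34:56;
  fixed-address 192.168.1.10;
}
host bob { hardware ethernet 00:a0:c9:ab:cd:ef; fixed-address 192.168.1.11; }
EOF
}

sample_arp_output() {
    cat <<'EOF'
? (192.168.1.1) at 00:50:04:00:00:01 on fxp0 permanent [ethernet]
? (192.168.1.10) at 0:a0:c9:12:34:56 on fxp0 expires in 1180 seconds [ethernet]
? (192.168.1.11) at 00:e0:29:55:66:77 on fxp0 expires in 900 seconds [ethernet]
? (192.168.1.77) at 00:e0:29:55:66:77 on fxp0 expires in 700 seconds [ethernet]
? (192.168.1.12) at (incomplete) on fxp0 expired [ethernet]
EOF
}

# Run the check over the samples. For the real thing, from cron:
#   arp -an > /var/tmp/arp.out && arp_audit /etc/dhcpd.conf /var/tmp/arp.out
run_demo() {
    tmp=${TMPDIR:-/tmp}/arpaudit.$$
    mkdir -p "$tmp"
    sample_dhcpd_conf > "$tmp/dhcpd.conf"
    sample_arp_output > "$tmp/arp.out"
    if arp_audit "$tmp/dhcpd.conf" "$tmp/arp.out"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

run_demo || :
```

On the sample data this reports 192.168.1.11 as a MISMATCH (bob's reserved address answered by a different MAC) and 192.168.1.77 as UNKNOWN, while alice's entry passes even though arp printed her MAC without leading zeros. Two things to keep in mind when scheduling it: the arp table only holds hosts the FreeBSD box has recently exchanged traffic with, so a quiet machine simply does not appear, and a station that spoofs both its IP and the matching MAC is indistinguishable from the legitimate one by this check alone.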