On 2/16/06, yo2lux <[EMAIL PROTECTED]> wrote:
> I have a dhcp server with following configuration:
>
> /etc/dhcpd.conf
>
> shared-network LOCAL-NET {
>        option  domain-name "my.domain";
>        option  domain-name-servers 193.231.249.1;
>
>        subnet 192.168.10.0 netmask 255.255.255.0 {
>        option routers 192.168.10.1;
>
>        range 192.168.10.32 192.168.10.127;
>        }
> }
>
> host zoltan {
>        hardware ethernet 00:50:FC:9D:81:E7;
>        fixed-address 192.168.10.127;
>        option host-name "zoltan";
> }
>
> 192.168.10.127 is my desktop pc (Windows box with mac address:
> 00:50:fc:9d:81:e7). I get IP 192.168.10.127 using DHCP.

So that part is working fine. dhcpd is doing what you asked it to: it
is assigning 192.168.10.127 to a machine with mac address
00:50:fc:9d:81:e7.

> The problem is, when I set a manual IP address on Windows box for
> example 192.168.10.126 the connection between gateway and Windows box works.

dhcpd only assigns addresses, it doesn't set up network filters.

> I want to allow only IP address 192.168.10.127 with mac address:
> 00:50:fc:9d:81:e7 to reach the gateway. I need to use a static ARP?

No, static ARP isn't for filtering either.

I'm not quite sure what you want to happen. Here's my guess:

You want to specify which MAC addresses get which IP addresses- that
much you have working.

You want only those MAC & IP addresses assigned by DHCP to work with
your gateway. If an authorized machine changes their IP address, you
want the gateway to ignore its traffic. That part, I don't know how to
do either.

If you look at pf.conf you'll see it's easy to only allow traffic for
IP addresses in a given range, but it doesn't filter by MAC address;
that's not level 3 (if I have the jargon correct). It can be filtered
on a bridge, but adding a bridge is artificial, and anyway, how would
you tell dhcpd to add/remove filters as it granted/expired leases?
Write a program to poll dhcpd.leases every few seconds? Ugly!

And you still have a problem- what if you have two authorized
machines, and the users switch their IP addresses...

If you really want this level of security (and I'm not sure that you
really do), what you want is the "user" option of pf.conf. I haven't
tried it; search the pf list's archives for examples.
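As an added example (not from the thread, and not tested by either poster): a pf.conf fragment for the gateway that does what the reply describes, passing only the DHCP-assigned address 192.168.10.127 and logging everything else from the LAN side. The interface name fxp0 is an assumption; the comments spell out the MAC-address limitation the reply mentions.

```pf
# /etc/pf.conf on the gateway (added example, not from the thread)
# fxp0 is an assumed name for the gateway's LAN-side interface.
int_if = "fxp0"

# The dhcpd dynamic pool 192.168.10.32-192.168.10.127 expressed as two
# CIDR blocks, and the single fixed address from the host declaration.
table <dhcp_pool> const { 192.168.10.32/27, 192.168.10.64/26 }
table <allowed>   const { 192.168.10.127 }

# Default: drop and log everything arriving on the LAN side, so a box
# that picks 192.168.10.126 by hand shows up in pflog instead of working.
block in log on $int_if

# Loosest version of what the reply describes: anything in the DHCP range.
# pass in on $int_if from <dhcp_pool> to any keep state

# Stricter version: only the address dhcpd hands to the zoltan host entry.
# pf matches on layer 3/4 fields and never sees the Ethernet source
# address, so a host that forges 192.168.10.127 with a different MAC
# is still passed by this rule; that is the gap the reply points at.
pass in on $int_if from <allowed> to any keep state

# Unconfigured clients send DHCP discover from 0.0.0.0 (udp 68 -> 67);
# without this rule the block above would stop them getting a lease.
pass in on $int_if inet proto udp from any port 68 to any port 67
```

Load with `pfctl -f /etc/pf.conf` and watch `tcpdump -n -e -ttt -i pflog0` to see which source addresses (and, because pflog records the Ethernet header, which MACs) are being dropped.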
