I'm new to this list, so please take it easy on me. :-)
I wanted to check in with the gurus here first before going at this one
just yet. I've read over the mailing list and as far as I could tell, I
didn't see any mention of this feature or anyone ask for it.
Basically, m0n0wall 1.3 already has options to reserve IPs by MAC or
only respond to certain MAC clients and ignore all others. What I wanted
to do was add another option for the DHCP server that would allow you to
build an "ignore" list basically for DHCP based on the MAC address of
the client. I've read over the documentation for the DHCP server
software that m0n0wall uses and as far as I can tell, it does support
such an option.
It would work similar to the DHCP reservation list, except it would just
be a separate section below it. Any client MAC added to the address
would be ignored by the DHCP server and not assigned an IP.
The reasons I'm sure that will be asked is, why?
A few that I wanted to get this feature in.
1) Ignore virus infected machines so that they will just not get an IP
until they can fixed/cleaned/etc. Basically, if it is a windows machine
(which well about 97% of them will be), will keep it off of the rest of
the network in just the microsoft private IP range until an admin or
friend can fix the machine.
2) Fail over DHCP servers. For environments that have two m0n0wall
machines on the same network serving different IP ranges to the same
client base, one could have certain IPs blacklisted from one m0n0wall
machine so that they are never assigned to the second m0n0wall machine
in case the DHCP reservations are important that they remain assigned to
just one certain m0n0wall machine.
3) Rogue machine control, in case there is a client on the network that
is causing issues and the user is just not aware of it (similar to a
virus machine, maybe it's a spam spewing trojan infection for example)
It's not meant to be a hacker prevention option, more of a "grandmom's
computer is infected and I don't have time to fix it" kind of option or
a way to ban non-technical users from the network.
I'm still a newbie to m0n0wall development, but I'm guessing such a
feature means about 3 things, writing the config for the DHCP server
correctly, writing the configuration changes correctly, and testing out
a second menu system within DHCP to make sure it doesn't break the
already existing features there.
Any feedback would certainly be welcome.