 From:  KnightMB <knightmb at knightmb dot dyndns dot org>
 To:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  New Feature - DHCP Ignore MAC address
 Date:  Thu, 07 Jan 2010 00:11:09 -0600
Hi everyone,
I'm new to this list, so please take it easy on me. :-)

I wanted to check in with the gurus here first before going at this one 
just yet. I've read over the mailing list and as far as I could tell, I 
didn't see any mention of this feature or anyone ask for it.

Basically, m0n0wall 1.3 already has options to reserve IPs by MAC or 
only respond to certain MAC clients and ignore all others. What I wanted 
to do was add another option for the DHCP server that would allow you to 
build an "ignore" list basically for DHCP based on the MAC address of 
the client. I've read over the documentation for the DHCP server 
software that m0n0wall uses and as far as I can tell, it does support 
such an option.

It would work similar to the DHCP reservation list, except it would just 
be a separate section below it. Any client MAC added to the address 
would be ignored by the DHCP server and not assigned an IP.

The reasons I'm sure that will be asked is, why?

A few reasons I wanted to get this feature in:

1) Ignore virus infected machines so that they will just not get an IP 
until they can be fixed/cleaned/etc. Basically, if it is a Windows machine 
(which, well, about 97% of them will be), it will keep it off of the rest of 
the network, in just the Microsoft private IP range, until an admin or 
friend can fix the machine.

2) Fail over DHCP servers. For environments that have two m0n0wall 
machines on the same network serving different IP ranges to the same 
client base, one could have certain IPs blacklisted from one m0n0wall 
machine so that they are never assigned to the second m0n0wall machine 
in case the DHCP reservations are important that they remain assigned to 
just one certain m0n0wall machine.

3) Rogue machine control, in case there is a client on the network that 
is causing issues and the user is just not aware of it (similar to a 
virus machine; maybe it's a spam spewing trojan infection, for example).

It's not meant to be a hacker prevention option, more of a "grandmom's 
computer is infected and I don't have time to fix it" kind of option or 
a way to ban non-technical users from the network.

I'm still a newbie to m0n0wall development, but I'm guessing such a 
feature means about 3 things, writing the config for the DHCP server 
correctly, writing the configuration changes correctly, and testing out 
a second menu system within DHCP to make sure it doesn't break the 
already existing features there.

Any feedback would certainly be welcome.
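As an added illustration of the ignore list the proposal describes (this is not m0n0wall code; m0n0wall's own generator is PHP, and the host names and MAC formats accepted here are assumptions), the script below turns a list of client MACs into the ISC dhcpd `host` stanzas that use `ignore booting`, and flags any MAC that also appears in the reservation list instead of emitting it:

```python
"""Generate ISC dhcpd host stanzas that ignore a list of client MACs.

Added example, not m0n0wall code. It relies on ISC dhcpd's
'ignore booting;' statement, which only has meaning inside a host
declaration and makes the server silently not answer that client.
"""
import re


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabbccddeeff
    (any case) and return the lowercase colon-separated form dhcpd uses."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_ignore_stanzas(ignored, reserved):
    """Return (dhcpd.conf fragment, conflicts).

    ignored  - MACs the admin wants the DHCP server to ignore
    reserved - MACs already in the DHCP reservation list

    A MAC found in both lists is reported as a conflict rather than
    emitted, since reserving and ignoring the same client contradict
    each other. Duplicates in the ignore list are collapsed.
    """
    reserved_set = {normalize_mac(m) for m in reserved}
    seen, conflicts, lines = set(), [], []
    for raw in ignored:
        mac = normalize_mac(raw)
        if mac in seen:
            continue
        seen.add(mac)
        if mac in reserved_set:
            conflicts.append(mac)
            continue
        # Host name is an assumption; dhcpd only needs it to be unique.
        name = "ignore_" + mac.replace(":", "")
        lines.append(f"host {name} {{")
        lines.append(f"\thardware ethernet {mac};")
        lines.append("\tignore booting;")
        lines.append("}")
    fragment = "\n".join(lines) + ("\n" if lines else "")
    return fragment, conflicts


if __name__ == "__main__":
    # Constructed sample lists, not real hosts.
    frag, bad = build_ignore_stanzas(
        ["AA:BB:CC:DD:EE:01", "aa-bb-cc-dd-ee-01", "00:11:22:33:44:55"],
        ["00:11:22:33:44:55"])
    print(frag, "conflicts:", bad)
```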