On Sun, Jun 15, 2008 at 2:53 AM, YvesDM <ydmlog at gmail dot com> wrote:
> Hi,
>
> I need to avoid certain mac addresses to even get a dhcp lease from
> m0n0wall.
> I find the "deny unknown clients" under the dhcpserver options, but I want
> the opposite.
> For example mac address xx:yy:xx:xx:xx:yy can NOT retrieve an ip address
> over dhcp.
> Can this be done somehow?
>

Not that I'm aware of.

> Note: I know I can block the client on the firewall, but I talk about a
> virus infected box here taking the whole network down.
> I already tried to add a static assignment and block him with a rule on the
> lan interface, but he still takes the mono down, so I want to avoid he even
> gets an ip address.

I have seen networks in the past with a single virus infected host exhausting m0n0wall's state table. Dropping everything from that host and resetting the state table prevented it from causing any problems. Normally the problem virus hosts cause with m0n0wall is exhausting the state table, and dropped traffic doesn't get a state, so that will usually fix the problem.

You sure you had the rule, ordering, etc. correct? If so I don't know what else to suggest, that's always worked for me.

-Chris