 
 From:  Anders Hagman <anders dot hagman at netplex dot se>
 To:  "m0n0wall at lists dot m0n0 dot ch" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] deny certain mac address from getting an ip?
 Date:  Tue, 17 Jun 2008 13:13:52 +0200
Hi
YvesDM skrev:
> On Sun, Jun 15, 2008 at 8:53 PM, Chris Buechler <cbuechler at gmail dot com> wrote:
> 
>> On Sun, Jun 15, 2008 at 1:47 PM, Lee Sharp <leesharp at hal dash pc dot org> wrote:
>>> As to assigning a bogus IP, I know the GUI does sanity checking, but does
>>> the config file?  What if you assign a static IP, save the config, change it
>>> in the config to 127.0.0.1, and upload the config?  Or just give it a
>>> totally invalid IP with no route to the firewall?
>>>
>> I think that may blow up dhcpd, but if someone tries it, let us know!
>>
>> -Chris
>>
> 
> Ok, I tried this.
> It didn't blow up dhcp, that's the good news :-)
> I started with adding a bogus ip (valid ip, though from a total different
> subnet) as static mapping to my mac address in the config.xml and uploaded
> it again.
> Result: m0n0wall assigned the client simply an ip from inside its dhcp range
> and ignores the static mapping.
> 

A DHCP server will not reply with an IP address from a different subnet.

> Then I tried to do the same with the ip 127.0.0.1 in the static mapping
> config.
> Result: same as above.
>

Same rule.

> Then I checked "Deny unknown clients" in the dhcp server config.
> This writes an entry in the xml named <denyunknown/>
> I tried to change it in the config to <denyknown/> (you never know :-) but
> this also didn't prevent my laptop from getting an ip out of the dhcp range.
> 
> So basically, I could not prevent the client from getting an ip.
> If anyone knows a way to do this it would be nice to know.


Here is my "solution":
I copied a dhcpd.conf file to /var/etc from the exec.php page.

------------ dhcpd.conf -----------
# Clients whose client-identifier (or, failing that, hardware address)
# matches one of the subclass entries below land in the "blocked" class.
class "blocked" {
        match pick-first-value (option dhcp-client-identifier, hardware);
}
# Hardware type 1 = Ethernet, followed by the client's MAC address.
subclass "blocked" 1:00:00:20:11:22:34; # client mac address

subnet 10.1.2.0 netmask 255.255.255.0 {
        pool {
                # members of "blocked" never receive a lease from this pool
                deny members of "blocked";
                range 10.1.2.11 10.1.2.30;
        }
}
-------------------------------

Just add subclass lines for every client to deny. Don't forget the "1"
before the MAC address: it sets the hardware type to Ethernet.
How to put this into the GUI and so on is for someone else.

/Anders
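Two points in the thread above lend themselves to a small worked example: a static mapping whose address is not inside the served subnet (the off-subnet address and 127.0.0.1 that YvesDM tried) is silently useless, and each denied client needs a `subclass "blocked" 1:<mac>;` line with the Ethernet hardware-type prefix. The Python script below is an added example, not code from the mail or from the m0n0wall project: it validates a list of static mappings against the subnet, normalises MAC addresses written in colon, dash or Cisco-dotted form, and renders a dhcpd.conf fragment in the shape Anders posted. The sample subnet, pool, mappings and MAC list are constructed for illustration, and the `host` blocks it emits are plain ISC dhcpd syntax, not a reproduction of m0n0wall's own generator.

```python
import ipaddress
import re

# Constructed sample input (not taken from the mail thread).
SUBNET = "10.1.2.0/24"
POOL = ("10.1.2.11", "10.1.2.30")
STATIC_MAPPINGS = [
    ("00:11:22:33:44:55", "10.1.2.5"),     # inside the subnet: will be honoured
    ("00:11:22:33:44:66", "192.168.9.7"),  # different subnet: server can't hand it out
    ("00:11:22:33:44:77", "127.0.0.1"),    # loopback: likewise never served
]
DENY_MACS = ["00:00:20:11:22:34", "00-00-20-11-22-35", "0000.2011.2236"]

_MAC_HEX = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept colon, dash or Cisco-dotted notation and return the
    lower-case colon-separated form dhcpd expects; reject anything else."""
    digits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not _MAC_HEX.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def check_static_mappings(subnet: str, mappings):
    """Split mappings into (valid, rejected).  An address outside the served
    subnet, or the network/broadcast address, can never be leased; the client
    simply falls back to the pool, which is the behaviour reported in the thread."""
    net = ipaddress.ip_network(subnet)
    valid, rejected = [], []
    for mac, ip in mappings:
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            rejected.append((mac, ip, "outside subnet"))
        elif addr in (net.network_address, net.broadcast_address):
            rejected.append((mac, ip, "network or broadcast address"))
        else:
            valid.append((normalize_mac(mac), str(addr)))
    return valid, rejected


def subclass_line(mac: str) -> str:
    """One deny entry; the leading 1: is the ARP hardware type for Ethernet."""
    return f'subclass "blocked" 1:{normalize_mac(mac)};'


def render_dhcpd_conf(subnet: str, pool, mappings, deny_macs) -> str:
    """Render the class/subclass/pool layout from the mail plus host blocks
    for the mappings that survived validation (host syntax is an assumption
    of this example, not m0n0wall's generator)."""
    net = ipaddress.ip_network(subnet)
    valid, _ = check_static_mappings(subnet, mappings)
    lines = [
        'class "blocked" {',
        "    match pick-first-value (option dhcp-client-identifier, hardware);",
        "}",
    ]
    lines += [subclass_line(m) for m in deny_macs]
    lines += [
        "",
        f"subnet {net.network_address} netmask {net.netmask} {{",
        "    pool {",
        '        deny members of "blocked";',
        f"        range {pool[0]} {pool[1]};",
        "    }",
        "}",
    ]
    for i, (mac, ip) in enumerate(valid):
        lines += ["", f"host static{i} {{",
                  f"    hardware ethernet {mac};",
                  f"    fixed-address {ip};", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    _, rejected = check_static_mappings(SUBNET, STATIC_MAPPINGS)
    for mac, ip, why in rejected:
        print(f"# skipping static mapping {mac} -> {ip}: {why}")
    print(render_dhcpd_conf(SUBNET, POOL, STATIC_MAPPINGS, DENY_MACS))
```

Running it prints a comment for each mapping that would be ignored, followed by a configuration fragment whose `class "blocked"` block, `subclass` lines and `deny members of "blocked";` pool match the layout in the mail; the validation step is what the thread found missing when config.xml is edited by hand rather than through the GUI.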