-----Original Message-----
From: Chris Buechler [mailto:cbuechler at gmail dot com]
Sent: Wednesday, April 29, 2009 7:09 PM
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Anti netcut (was Re: [m0n0wall] m0n0wall 1.3b17)
>
>
>It can't, that's a popular misconception of nearly everyone who wants
>something like this from my experience - it can protect the system
>it's running on, but does nothing for the rest of your network. The
>proper way to handle L2 mischief is to configure your switches
>appropriately so it can't happen. There may be some value in running
>it on the firewall for the WAN side where you normally can't control
>things. I haven't looked at this solution in particular in any depth
>so I'm not sure if it really provides any value.
>
With special requirements in the DHCP server which FreeBSD provides,
and the secondary IP option, IPfilter:
if you assign a client 10.10.10.30/32 with default gateway 1.1.1.1
and block all traffic to 10.0.0.1 except DHCP and DNS, plus ICMP 8 and 11 to keep
ping and traceroute working,
this client will only see and talk with 1.1.1.1,
and use 10.0.0.1 for DNS and DHCP only.

LAN IP: 10.0.0.1/8
Sec. IP: 1.1.1.1/32
DHCP server special options:
  Default gateway 1.1.1.1
  DNS 10.0.0.1

And I guess it will be pools:
subnet 10.0.0.0 netmask 255.0.0.0 {
  # Default gateway handed to every client: the firewall's secondary IP.
  option routers 1.1.1.1;

  # Unknown clients get this pool (short leases, bogus resolver).
  pool {
    option domain-name-servers bogus.example.com;
    max-lease-time 300;
    range 10.1.1.1 10.1.1.253;
    allow unknown-clients;
  }

  # Known clients get this pool.
  pool {
    option domain-name-servers ns1.example.com, ns2.example.com;
    max-lease-time 28800;
    range 10.10.10.5 10.10.10.199;
    deny unknown-clients;
  }
}
Now we need to have DHCP assign a /32 to clients, and I don't get how that
could be done.

Best regards,
Mohammed Ismail.
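The following is an added example, not code from the message above or from m0n0wall. It models the scheme Mohammed describes: clients receive a /32 lease whose default gateway is the firewall's secondary IP 1.1.1.1, so even a packet for a neighbour in 10.0.0.0/8 is handed to the firewall, where an IPfilter policy can block it. It also shows the piece he asks about: in ISC dhcpd an explicit `option subnet-mask 255.255.255.255;` inside the pool overrides the mask otherwise taken from the `subnet` declaration. Assumptions, all mine: ISC dhcpd, a client whose DHCP script installs an interface route to the off-link gateway (not every client does), and the hypothetical LAN interface name `sis0`. The last function makes Chris's caveat concrete: the forced path only holds for a client that honours the lease, so it is not L2 isolation.

```python
"""Added example: /32 DHCP leases with an off-link gateway plus an ipf policy.

Not from the original message or from m0n0wall.  Assumes ISC dhcpd, a client
that installs an interface route to its off-link gateway, and the hypothetical
LAN interface name sis0.
"""
import ipaddress
from dataclasses import dataclass

LAN_IP = "10.0.0.1"   # firewall LAN address (from the message)
SEC_IP = "1.1.1.1"    # firewall secondary /32, handed out as default gateway
LAN_IF = "sis0"       # hypothetical interface name


def pool_stanza(first: str, last: str, known: bool, dns: str = LAN_IP,
                lease: int = 28800) -> str:
    """ISC dhcpd pool that leases /32 addresses with an off-link gateway.

    `option subnet-mask 255.255.255.255;` answers the question at the end
    of the message: without it dhcpd derives the mask from the enclosing
    `subnet` declaration (255.0.0.0 here)."""
    return "\n".join([
        "pool {",
        "  option subnet-mask 255.255.255.255;",
        f"  option routers {SEC_IP};",
        f"  option domain-name-servers {dns};",
        f"  max-lease-time {lease};",
        f"  range {first} {last};",
        "  deny unknown-clients;" if known else "  allow unknown-clients;",
        "}",
    ])


def next_hop(client_ip: str, prefixlen: int, gateway: str, dst: str) -> str:
    """Client-side forwarding decision: an on-link destination is ARPed for
    directly, anything else goes to the gateway.  With a /32 nothing is
    on-link, so even a same-LAN neighbour is reached via the firewall."""
    iface = ipaddress.ip_interface(f"{client_ip}/{prefixlen}")
    if ipaddress.ip_address(dst) in iface.network:
        return "direct"
    return gateway


# IPfilter rules for "block all traffic to 10.0.0.1 except DHCP, DNS, ICMP 8
# and 11" as stated in the message.  ipf applies the LAST matching rule unless
# a rule says `quick`, so these are written first-match, specific first.
IPF_RULES = f"""\
pass  in quick on {LAN_IF} proto udp  from any port = 68 to any port = 67
pass  in quick on {LAN_IF} proto udp  from any to {LAN_IP} port = 53 keep state
pass  in quick on {LAN_IF} proto tcp  from any to {LAN_IP} port = 53 flags S keep state
pass  in quick on {LAN_IF} proto icmp from any to {LAN_IP} icmp-type 8 keep state
pass  in quick on {LAN_IF} proto icmp from any to {LAN_IP} icmp-type 11
block in quick on {LAN_IF} from any to {LAN_IP}
pass  in quick on {LAN_IF} from any to any keep state
"""


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str          # "udp", "tcp" or "icmp"
    dport: int = 0
    icmp_type: int = -1


def firewall_allows(p: Pkt) -> bool:
    """Evaluate IPF_RULES for one packet arriving on the LAN interface."""
    if p.proto == "udp" and p.dport == 67:
        return True                       # DHCP (broadcast or unicast renew)
    if p.dst == LAN_IP:
        if p.proto in ("udp", "tcp") and p.dport == 53:
            return True                   # DNS to the firewall
        if p.proto == "icmp" and p.icmp_type in (8, 11):
            return True                   # ICMP types the message allows
        return False                      # anything else aimed at the firewall
    return True                           # forwarded traffic is passed


def peer_traffic_seen_by_firewall(client_ip: str, prefixlen: int,
                                  peer_ip: str) -> bool:
    """True only when the client's own routing sends peer traffic via the
    gateway.  A host that ignores the lease and configures itself 10.x/8
    ARPs the peer directly, and no firewall rule can see that packet."""
    return next_hop(client_ip, prefixlen, SEC_IP, peer_ip) == SEC_IP


if __name__ == "__main__":
    print(pool_stanza("10.10.10.5", "10.10.10.199", known=True))
    print(IPF_RULES)
    for plen in (32, 8):
        print(f"/{plen} client -> 10.10.10.31 via:",
              next_hop("10.10.10.30", plen, SEC_IP, "10.10.10.31"))
```

Running the script prints the pool stanza, the ipf ruleset and the two routing decisions; the /8 case is the one the rules cannot help with, which is why the quoted reply points at switch configuration rather than the firewall for anything between LAN hosts.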