 
 From:  "Mohammed Ismail" <m dot ismael at gmail dot com>
 To:  "'Chris Buechler'" <cbuechler at gmail dot com>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Anti netcut (was Re: [m0n0wall] m0n0wall 1.3b17)
 Date:  Thu, 30 Apr 2009 23:22:50 +0200
-----Original Message-----
From: Chris Buechler [mailto:cbuechler at gmail dot com] 
Sent: Wednesday, April 29, 2009 7:09 PM
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Anti netcut (was Re: [m0n0wall] m0n0wall 1.3b17)
>
>
>It can't, that's a popular misconception of nearly everyone who wants
>something like this from my experience - it can protect the system
>it's running on, but does nothing for the rest of your network. The
>proper way to handle L2 mischief is to configure your switches
>appropriately so it can't happen. There may be some value in running
>it on the firewall for the WAN side where you normally can't control
>things. I haven't looked at this solution in particular in any depth
>so I'm not sure if it really provides any value.
>

With the special requirements in the DHCP server which FreeBSD provides,
and the secondary IP option, IPFilter:
if you assign a client 10.10.10.30/32 with default gateway 1.1.1.1
and block all traffic to 10.0.0.1 except DHCP and DNS, plus ICMP 8 and 11 to keep
ping and traceroute working,
this client will only see and talk with 1.1.1.1,
and use 10.0.0.1 for DNS and DHCP only.

LAN IP 10.0.0.1/8
Secondary IP 1.1.1.1/32
DHCP server special orders:
Default gateway 1.1.1.1
DNS 10.0.0.1
And I guess it will be pools:
subnet 10.0.0.0 netmask 255.0.0.0 {
    option routers 1.1.1.1;

    # Unknown clients get this pool.
    pool {
        option domain-name-servers bogus.example.com;
        max-lease-time 300;
        range 10.1.1.1 10.1.1.253;
        allow unknown-clients;
    }

    # Known clients get this pool.
    pool {
        option domain-name-servers ns1.example.com, ns2.example.com;
        max-lease-time 28800;
        range 10.10.10.5 10.10.10.199;
        deny unknown-clients;
    }
}
Now we need to have DHCP assign /32 for clients, and I don't get how it
could be done.

Best regards, 
Mohammed Ismail.
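As an added illustration (not part of the thread, and not m0n0wall's or Mohammed's configuration), here is how the /32-per-client idea above can be expressed in ISC dhcpd syntax: the subnet declaration keeps the 10.0.0.0/8 block the post uses, but a `subnet-mask` option overrides the mask every lease carries, so each client is told it is alone on a host network whose only reachable neighbour is the 1.1.1.1 gateway alias. The addresses follow the post; the host name and MAC address are placeholders.

```conf
# Added example in ISC dhcpd syntax; addresses taken from the post,
# host name and MAC below are placeholders.
subnet 10.0.0.0 netmask 255.0.0.0 {
    # Gateway is the firewall's secondary /32 alias, not its LAN address.
    option routers 1.1.1.1;
    # Clients still reach the firewall's LAN address for DNS only.
    option domain-name-servers 10.0.0.1;

    # Override the mask derived from the subnet declaration: every lease
    # is handed out as a /32, so the client considers no other host on-link.
    option subnet-mask 255.255.255.255;

    # Known clients only; unknown MACs get no lease at all.
    pool {
        range 10.10.10.5 10.10.10.199;
        max-lease-time 28800;
        deny unknown-clients;
    }
}

# A fixed lease inherits the /32 mask and the 1.1.1.1 router from the subnet.
host client30 {
    hardware ethernet 00:00:00:00:00:30;   # placeholder MAC
    fixed-address 10.10.10.30;
}
```

Two caveats a defender should keep in mind. First, for an off-link router to work the firewall must answer ARP for 1.1.1.1 on the LAN interface (proxy ARP, assumed here) and the client's DHCP client must be willing to install a host route to a gateway outside its own mask; not every client stack does this. Second, this only shapes the view of clients that honour their lease: a host that configures itself statically, or sends forged ARP as the netcut tool does, is not constrained by a DHCP option, which is exactly why the earlier reply points to switch-level controls as the proper fix for layer-2 mischief.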