Discussion:
How to deny getting a static IP address via pf?
Yavuz Maşlak
2011-07-26 10:44:59 UTC
Hello

I use pf on freebsd as packet filter.

I have a wireless area. The users get to the internet using automatic IP
addresses from the DHCP server.
I wish to deny assigning a static IP address manually.

How can I do that with pf or ipfw or another thing?

thanks
Bas Smeelen
2011-07-26 11:47:57 UTC
Post by Yavuz Maşlak
Hello
I use pf on freebsd as packet filter.
I have a wireless area. The users get to the internet using automatic IP
addresses from the DHCP server.
I wish to deny assigning a static IP address manually.
How can I do that with pf or ipfw or another thing?
thanks
Hi
You cannot prevent a client from setting a static IP address on the client
machine, except when you have control over the client machine.
You can allow access with pf or ipfw only for the DHCP address range you
give out to clients and for static addresses you may have configured
yourself on some network devices that need access. If your firewall defaults
to deny (the default), all other IP addresses are denied; otherwise, deny those
addresses.
Matthew Seaman
2011-07-26 12:57:39 UTC
Post by Yavuz Maşlak
I use pf on freebsd as packet filter.
I have a wireless area. The users get to the internet using automatic IP
addresses from the DHCP server.
I wish to deny assigning a static IP address manually.
How can I do that with pf or ipfw or another thing?
Interesting problem. Do you control the DHCP server and is it running
ISC dhcpd? If so, you can parse the dhcpd.leases file to find all of
the addresses the DHCP server has allocated. Then you could create
firewall rules that default to blocking the DHCP address range, but are
overridden to allow the allocated addresses. The table feature in pf
would be a good way of implementing something like that. (I think ipfw
has an equivalent feature nowadays too.)

It's not going to be pretty, and you'll need to update the table of
allowed addresses quite frequently, or legitimate users will find
themselves locked out of internet access. Also it won't stop someone
who has hijacked an IP from someone else's lease.

Wondering why your users would prefer manually setting addresses rather
than using DHCP, since using DHCP takes away virtually all the effort
involved? If it's because almost all the addresses are already assigned
to leases and it takes ages to get on-line, then two courses of action
suggest themselves:

1) Serve a larger address range through DHCP and/or make the lease
times shorter. Assuming you're behind a NAT gateway, this
shouldn't be particularly hard to set up.

2) Look at the 'adaptive-lease-time-threshold' setting in dhcpd.conf
-- this says to dynamically shorten lease times once address pool
usage goes above a threshold percentage.

Cheers,

Matthew
--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: ***@infracaninophile.co.uk
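The lease-parsing approach Matthew describes, combined with the "allow only the DHCP range and your own static hosts" rule set from Bas's reply, worked through as an added example (this is not code from the thread or from the pf or ISC dhcpd projects). It parses a constructed dhcpd.leases sample, keeps only leases whose latest declaration is active and unexpired, and emits both the table file and a pf.conf fragment. The table name <dhcp_leased>, the table file /var/db/pf-dhcp-leased, the interface wlan0, the pool 192.168.1.0/24 and the function names are all assumptions chosen for the example.

```python
"""Rebuild a pf table from the addresses ISC dhcpd has actually leased.

Added example, not code from this thread.  Assumed names: table <dhcp_leased>
loaded from /var/db/pf-dhcp-leased, wireless interface wlan0, lease file
/var/db/dhcpd/dhcpd.leases.
"""
import re
import sys
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

LEASE_BLOCK = re.compile(r"lease\s+(\d+\.\d+\.\d+\.\d+)\s*\{(.*?)\}", re.S)
NEVER = "never"  # sentinel for "ends never;"


def parse_time(value):
    """'2 2011/07/26 12:00:00' (weekday, date, time; dhcpd writes UTC) -> datetime."""
    _weekday, date, clock = value.split()
    stamp = datetime.strptime(f"{date} {clock}", "%Y/%m/%d %H:%M:%S")
    return stamp.replace(tzinfo=timezone.utc)


def parse_leases(text):
    """Map ip -> {'ends', 'state', 'mac'}.  dhcpd.leases is append-only, so the
    last declaration for an address is the one that counts."""
    leases = {}
    for match in LEASE_BLOCK.finditer(text):
        ip, body = match.groups()
        rec = {"ends": None, "state": None, "mac": None}
        body = re.sub(r"#[^\n]*", "", body)  # strip comments before splitting
        for stmt in body.split(";"):
            stmt = stmt.strip()
            if stmt.startswith("ends "):
                val = stmt[5:].strip()
                rec["ends"] = NEVER if val == NEVER else parse_time(val)
            elif stmt.startswith("binding state "):  # not "next binding state"
                rec["state"] = stmt[len("binding state "):].strip()
            elif stmt.startswith("hardware ethernet "):
                rec["mac"] = stmt[len("hardware ethernet "):].strip()
        leases[ip] = rec
    return leases


def leased_addresses(text, pool, now):
    """Addresses inside `pool` whose latest lease is active and not yet expired.
    The expiry check matters: the file can still read 'active' for a lease
    dhcpd has not rewritten since it ran out."""
    net = ip_network(pool)
    keep = []
    for ip, rec in parse_leases(text).items():
        if rec["state"] != "active":
            continue
        if rec["ends"] is not NEVER and (rec["ends"] is None or rec["ends"] <= now):
            continue
        if ip_address(ip) in net:
            keep.append(ip)
    return sorted(keep, key=ip_address)


def table_file_contents(addresses):
    """One address per line, the format 'pfctl -t <name> -T replace -f' reads."""
    return "".join(f"{a}\n" for a in addresses)


def pf_conf_fragment(wifi_if, pool, static_ok, table_file):
    """pf.conf rules: block the whole pool, then rely on pf's last-match-wins
    semantics to pass only statically configured hosts and leased addresses."""
    static = " ".join(static_ok)
    return f"""wifi_if = "{wifi_if}"
dhcp_pool = "{pool}"
table <static_ok> const {{ {static} }}
table <dhcp_leased> persist file "{table_file}"

# DHCP itself must get through before a client holds any lease
pass in quick on $wifi_if inet proto udp from any port 68 to any port 67

block in on $wifi_if inet from $dhcp_pool to any
pass in on $wifi_if inet from <static_ok> to any
pass in on $wifi_if inet from <dhcp_leased> to any
"""


# Constructed sample in dhcpd.leases(5) syntax; not a real capture.
SAMPLE_LEASES = """\
lease 192.168.1.101 {
  ends 2 2011/07/26 12:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.168.1.102 {
  ends 2 2011/07/26 08:00:00;   # ran out, file not rewritten yet
  binding state active;
  hardware ethernet 00:11:22:33:44:66;
}
lease 192.168.1.103 {
  ends 2 2011/07/26 11:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:77;
}
lease 192.168.1.103 {
  ends 2 2011/07/26 11:00:00;
  binding state free;           # later declaration: client released it
  hardware ethernet 00:11:22:33:44:77;
}
lease 192.168.1.104 {
  ends never;
  binding state active;
  hardware ethernet 00:11:22:33:44:88;
}
"""
NOW = datetime(2011, 7, 26, 10, 45, tzinfo=timezone.utc)  # the thread's date


if __name__ == "__main__":
    # Live use:  python3 leases_to_pf.py /var/db/dhcpd/dhcpd.leases > /var/db/pf-dhcp-leased
    #            pfctl -t dhcp_leased -T replace -f /var/db/pf-dhcp-leased
    # Without an argument the constructed sample above is parsed instead.
    live = len(sys.argv) > 1
    text = open(sys.argv[1]).read() if live else SAMPLE_LEASES
    now = datetime.now(timezone.utc) if live else NOW
    sys.stdout.write(table_file_contents(leased_addresses(text, "192.168.1.0/24", now)))
```

Run from cron (or a small daemon, as Balázs suggests later in the thread) so the table is refreshed about as often as the shortest lease time; the second lease for 192.168.1.103 in the sample shows why the last declaration per address must win. As both Matthew and Chuck note, this only ties access to held leases; it does nothing against a client that copies another client's leased address or MAC.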
Balázs Mátéffy
2011-07-26 13:05:46 UTC
Post by Matthew Seaman
Post by Yavuz Maşlak
I use pf on freebsd as packet filter.
I have a wireless area. The users get to the internet using automatic IP
addresses from the DHCP server.
I wish to deny assigning a static IP address manually.
How can I do that with pf or ipfw or another thing?
Interesting problem. Do you control the DHCP server and is it running
ISC dhcpd? If so, you can parse the dhcpd.leases file to find all of
the addresses the DHCP server has allocated. Then you could create
firewall rules that default to blocking the DHCP address range, but are
overridden to allow the allocated addresses. The table feature in pf
would be a good way of implementing something like that. (I think ipfw
has an equivalent feature nowadays too.)
It's not going to be pretty, and you'll need to update the table of
allowed addresses quite frequently, or legitimate users will find
themselves locked out of internet access. Also it won't stop someone
who has hijacked an IP from someone else's lease.
Wondering why your users would prefer manually setting addresses rather
than using DHCP, since using DHCP takes away virtually all the effort
involved? If it's because almost all the addresses are already assigned
to leases and it takes ages to get on-line, then two courses of action
1) Serve a larger address range through DHCP and/or make the lease
times shorter. Assuming you're behind a NAT gateway, this
shouldn't be particularly hard to set up.
2) Look at the 'adaptive-lease-time-threshold' setting in dhcpd.conf
-- this says to dynamically shorten lease times once address pool
usage goes above a threshold percentage.
Cheers,
Matthew
Hi,

I would run a Perl program as a daemon that would parse the DHCP logs for
given IPs, then I would load those IPs into a PF table, which that way could
contain the trusted hosts, which you would then pass packets from and to.
This could work IMHO. But this approach to the problem can contain serious
flaws...

Best Regards,

Balazs.
Chuck Swiger
2011-07-26 15:01:56 UTC
Post by Yavuz Maşlak
I use pf on freebsd as packet filter.
I have a wireless area. The users get to the internet using automatic IP
addresses from the DHCP server.
I wish to deny assigning a static IP address manually.
You can't prevent someone from doing manual configuration.

If you were connecting via a smart switch, you can configure MAC address filtering on each of the switch ports and then use DHCPd to only assign each MAC to the right range or static IP, and then use an IP-based firewall to control traffic from there. If a user tried to spoof some other MAC, the switch would block such traffic.

However, with wireless, nothing prevents the users from spoofing other MACs.

Regards,
--
-Chuck
Eric S Pulley
2011-07-26 17:59:40 UTC
Post by Chuck Swiger
Post by Yavuz Maşlak
I use pf on freebsd as packet filter.
I have a wireless area. The users get to the internet using automatic IP
addresses from the DHCP server.
I wish to deny assigning a static IP address manually.
You can't prevent someone from doing manual configuration.
If you were connecting via a smart switch, you can configure MAC address
filtering on each of the switch ports and then use DHCPd to only assign
each MAC to the right range or static IP, and then use an IP-based
firewall to control traffic from there. If a user tried to spoof some
other MAC, the switch would block such traffic.
However, with wireless, nothing prevents the users from spoofing other MACs.
Regards,
--
-Chuck
If your purpose is to deny a person the ability to add themselves manually
to your local net and then get to other networks, this is a perfect example
of a use for authpf. Combine authpf with port security on your local
switch (if you have that functionality).

But they can still spoof their MAC, so it doesn't protect the local wifi
subnet much. The only thing I know works 100% is to set up a wifi net that is
unrouted with nothing in it but a VPN concentrator; once someone connects
to the wifi net, they establish an encrypted VPN connection that will
route the VPN traffic in/out of the wifi net.

Might be an interesting project for someone to add a PKI auth layer to the
DHCP protocol if someone hasn't already. I can think of several uses for
it.

Of course Cisco has something that might work for you:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftdsiaa.html.
I'd rather figure something else out than pay them for their crap though.