exclude addresses
Sten Carlsen
sten at s-carlsen.dk
Thu Jan 10 08:08:58 UTC 2008
I would say that it depends on the actual network setup and size. In my
case I have a small network and there is no router I could use for that.
I also want this to be a "catch all" solution, so if you are not known
you get no real access even if you have not been seen before.
In your case I understand there is a big network with routers you can
use, so that is one obvious solution.
It depends on the situation also, is this a device that should not be in
the network and that you can not remove physically? Is it operated by
some smart guy, then he could just give it a new MAC address, that would
take a few minutes in most cases. If it is a laptop, you would have to
block that MAC in all routers.
On the other hand it has to be a very large network to actually use all
the space in the private ranges, 10.x.x.x alone is 16 million addresses. Or
a very large assignment for every subnet.
You could use some of the bogon addresses and filter for those
(http://www.cymru.com/Bogons/). Using such an address would also
minimise the access it could get to the world.
As mentioned the cure depends on the task.
Ron Croonenberg wrote:
> where I work we have a pretty large network and those private nets are
> already in use by different depts
>
> as for @ home, why not use MAC based filtering on the router?
>
> Sten Carlsen wrote:
>> Hi
>>
>> I have set this up at my house, I use an address range for normal
>> hosts 192.168.x.x, I have set up another range for unknown hosts
>> 10.0.0.x, gateway, DNS, ... is set differently than the ones for
>> normal access.
>>
>> This looks to the uninvited like the standard setup you will get from
>> an unprotected AP in its default setup. The idea is that the "guest"
>> will believe that I have some AP in its default setup but have so few
>> abilities that I have not been able to get it connected to the
>> internet. The hope is that he will go to the next place.
>>
>> So basically I give these guys an address but a non-functional address.
>>
>>
>> If people really want access, you have only routers and VLANs to play
>> with. None of this dhcpd setup will prevent manually set addresses.
>>
>>
>> Ron Croonenberg wrote:
>>> Hi Stan,
>>>
>>> I tried assigning 0.0.0.0 and 169.254.x.y but somehow that
>>> client sees that it is a 'worthless' address and keeps using the old
>>> address it 'stole'.
>>>
>>> I noticed that with 'deny booting' it uses the old address too
>>> even after trying to get an address with dhcp
>>>
>>>
>>>
>>> Sten Carlsen wrote:
>>>> How about a host declaration with "deny booting"?
>>>>
>>>> On the other hand you could give him a special IP, that has no
>>>> routing anywhere. Make a new range, set all parameters seemingly
>>>> like they should be, but make sure your firewall knows that this
>>>> range must not go anywhere.
>>>>
>>>> This way the unwanted guest will have a harder time to figure out
>>>> what happened.
>>>>
>>>> In the archives there is an example on this. Somewhere.
>>>>
>>>> Brian Raaen wrote:
>>>>> you can try creating a class that has that mac address in a
>>>>> subclass. Then you can block that mac address in any pool you
>>>>> want. I have attached the relevant part of the dhcpd.conf man page.
--
Best regards
Sten Carlsen
No improvements come from shouting:
"MALE BOVINE MANURE!!!"
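The setup described in this thread (a normal range for known hosts, a separate non-routed "guest" range for unknown ones, plus Brian's class/subclass idea to exclude a single MAC) written out as an ISC dhcpd.conf. This is an added illustration, not a configuration posted by anyone in the thread; the MAC addresses, ranges and the shared-network name are placeholders.

```conf
# Constructed example, not from the thread. Both subnets sit on the same
# physical LAN, so they must be grouped in one shared-network; otherwise
# dhcpd will only ever offer addresses from the subnet of the receiving
# interface.
shared-network home {

    # Known hosts: one host declaration per machine (placeholder MACs).
    host laptop1 {
        hardware ethernet 00:11:22:33:44:55;
        fixed-address 192.168.1.10;
    }

    # A single MAC that should get no lease at all (Sten's first suggestion).
    # Note from the thread: the client may simply keep its old address.
    host unwanted {
        hardware ethernet 00:de:ad:be:ef:00;
        deny booting;
    }

    # Brian's variant: a class keyed on the hardware address, so a pool can
    # exclude that MAC without a per-host fixed address. The subclass key is
    # htype:mac, i.e. "1:" prefix for Ethernet.
    class "blocked" {
        match hardware;
    }
    subclass "blocked" 1:00:de:ad:be:ef:00;

    # Normal range: only hosts with a host declaration above.
    subnet 192.168.1.0 netmask 255.255.255.0 {
        option routers 192.168.1.1;
        option domain-name-servers 192.168.1.1;
        pool {
            range 192.168.1.100 192.168.1.200;
            deny unknown-clients;
            deny members of "blocked";
        }
    }

    # Guest range: looks like a default AP, but gateway and DNS point at
    # 10.0.0.1, which the firewall must drop/never forward (dhcpd itself
    # cannot stop a manually configured address, as noted in the thread).
    subnet 10.0.0.0 netmask 255.255.255.0 {
        option routers 10.0.0.1;
        option domain-name-servers 10.0.0.1;
        default-lease-time 600;
        pool {
            range 10.0.0.100 10.0.0.200;
            allow unknown-clients;
            deny known-clients;
        }
    }
}
```

Check the file with `dhcpd -t -cf /path/to/dhcpd.conf` before restarting the server, and remember the firewall rule for 10.0.0.0/24 is what actually enforces the "no real access" part.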