[ale] ISC DHCPD config question

Brian MacLeod nym.bnm at gmail.com
Wed Aug 14 17:05:32 EDT 2013



This is looking more and more like something I did at a previous job
in order to restrict access to "unknown" clients.

Basically, if your MAC address wasn't known to the DHCP server, if
available, hand out from a small pool of IP addresses that are
firewalled to go only to the local LANs, all other outbound traffic
blocked.  That left us the capability of fixing the machine with
locally stored packages, and getting to the registration page, which
put these entries in a lightweight DB and generated new dhcpd.conf
files, which were reloaded at 10 minutes.

In your case, you wouldn't need a DB since you're only dealing with
known addresses anyway.  You could have short leases (say, 5-10
minutes), and when a cronjob kicks in, swap the dhcpd.conf files, with
addresses that go to a "dead" pool.

That "dead" pool is firewalled/proxied/whatever you want.

This would keep you from having to worry about subnets.  It could also
teach the kid how to manually change the address if they watched this
event happen...so...

Maybe this as a first step, then get into the subnetting and IP helper
address fun (one way to get DHCP to answer on multiple subnets).


In the following example, firewall outbound everything from
192.168.1.64/26 (255.255.255.192).

You could even take the class and subclass statements, make them an
included file in dhcpd.conf, and simply have the cronjob pivot the
entries in that file/or switch between two files with the kid's MAC
listed in restricted or unrestricted, and leave your main dhcpd.conf
intact :-)  Don't forget the reload.


HACKED UP EXAMPLE FROM dhcpd.conf man and your example:
****************

# Both classes key on the client identifier if the client sent one,
# otherwise on the hardware (type byte + MAC) address.
class "restricted" {
    match pick-first-value (option dhcp-client-identifier, hardware);
}

class "unrestricted" {
    match pick-first-value (option dhcp-client-identifier, hardware);
}

# 1: = ethernet hardware type, followed by the MAC with leading zeros dropped.
subclass "restricted" 1:8:0:2b:4c:39:ad;
subclass "unrestricted" 1:8:0:2b:a9:cc:e3;

subnet 192.168.1.0 netmask 255.255.255.0 {
    option domain-name-servers 192.168.1.115, 4.2.2.1, 192.168.1.254;
    option routers 192.168.1.254;
    option broadcast-address 192.168.1.255;
    default-lease-time 600;
    max-lease-time 600;
    # 192.168.1.64/26: firewall all outbound traffic from this range.
    pool {
        allow members of "restricted";
        range 192.168.1.64 192.168.1.127;
    }
    pool {
        allow members of "unrestricted";
        range 192.168.1.128 192.168.1.191;
    }
}


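The cronjob half of this scheme, as an added shell example that is not part of the original post: it renders the class/subclass include file for one MAC in the requested mode, swaps it in, refuses to restart dhcpd if `dhcpd -t` rejects the combined config, and restarts the service. The file paths, the sample MAC, the restriction hours and the service name are assumptions.

```shell
#!/bin/sh
# Cron-driven pivot of the class/subclass include file that dhcpd.conf pulls in
# with:  include "/etc/dhcp/kid-classes.conf";
# Paths, the sample MAC, the schedule and the service name below are assumptions.
DHCPD_CONF="${DHCPD_CONF:-/etc/dhcp/dhcpd.conf}"
CLASS_FILE="${CLASS_FILE:-/etc/dhcp/kid-classes.conf}"
KID_MAC="${KID_MAC:-08:00:2b:4c:39:ad}"     # constructed sample MAC

# dhcpd's "hardware" value is the type byte (1 = ethernet) followed by the MAC
# with each octet's leading zero dropped: 08:00:2b:4c:39:ad -> 1:8:0:2b:4c:39:ad.
hw_key() {
    printf '%s' "$1" | tr 'A-F' 'a-f' |
        awk -F: -v OFS=: '{ for (i = 1; i <= NF; i++) sub(/^0/, "", $i); print "1:" $0 }'
}

# Constructed schedule: restricted from 21:00 through 06:59, unrestricted otherwise.
mode_for_hour() {
    h=$(printf '%s' "$1" | sed 's/^0//')      # "07" -> "7" so the comparison is decimal
    if [ "${h:-0}" -ge 21 ] || [ "${h:-0}" -lt 7 ]; then echo restricted; else echo unrestricted; fi
}

# Emit the include-file body. Both classes are always declared; only the subclass
# line moves the MAC between them, so the pools in dhcpd.conf never change.
render_classes() {    # $1 = restricted|unrestricted, $2 = MAC
    case "$1" in restricted|unrestricted) ;; *) echo "bad mode: $1" >&2; return 1 ;; esac
    printf '%s\n' \
        '# generated by cron; do not edit by hand' \
        'class "restricted"   { match pick-first-value (option dhcp-client-identifier, hardware); }' \
        'class "unrestricted" { match pick-first-value (option dhcp-client-identifier, hardware); }' \
        "subclass \"$1\" $(hw_key "$2");"
}

# Swap the file in, but keep the old copy until "dhcpd -t" accepts the combined
# config: restarting on a broken dhcpd.conf would take the whole LAN offline.
apply_mode() {        # $1 = restricted|unrestricted
    tmp="$CLASS_FILE.new.$$"; bak="$CLASS_FILE.bak"
    render_classes "$1" "$KID_MAC" > "$tmp" || return 1
    [ -f "$CLASS_FILE" ] && cp "$CLASS_FILE" "$bak"
    mv "$tmp" "$CLASS_FILE"
    if ! dhcpd -t -cf "$DHCPD_CONF" >/dev/null 2>&1; then
        echo "dhcpd -t rejected $CLASS_FILE, restoring previous copy" >&2
        [ -f "$bak" ] && mv "$bak" "$CLASS_FILE"
        return 1
    fi
    # ISC dhcpd does not re-read its config on a signal, so a real restart is needed.
    service isc-dhcp-server restart
}

# Only act when invoked by cron, e.g. "*/10 * * * * /usr/local/sbin/kid-classes.sh cron"
if [ "${1:-}" = "cron" ]; then apply_mode "$(mode_for_hour "$(date +%H)")"; fi
```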

