Date: Wed, 31 May 2006 20:50:40 -0400
From: Eric Martin <freak4uxxx@gmail.com>
Subject: [Wlug] dhcpd question
To: Worcester Linux Users Group <wlug@mail.wlug.org>
Does anybody know how to block a specific MAC address from getting a DHCP address in ISC dhcpd? I know I can do it with iptables, and I know that they will still be able to set a static IP, but I need to do it this way. I have the notion I need to use pool, and set a known host and then deny, but I can't get it right. Any help would be appreciated.
Eric
Did you possibly try googling on DHCP and MAC? I know this answer is out there as I have successfully googled it before. Any help past that would require doing it for you (and $$). Joel
Could you just assign that MAC a bad IP setup? Like the wrong netmask or something? Would that solve your problem?

--- joel d <joelgroup@gmail.com> wrote:
_______________________________________________
Wlug mailing list
Wlug@mail.wlug.org
http://mail.wlug.org/mailman/listinfo/wlug
On Fri, Jun 02, 2006 at 12:22:22PM -0700, Mike Leo wrote:
FWIW, I believe the "correct" method is listed in the dhcpd.conf man page. Look for "ALLOW AND DENY WITHIN POOL DECLARATIONS". There's a way to do allow/deny. Without digging further, I'd guess you make a class with the MAC addresses you don't want getting addresses, then deny the class.

--
Randomly Generated Tagline:
"It's kind of like wanting to be in a band, but being a roadie ..." - Instructor Otten
So I am barking up the right tree. I can't get it to work yet, but it's good to know I'm on the right path. Thank you to everybody for helping. Just so everyone knows, I'm listing wlug under my resources that helped me (it's part of the class to list your resources for *everything*).

Theo Van Dinter wrote:
I figured it out. Thanks to all who helped point me in the right direction. The man page was just really hard to grasp until I took a few breaks and took a shot in the dark.

Theo Van Dinter wrote:
So, why don't you post the answer so that others may benefit from it?

-Jared

On 6/2/06, Eric Martin <freak4uxxx@gmail.com> wrote:
# Global Declarations
ddns-update-style ad-hoc;
option domain-name "home.local";
default-lease-time 604800;   # Default Lease 1 Week
max-lease-time 1209600;      # Max Lease 2 weeks
authoritative;               # We are the official DHCP Server for this network

subnet 10.10.20.0 netmask 255.255.255.0 {
    authoritative;

    # Everybody in here will not get an ip whatsoever
    pool {
        range 10.10.20.20 10.10.20.127;
        deny known-clients;
        host slide {
            hardware ethernet 00:c0:9f:15:d7:3f;
        }
    }

    pool {
        range 10.10.20.128 10.10.20.253;
        deny unknown-clients;
        host fixed {
            hardware ethernet 00:11:22:33:44:55;
            # fixed-address 10.10.20.25;
        }
    }
}

Basically what you want is at least two pools. The first pool will do most of your address assignments, but if you specify the host, it will deny it due to the deny known-hosts. The second pool I'm using for static assignments, but it's crucial to have the deny unknown-clients or else anybody you deny up top will be able to get an IP here. As usual, questions, comments, anything else is always welcome.

Jared Greenwald wrote:
On Sat, 2006-06-03 at 07:11 -0400, Eric Martin wrote:
Nice work, Eric. We knew you had it in you, if you stuck with it long enough. ;) Thanks for sharing your solution, too.

....Bill
On Sat, Jun 03, 2006 at 07:11:24AM -0400, Eric Martin wrote:
You've made several of the classic mistakes that everyone makes at first when learning ISC dhcpd (including myself :-) ).

host {} blocks are always global in scope, regardless of where in the configuration they are placed. Putting them inside pool {} blocks just confuses readers into thinking they are locally scoped. So, in this configuration both hosts "slide" and "fixed" are considered known-clients, and they will both get dynamic addresses out of the second pool, unless the fixed-address was uncommented for host "fixed", in which case "deny known-clients" etc. doesn't apply at all (they only apply to dynamic assignments).

Another thing: fixed-address assignments must not be inside of pool ranges. The server will not check for such conflicts of static/dynamic addressing, so you will get duplicate IP assignments to more than one client in case fixed-addresses and ranges overlap. You can exclude the fixed-addresses like this:

    pool {
        range 10.10.20.20 10.10.20.24;
        range 10.10.20.26 10.10.20.127;
        [....]
    }

Common practice is to not intersperse fixed-addresses throughout multiple pool ranges, to prevent unwieldy configurations with multiple range statements per pool. Rather, fixed-addresses are usually assigned contiguously together outside of a single pool range.

Finally, when you say "everybody in here will not get an ip whatsoever", that is not true. The "deny known-clients" implicitly does "allow unknown-clients", and vice versa, so unknown-clients (those without any matching host {} declaration) will get dynamic addresses out of the first pool.
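For readers who want the config Chuck's corrections and Theo's class/deny suggestion add up to, here is a dhcpd.conf rewritten along those lines. It is an added example, not a file anyone in the thread posted: the subnet and the two MAC addresses are Eric's, while the class name "blocked", the fixed address 10.10.20.10 and the gateway 10.10.20.1 are assumptions of this example.

```conf
# Added example, not from the thread: Eric's dhcpd.conf with Chuck's
# corrections applied and the blocked MAC handled via a class, as Theo
# suggested. Class name, fixed address and gateway are assumed values.
ddns-update-style none;        # the original's "ad-hoc" style is not accepted by current dhcpd
option domain-name "home.local";
default-lease-time 604800;     # 1 week
max-lease-time 1209600;        # 2 weeks
authoritative;

# host {} is global in scope, so declare it at top level instead of inside
# a pool, where it only looks local. Its fixed-address is kept outside every
# dynamic range below; dhcpd will not detect an overlap for you.
host fixed {
    hardware ethernet 00:11:22:33:44:55;
    fixed-address 10.10.20.10;
}

# MACs in this class are refused a dynamic lease by every pool that denies it.
# "hardware" is the hardware-type byte followed by the link-layer address,
# hence the 6 bytes starting at offset 1.
class "blocked" {
    match if substring(hardware, 1, 6) = 00:c0:9f:15:d7:3f;
}

subnet 10.10.20.0 netmask 255.255.255.0 {
    option routers 10.10.20.1;          # assumed gateway
    option subnet-mask 255.255.255.0;

    # General pool: unknown clients are implicitly allowed here, the blocked
    # class is not.
    pool {
        range 10.10.20.20 10.10.20.127;
        deny members of "blocked";
    }

    # Pool reserved for clients with a host {} declaration. The second deny is
    # defensive: without it, adding a host {} for a blocked MAC later would let
    # that client lease from this pool.
    pool {
        range 10.10.20.128 10.10.20.253;
        deny unknown-clients;
        deny members of "blocked";
    }
}
```

With this layout the blocked MAC matches neither pool (denied by class in the first, unknown in the second) and so receives no address from dhcpd; as Eric noted at the start, that does not stop the machine from configuring a static address by hand. An alternative dhcpd offers for a single client is a host {} block containing "deny booting;", which stops the server responding to that client at all.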
Thanks for the pointers on that, I will incorporate those changes. About that comment, I re-read the config file and I see exactly what you're talking about; I just forgot to delete the comment before I emailed this off originally.

Chuck Anderson wrote:
No, dhcpd catches any IP out of your range as an error and assigns it an address in your range. That was the first thing I tried. I know it has to do with pools and denying a known host, but the syntax just isn't working for me.

Mike Leo wrote:
Of course I've googled it... I find some stuff that sounds like it will work, but the syntax isn't correct. Thanks for the offer, but I'm only asking for help as a last resort. I'm treating this class like a job, and in a regular line of work soliciting a mailing list is OK when you have exhausted all other options. Having somebody do my work for me is another thing.

joel d wrote: