Deny DHCP Address by MAC?

Glenn Satchell glenn.satchell at uniq.com.au
Sun Jul 18 11:34:17 UTC 2010


Probably about the same as my nearly 50-year-old memory too :-)

Anyway, the whole class idea is way more elegant than a bunch of host 
entries. And far more efficient as you get more sub-class members.

regards,
-glenn

On 07/18/10 01:14, Jeff Wieland wrote:
> Glenn, you're right.  Darn my nearly 50-year-old memory anyway :-).
>
> Glenn Satchell wrote:
>> The other way is to use a host statement, eg:
>>
>> host "black1" {
>> hardware ethernet 00:12:ba:1d:c1:b7;
>> ignore booting;
>> }
>>
>> I thought the difference between ignore and deny booting was that deny
>> booting logs a message each time the client requests an address. If
>> the client requests frequently this could fill your log file pretty
>> quickly.
>>
>> Note that the user can still manually configure an Ip address, so this
>> is not a perfect solution.
>>
>> regards,
>> -glenn
>>
>> On 07/17/10 06:38, Jeff Wieland wrote:
>>> What we usually do is to create a class called something like "black-hole",
>>> and then use subclasses to match on it. Something like:
>>>
>>> class "black-hole" {
>>> match substring (hardware, 1, 6);
>>> # deny booting;
>>> ignore booting;
>>> }
>>> subclass "black-hole" 00:12:ba:1d:c1:b7;
>>> subclass "black-hole" 00:12:df:b6:7b:e7;
>>>
>>> You can have as many of the "subclass" statements as you need. This uses an
>>> ignore booting command, which causes dhcpd to do nothing when it sees that
>>> MAC address. If you comment out the "ignore booting" and uncomment the
>>> "deny booting", it will send a DHCPNAK (IIRC) to the client instead.
>>>
>>> Tim Evans wrote:
>>>> A .EDU with insecure offices, network outlets, and labs, is trying to
>>>> track down a rogue DHCP client on their network that also happens to
>>>> be infected with conficker.
>>>>
>>>> They have a completely open DHCP setup (this is the entire dhcpd.conf
>>>> file):
>>>>
>>>> ddns-update-style ad-hoc;
>>>> authoritative;
>>>> subnet 192.168.9.0 netmask 255.255.255.0 {
>>>> range 192.168.9.125 192.168.9.200;
>>>> option subnet-mask 255.255.255.0;
>>>> option broadcast-address 192.168.9.255;
>>>> option routers 192.168.9.1;
>>>> option domain-name-servers 192.168.9.4;
>>>> option domain-name "xxx.xxx.xxx";
>>>> }
>>>>
>>>> Any connected machine can get an address from the range specified in
>>>> the config file. Bouncing this one's lease merely results in it
>>>> getting a new one.
>>>>
>>>> They know the rogue machine's MAC address, of course. Can they deny it
>>>> a DHCP address based only on the MAC? How? Thanks.
>>>
>>>
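The class/subclass approach above, as an added example that is not part of the thread: a small Python helper that normalises a list of MAC addresses into the "black-hole" stanza (choosing ignore or deny booting), plus a counter over dhcpd syslog lines so a client that keeps re-requesting stands out. The log lines and MAC addresses are constructed for the example; the DHCPDISCOVER line format is dhcpd's usual syslog form.

```python
"""Build the dhcpd "black-hole" class from MAC addresses and summarise
per-MAC DHCPDISCOVER activity from dhcpd log lines. Added example; the
sample log below is constructed, not captured from a real server."""
import re
from collections import Counter

MAC_FORM = re.compile(r"[0-9a-f]{2}([:-]?[0-9a-f]{2}){5}")
DISCOVER_RE = re.compile(r"DHCPDISCOVER from ([0-9a-f:]{17})", re.I)

# Constructed sample log: the first client asks repeatedly, the second once.
SAMPLE_LOG = [
    "Jul 18 10:01:02 dhcp dhcpd: DHCPDISCOVER from 00:12:ba:1d:c1:b7 via eth0",
    "Jul 18 10:01:02 dhcp dhcpd: DHCPOFFER on 192.168.9.130 to 00:12:ba:1d:c1:b7 via eth0",
    "Jul 18 10:01:35 dhcp dhcpd: DHCPDISCOVER from 00:12:ba:1d:c1:b7 via eth0",
    "Jul 18 10:02:10 dhcp dhcpd: DHCPDISCOVER from 00:12:df:b6:7b:e7 via eth0",
    "Jul 18 10:02:41 dhcp dhcpd: DHCPDISCOVER from 00:12:BA:1D:C1:B7 via eth0",
]


def normalize_mac(mac):
    """Return aa:bb:cc:dd:ee:ff; accepts colon, dash or bare-hex input."""
    raw = mac.strip().lower()
    if not MAC_FORM.fullmatch(raw):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = re.sub(r"[:-]", "", raw)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def render_blackhole_class(macs, action="ignore"):
    """Emit the class/subclass stanza from the thread. 'ignore' makes dhcpd
    stay silent; 'deny' answers with DHCPNAK and logs each attempt."""
    if action not in ("ignore", "deny"):
        raise ValueError("action must be 'ignore' or 'deny'")
    lines = ['class "black-hole" {',
             '    match substring (hardware, 1, 6);',
             f'    {action} booting;',
             '}']
    # Deduplicate and sort so the stanza is stable across regenerations.
    for mac in sorted({normalize_mac(m) for m in macs}):
        lines.append(f'subclass "black-hole" {mac};')
    return "\n".join(lines) + "\n"


def count_discovers(log_lines):
    """Per-MAC count of DHCPDISCOVER lines, case-folded on the address."""
    counts = Counter()
    for line in log_lines:
        m = DISCOVER_RE.search(line)
        if m:
            counts[m.group(1).lower()] += 1
    return counts


if __name__ == "__main__":
    noisy = [mac for mac, n in count_discovers(SAMPLE_LOG).items() if n >= 3]
    print(render_blackhole_class(noisy, action="ignore"))
```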
