Limit DHCP requests with iptables - problem: Router

Juergen Northe juergen.northe at googlemail.com
Mon Feb 7 22:46:21 UTC 2011


Since the DHCP requests are relayed through a udp-helper, iptables
rules are "crutches". If you do not want to leave this path, perhaps
you can use shorewall and ask Tom Eastep for help.
If your edge switches are 802.1X capable you might have a look at
freeradius where you can not only control network access via MAC but
even push an ip-address with the accept packet. In this case you'll
push your issue to the authenticator and the authentication server. So
your printer can only be a member of your network with a valid IP and
this one he'll get at the entrance.


2011/2/7 Friesen, Don SSBC:EX <Don.Friesen at gov.bc.ca>:
>
>>>
>>> That won't work because all his dhcp queries come with the same
>>> MAC address - the router which is forwarding them.
>>>
>>>
>>
>>Then you might try adding a limit test and -j ACCEPT .
>>
>>--limit rate[/second|/minute|/hour|/day]
>>Maximum average matching rate: specified as a number, with
>>an optional ‘/second’, ‘/minute’, ‘/hour’, or ‘/day’ suffix; the default
>>is 3/hour.
>>
>>Dave
>
>   Periodically we had printers spam our servers with requests faster than the servers we were using at the time could respond to.  The solution was to block all traffic from the router for a few seconds.  Two or three seconds was all it took for the printers to reset.  Then the traffic was turned up again.  We did this manually on the router by removing the helper addresses.  So the rate limiting would be better, as automation good... yes :)
>
>   This was prior to our adopting ISC DHCP.  I haven't seen it since.  Our only issue now is that Corp Headquarters is enforcing a managed power-off overnight with an automated power-up at 7am.  When 30,000 machines turn on within a few seconds, the DHCP traffic is a bit excessive, and even our new ISC based servers can't keep up.  Any such rate limiting would play havoc with our DHCP service at that time of the day, as it already takes 30 minutes to fully service all the machines.  And yes, we have suggested that they stagger the start-up, but it falls on deaf ears.
>
>
> Don Friesen
>



-- 
with kind regards
Jürgen Northe
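Added example, not from this thread: a small Python model of the token bucket behind the iptables `-m limit` match (rate syntax as in Dave's quoted `--limit` description, bucket size as iptables' default `--limit-burst 5`), run over constructed request timings. It shows why a limit on the relay's single source address leaves one retrying printer untouched but drops most of a relayed boot storm, which is the concern Don raises.

```python
"""Token-bucket model of the iptables "-m limit" match applied to DHCP
requests that all arrive via one relay (one source MAC, as the thread
notes). All timestamps below are constructed, not measured."""

UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_rate(spec: str) -> float:
    """Turn '--limit' syntax ('3/hour', '10/second') into matches per second.
    A bare number is taken as per second, as libxt_limit does."""
    num, _, unit = spec.partition("/")
    return float(num) / UNITS[unit or "second"]


class LimitMatch:
    """-m limit semantics: a bucket of `burst` tokens refilled at `rate`
    tokens per second; each packet that matches consumes one token."""

    def __init__(self, rate: float, burst: int = 5) -> None:
        self.rate = rate
        self.burst = float(burst)
        self.tokens = float(burst)  # bucket starts full
        self.last = 0.0

    def matches(self, now: float) -> bool:
        # refill proportional to elapsed time, capped at the burst size
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(timestamps, rate_spec: str, burst: int = 5):
    """Count requests that would hit '-m limit --limit <rate_spec> -j ACCEPT'
    versus fall through to a later DROP. Returns (accepted, dropped)."""
    lm = LimitMatch(parse_rate(rate_spec), burst)
    accepted = sum(1 for t in timestamps if lm.matches(t))
    return accepted, len(timestamps) - accepted


def storm(hosts: int, per_second: int):
    """Constructed boot storm: `hosts` requests evenly spaced at
    `per_second` per second, all relayed from the same router."""
    return [i / per_second for i in range(hosts)]


if __name__ == "__main__":
    # One printer retrying every 10 s passes a 1/second limit untouched ...
    print(simulate([10.0 * i for i in range(10)], "1/second"))
    # ... but a boot storm through the relay is mostly dropped, because
    # the limit cannot tell the hosts behind the relay apart.
    print(simulate(storm(640, 64), "8/second"))
```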


