Re: Dhcp+IP adresses+firewall

[Eric Sisler <esisler westminster lib co us>]

Tomas Tikovsky <Tikovsky Tomas cmkos cz>

>I need to setup a dhcp to serve ip addreses to clients.
>How can i prevent users from connection to internet when they configure
>they pc's by themselves?

I'm not quite sure I understand the question, so let me rephrase it - Do
you mean than only those PC's that have received an IP address from your
dhcp server should be allowed to get to the internet and that if the user
manually configures the IP address, etc., they should have no access to the
internet?

If that's what you're trying to do, I'm not aware of any foolproof method
of doing so.  You can restrict internet access to those IP addresses in
your DHCP pool with ipfwadm/ipchains, but a reasonably smart user could
pick an IP address in your pool and configure their PC with it.  This would
likely cause IP address conflicts and you could probably spot troublemakers
fairly easily this way.  Another possibility would be to use some security
software on the PC's (I'm assuming Win 9x/NT for the moment) that would
prevent users from changing the network settings - thus forcing them to use
dhcp.  You could then assign all PC's an address via dhcp and create allow
rules with ipfwadm/ipchains for those IP addresses that should be allowed
internet access.  You may have to statically assign IP addresses with dhcp
if the same PC's should always have internet access.  We use DHCP for just
this purpose.  It takes a little work to get it setup initially, but after
that each PC always gets the same IP address.

HTH

-Eric


Eric Sisler
Library Computer Technician
Westminster Public Library
Westminster, CO, USA
esisler westminster lib co us

Linux - don't fear the Penguin.
Want to know what we use Linux for?
Visit http://gromit.westminster.lib.co.us/linux