On Wed, May 23, 2012 at 10:39 AM, Tom Eastep <teastep@shorewall.net> wrote:
On 05/23/2012 08:06 AM, Lee Brown wrote:
> Hello everybody,
> Is there a tool that can, for a new connection, verify that the RFC1918
> IP match what was assigned by DHCP? (firewall gateway with DHCP for
> inside clients, to a few ISP's on the outside)
> The obvious effect would be to block traffic for self-assigned IP addresses.
> My flailing around on google has yielded nothing helpful.  I'm not the
> best at guessing good search terms, so please feel free to throw those
> at me.


I'm sorry Tom, but I don't understand how the leases assigned from the DHCP server automatically add MAC's it has given an address out to, nor remove MAC's for expired leases.
If I understand the example correctly, that is essentially accepting traffic from a fixed list, maclist is a static filter, correct?

Maybe an example would help clarify:

My firewall/gateway/DHCP server is at

Guest1 plugs in their laptop and the DHCP server assigns say to 00:01:02:03:04:05 for 1 hour
Guest2 plugs in their laptop and self-assigns themselves as 00:11:22:33:44:55

firewall should forward traffic from
firewall should block traffic from not really relevant

Guest1 unplugs their laptop and walks away.  A little under an hour later firewall blocks traffic from

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
Shorewall-users mailing list