# how to block a MAC using dhcpd.conf?



## gardner (Aug 20, 2019)

I am currently using dhcpd-6.0.20170207_2 on 11.2R AMD64.  I use my FreeBSD system as the DHCP server and have some diagnostics and alerts fed off the logs and lease files to monitor my network.

I have an occasion now to wish to block a certain MAC address somehow, and I am not really understanding how to go about this or if it is possible via the DHCP config.  The idea I have would be to assign a specific MAC address to a non-functional subnet.  It does not have to be a genuinely secure type of blocking, just something that prevents a device from using the net until its configuration is seen to.  Is there a cookbook recipe for doing this that someone can point me to?

Thanks.


----------



## sol289 (Aug 20, 2019)

Put this to your dhcpd.conf:

```
host block_host_1 {
   hardware ethernet ho:st:ma:ca:dd:rs;
   deny booting;
}
```


----------



## T-Daemon (Aug 21, 2019)

If you want to block multiple MACs, instead of creating a "host" statement, a "class" statement with "subclass" entries is more efficient. Link

And set "ignore" instead of "deny" (follow the thread for details).

With sol289's setting and the settings from the dhcp-user mailing list posting, the client can still set an IP address manually, if he knows the IP range.

You could append a "pool" statement to prevent this. Change the entries accordingly. Link
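Putting sol289's host entry together with the class/subclass and pool statements T-Daemon refers to, here is an added example dhcpd.conf fragment. It is constructed for this thread, not copied from either post or from the linked recipes; the subnet, pool range and MAC addresses are placeholders.

```conf
# Added example: dhcpd.conf fragment. Addresses and MACs are placeholders.

# 1. A single host, as in sol289's reply. "deny booting" gives this
#    client no answer and logs the refused request.
host block_host_1 {
    hardware ethernet 00:11:22:33:44:55;
    deny booting;
}

# 2. Several MACs: one class, one subclass line per MAC.
#    "match hardware" compares the hardware-type byte plus the MAC, so each
#    subclass value starts with 1: (Ethernet).
#    "ignore booting" also gives no answer, but does not log the request,
#    which keeps the dhcpd log quieter than "deny".
class "blocked" {
    match hardware;
    ignore booting;
}
subclass "blocked" 1:00:11:22:33:44:66;
subclass "blocked" 1:00:11:22:33:44:77;

subnet 192.0.2.0 netmask 255.255.255.0 {
    option routers 192.0.2.1;
    option domain-name-servers 192.0.2.1;

    # 3. Pool open only to non-members of the class, so a blocked MAC is
    #    never allocated a lease from this range even if the booting flag
    #    in the class is later dropped.
    pool {
        deny members of "blocked";
        range 192.0.2.100 192.0.2.200;
    }
}
```

Check the syntax with `dhcpd -t -cf /usr/local/etc/dhcpd.conf` before restarting the service (the FreeBSD port keeps the file under /usr/local/etc). All three forms only govern what the server hands out: a client that configures an address by hand is unaffected, which is the point T-Daemon makes above.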


----------



## ralphbsz (Aug 21, 2019)

What do you mean by "block"? You can teach dhcpd to not serve booting (see above), you can teach dhcpd to give a nonsensical IP address to the port. But that doesn't block the machine. I think what you mean by "block" is: prevent IP connectivity. But connectivity is not controlled by the DHCP protocol.

Here is one possible solution: Use a packet filter or firewall (like PF), and block certain ranges of IP addresses. Then use dhcpd, as explained above, to assign an IP address that's in the blocked range to this device.

But: this is extremely leaky. First, the machine you want to block is free to ignore the IP address that it gets from DHCP, and pick any IP address it wants. Even worse, that machine can change the MAC address of its hardware and assume the identity of another machine.

MAC address filtering really only helps against casual misuse; it doesn't protect against a knowledgeable hacker. I use it myself at home, so that certain machines (like laser printers) get put into a special IP address range, which is only accessible on the internal network; but I don't expect my laser printers to be taken over by intelligent hackers.
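As an added example of the approach ralphbsz describes (not part of his post; the addresses, interface name and host name are assumptions): dhcpd pins the device to a fixed address inside a small quarantine range, and pf on the same FreeBSD box refuses to forward anything to or from that range.

```conf
# Added example, two files. Addresses, interface and host names are assumptions.

# --- /usr/local/etc/dhcpd.conf: pin the device to the quarantine range ---
# 192.0.2.240/28 is reserved for quarantined devices and is not part of
# the normal pool's range.
host quarantined_host {
    hardware ethernet 00:11:22:33:44:55;
    fixed-address 192.0.2.241;
    option routers 192.0.2.1;   # the pf box below, which drops its traffic
}

# --- /etc/pf.conf on the FreeBSD box that routes for the LAN ---
int_if = "em1"
table <quarantine> const { 192.0.2.240/28 }

# DHCP must still get through in both directions, so the device receives
# its configuration and can renew the lease (client port 68, server port 67).
pass in  quick on $int_if inet proto udp from any port 68 to any port 67
pass out quick on $int_if inet proto udp from any port 67 to any port 68

# Everything else from or to the quarantine range is dropped. No direction
# is given, so the rules apply to packets both entering and leaving $int_if,
# which covers traffic forwarded from other interfaces as well. "log" writes
# pflog entries that can feed the same alerting as the lease files.
block log quick on $int_if inet from <quarantine> to any
block log quick on $int_if inet from any to <quarantine>
```

Parse the ruleset with `pfctl -nf /etc/pf.conf` and load it with `pfctl -f /etc/pf.conf`. Beyond the leaks ralphbsz lists (a hand-picked address, a spoofed MAC), note that hosts on the same Ethernet segment reach the quarantined device directly without ever crossing pf, so this is a nudge toward getting the device configured, not a containment measure.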


----------



## freq (Aug 21, 2019)

gardner said:


> I am currently using dhcpd-6.0.20170207_2 on 11.2R AMD64.  I use my FreeBSD system as the DHCP server and have some diagnostics and alerts fed off the logs and lease files to monitor my network.
> 
> I have an occasion now to wish to block a certain MAC address somehow, and I am not really understanding how to go about this or if it is possible via the DHCP config.  The idea I have would be to assign a specific MAC address to a non-functional subnet.  It does not have to be a genuinely secure type of blocking, just something that prevents a device from using the net until its configuration is seen to.  Is there a cookbook recipe for doing this that someone can point me to?
> 
> Thanks.


I like your unicycle.


----------



## gardner (Aug 22, 2019)

Thanks all.  The serverfault thread is just what I was looking for.  As I said, this is not a security measure, per se.  Just a forcing function to ensure the host will be configured properly.

My unicycle is a Kris Holms custom mountain-uni with a fat tire.


----------

