Subject: Re: filter by MAC address?
To: None <mouss@netoyen.net>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: tech-net
Date: 12/10/2006 15:38:41
On Sun, 10 Dec 2006 21:38:09 +0100
mouss <usebsd@free.fr> wrote:

> Steven M. Bellovin wrote:
> > Is there any way to configure ipf or pf to reject packets based on
> > the source MAC address?
> 
> seems possible with pf:
>     http://www.openbsd.org/faq/pf/tagging.html
> 
> >  Failing that, is there any way to get dhclient to
> > do so?
> 
> if you control the dhcp server, you could assign them IPs in a
> specific range and block this range.
> 
> I wonder if it's feasible to blackhole such machines by playing with
> arp?
> 
The specific issue is trying to block a rogue dhcp server, and in
particular one for a 1918 address range.  It's easy enough to add

	reject 192.168.0.1;

to dhclient.conf, but you wander to the next NATted network and you'll
block the legitimate server that way.


		--Steve Bellovin, http://www.cs.columbia.edu/~smb
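Added here as a worked illustration of the point above, not code from the thread, from dhclient or from pf: a small Python parser that pulls the server identifier (option 54) and the Ethernet source MAC out of a DHCPOFFER and applies the two policies the thread contrasts, rejecting by the server's IP (what a `reject 192.168.0.1;` line expresses) versus rejecting by the server's hardware address. The MAC addresses, IP addresses and the frames themselves are constructed for the example; the checksums are left zero because the frames are only parsed, never sent.

```python
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_SERVER_ID, DHCPOFFER = 53, 54, 2


def build_offer_frame(server_mac, server_ip, client_mac, offered_ip):
    """Constructed test input: Ethernet II / IPv4 / UDP / DHCPOFFER.
    IP and UDP checksums are left zero; this is for parsing, not sending."""
    sid = ipaddress.IPv4Address(server_ip).packed
    yiaddr = ipaddress.IPv4Address(offered_ip).packed
    # BOOTP fixed part (236 bytes): op=2 BOOTREPLY, htype=1, hlen=6, hops,
    # xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file.
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        2, 1, 6, 0, 0x3903F326, 0, 0,
                        b"\0" * 4, yiaddr, sid, b"\0" * 4,
                        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = (DHCP_MAGIC
               + bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
               + bytes([OPT_SERVER_ID, 4]) + sid
               + bytes([255]))
    dhcp = bootp + options
    udp = struct.pack("!HHHH", 67, 68, 8 + len(dhcp), 0) + dhcp
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                       sid, b"\xff\xff\xff\xff") + udp
    return b"\xff" * 6 + server_mac + b"\x08\x00" + ipv4


def parse_dhcp_offer(frame):
    """Walk Ethernet -> IPv4 -> UDP -> DHCP and return what a reject policy
    needs. Raises ValueError for anything that is not a DHCPOFFER."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    server_mac = frame[6:12]
    ihl = (frame[14] & 0x0F) * 4
    ip_hdr = frame[14:14 + ihl]
    if ip_hdr[9] != 17:
        raise ValueError("not UDP")
    udp = frame[14 + ihl:]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    if (sport, dport) != (67, 68):
        raise ValueError("not server->client DHCP")
    dhcp = udp[8:ulen]
    if len(dhcp) < 240 or dhcp[0] != 2 or dhcp[236:240] != DHCP_MAGIC:
        raise ValueError("not a BOOTREPLY carrying DHCP options")
    opts, i = {}, 240
    while i < len(dhcp) and dhcp[i] != 255:      # 255 = end option
        if dhcp[i] == 0:                          # 0 = pad, no length byte
            i += 1
            continue
        code, length = dhcp[i], dhcp[i + 1]
        opts[code] = dhcp[i + 2:i + 2 + length]
        i += 2 + length
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        raise ValueError("not a DHCPOFFER")
    return {
        "server_mac": server_mac,                       # Ethernet source
        "ip_src": ipaddress.IPv4Address(ip_hdr[12:16]),
        "server_id": ipaddress.IPv4Address(opts[OPT_SERVER_ID]),
        "yiaddr": ipaddress.IPv4Address(dhcp[16:20]),   # offered address
    }


def reject_by_ip(offer, rejected_ips):
    """What `reject 192.168.0.1;` in dhclient.conf expresses: key on the
    server identifier option, i.e. an IP address."""
    return offer["server_id"] in rejected_ips


def reject_by_mac(offer, rejected_macs):
    """The alternative asked for in the thread: key on the server's hardware
    address, which does not collide across unrelated RFC 1918 networks."""
    return offer["server_mac"] in rejected_macs


# Constructed sample: a rogue server at home and a legitimate one on the next
# NATted network both answer from 192.168.0.1, but from different NICs.
CLIENT_MAC = bytes.fromhex("020c29d1e2f3")
ROGUE_MAC = bytes.fromhex("0250563c1a2b")
LEGIT_MAC = bytes.fromhex("02005e10aabb")
ROGUE_OFFER = parse_dhcp_offer(
    build_offer_frame(ROGUE_MAC, "192.168.0.1", CLIENT_MAC, "192.168.0.50"))
LEGIT_OFFER = parse_dhcp_offer(
    build_offer_frame(LEGIT_MAC, "192.168.0.1", CLIENT_MAC, "192.168.0.117"))

REJECT_IPS = {ipaddress.IPv4Address("192.168.0.1")}   # the dhclient.conf line
REJECT_MACS = {ROGUE_MAC}

if __name__ == "__main__":
    for name, offer in (("rogue", ROGUE_OFFER), ("legit", LEGIT_OFFER)):
        print(name, "by ip:", reject_by_ip(offer, REJECT_IPS),
              "by mac:", reject_by_mac(offer, REJECT_MACS))
```

Run as a script it prints that the IP-keyed policy rejects both offers, while the MAC-keyed policy rejects only the rogue one, which is exactly the roaming problem the message describes. The usual caveat applies: a source MAC is trivially forged by anyone on the same segment, so a MAC blocklist stops a misconfigured or accidental server, not a deliberate attacker.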