#Configuration for SecureDHCP v0.01  Created: Thu Nov 20 20:51:27 2003

# LogLevel: Control the number of messages logged to the SecureDHCP.log.
# Possible values include: debug, verbose, standard.
# Standard is default value
LogLevel debug

#Web administration section
#127.0.0.1 is default address value
#67 is default port value
#If Username and password are omited, then no password mode
Address 127.0.0.1
Listen 67
Username andrey
Password andrey


#Configuration section

<Card0>

#enabled false by default (enabled true/false) Whole card enabled
#staticip allow by default(staticip allow/deny) 
#Allow users to popup in our segment 
#(ARPMAC random/adequate/01:02:03:04:05:06)
#adequate means answer arp reply from host which is in rules, or was on this ip
#ARPMAC used to answer arp replies(occupied) to forbidden hosts
#Seems that one computer taken all the IP's
#No DHCP not in the scopes range
enabled true

staticip allow

ARPMAC adequate

#Check leases interval, interval to check all leases to sure in their consistency
#Not less than 2 minutes 120 seconds
#Default value is 20 minutes 1200 seconds
CheckInterval 1200
#These mac and ip are used for ARP checking
#Server publishes them and answers for queries(just like virtual host)
ChkMAC 00:09:0A:78:12:0A
ChkIP 10.4.3.3

#shows allowance to take even static ip's
#NOT for scopes area
#if deny and allow rules have one ip, then the highest entry works.
allow host 11:12:13:14:15:16 take 10.4.3-7.* 1.5.7.56-189
allow host 13:14:56:33:22:22 take *.*.*.*

#if staticip were allowed 
#NOT for scopes area
#So *.*.*.* means all ip's without scopes
deny host 00:00:21:ff:00:D7 take 10.4.3.1-180
#deny host 00:05:5D:31:CA:85 take *.*.*.*
deny host 00:00:00:00:43:C3 take 10.4.3.1-25 10.4.3.27-254
deny host 14:55:66:33:11:44 take 10.4.6-15.6 89.98.77.65-78

#Scopes configuration
#If no scopes, just ip protector mode
#Scopes range superseeds our configuration
#Scope means range, where we can distribute our ip
#If mac is found first time it is tied to first selfregister allow scope

<Scope>
#enabled false by default
enabled true
#IP and MAC for virtual server in this scope(must be free)
MAC 00:09:0A:78:12:0A
IP 10.4.3.3

#DHCPServers parameter shows what to do with other working DHCP,
#Possible values: deny,intercept,allow
#Allow by default
DHCPServers intercept

ARPMAC random

#Several range instructions give us exclusions
Range 10.1.3.10-250 10.1.3.3-6

#We can staticip allow and lost our protection
#and here we got one more value <denybind>
#that means allowance of all except getting bind ips
#they are only distributed 
staticip deny

#Check leases interval, interval to check all leases to sure in their consistency
#Not less than 2 minutes 120 seconds
#Default value is 20 minutes 1200 seconds
CheckInterval 1200
#These mac and ip are used for ARP checking
#Server publishes them and answers for queries(just like virtual host)
ChkMAC 00:09:0A:78:12:0A
ChkIP 10.4.3.3

#And here we can allow static to several clients
#This is not recommended and *.*.*.* means the whole range, without bindings
#If ip address is not in the scope, just discards entry.
allow host 09:22:44:44:55:22 take *.*.*.*

#if staticip allowed we can deny as well, all these superseeded by bindings
deny host 03:44:56:73:22:67 take *.*.*.*

#selfregister means than DHCP registering without troubles
#when network is scanned recommended to deny selfregister
#So everyhost will be put into binding.
selfregister allow

#Here we put all example options
#option tag
#Subnet_Mask mask in format xx.xx.xx.xx
#Time_Offset from coordinated universal time(UTC)
#Router specifies routers xx.xx.xx.xx yy.yy.yy.yy
#Time_Server specifies servers in order of prefference
#Name_Server specifies servers in order of prefference
#DNS_Server specifies servers in order of prefference
#Ip_Forwarding true/false if forwarding enabled

Option Subnet_Mask 255.255.255.0 
Option Time_Offset +03:00
Option Router 10.4.3.1 10.4.3.254
Option Time_Server 10.4.3.1 10.4.3.23
Option Name_Server 10.4.3.1 10.4.3.22
Option DNS_Server 10.4.3.1 10.4.3.44
Option Log_Server 10.4.3.1 10.4.3.23
Option Cookie_Server 10.4.3.1 10.4.3.23
Option LPR_Server 10.4.3.1 10.4.3.23
Option ResLoc_Server 10.4.3.1 10.4.3.23
Option Domain_Name B3
Option Swap_Server 10.4.3.1
Option Ip_Forwarding true
Option Non_Local_Source_Routing true
Option Policy_Filter 10.4.3.1 255.255.255.0 192.168.200.1 255.255.255.0
Option Max_Datagram 576
Option TTL 128
Option MTU 1500
Option All_Subnets_Are_Local true
Option Broadcast_Address 10.4.3.255


#Just tied bindings, do not distribute this to other clients 
#We look into MAC and name if name is not defined allow
#if name is not equal DENY
#if just mac written, check only mac
#name - name not critical so, if it not presented allow.(Linux users)
#name! - name critical means that ONLY this must be in packet to allow entrance
#bindings put into leases as well
#Take *.*.*.* means just chaotic IP,leases time are surely counted 
#but we can disable selfregister!
#*.*.*.* means whole scope range
#Denybind works if only one address presented in first postiton!!!
#It is called preffered, so we can make dymamic binding and hunting 
#for addresses. 
<binding>
allow host 09:98:44:55:33:22 name! Shadow take 10.4.3.13 *.*.*.*
</binding>
<binding>
allow host 08:33:55:11:54:56 name Nixen take 10.4.3.2
#He often uses linux so it may not support name option and sends zero
</binding>
<binding>
deny host 89:23:32:33:55:22 take *.*.*.*
#renewtime 20000
</binding>

#others just dynamically distributed,if selfregister allowed
#and surely we count leases time.

</Scope>
#Another scope just protected area(stupid example)
<Scope>

ARPMAC random
Range 10.8.3.*
staticip deny
selfregister deny

</Scope>
</Card0>
#Just sample
#the same can be configured for the second card
<Card1>

<Scope>
MAC 00:09:0A:78:12:0B
IP 10.4.3.3
Range 10.4.3.*
</Scope>
</Card1>