Ritesh Raj Sarraf wrote:
On Tue, 29 Jun 2004, John Summerfield wrote:
You didn't say whose machines they are nor what OS they're running. If they're yours you can lock them down so the users can't do those things.I think, here the issue isn't what OS they'll be running. It's okay if they run TCP.
If yours, you are entitled to configure them (indeed, you must). How you do it depends on the OS.
You can run arpwatchd which will email ou whenever a new host arrives on your LAN and whenever anyone changes IP.That's a good option. But it'll be too late if they do such activity at night (when I'm not at office) and use it till my next working day at office.
So learn what the mail looks like and write a script to do something sensible about it.
You can configure DHCPD to serve out IP addresses, require all your clients to use DHCP. In your configuration you can hard-code IP addresses for everyone who's authorised to connect and use a dynamic range for everyone else. You may choose to not route them outside the LAN, give them IP addresses on a different subnet (they're all on the same wire) and generally be devious, even to regularly changing the allowed IP addresses!
I hadn't thought of DHCPD. I'll give a look at it. Thank you.
Google for pebble and nocat. They're wireless kit, but probably useful to you to. Their purpose is to provide public Internet access and require everyone to be authenticated. In a free (gratis) environment, people can decline authentication and be authenticated as anonymous, with different access rights.
From what you have said, that could suit you very well. Especially if you (want to) allow people to bring their wirelss laptops.
Another gentleman on the debian-isp list provided a better suggestion (as I think). Restricting my customers with MAC address. I think this would be enough for my requirement.
iptables -P FORWARD DROP
iptables -A FORWARD -s xx:xx:xx:xx -o eth0 -j MASQUERADE
I didn't suggest that because it's trivial to fake. ifconfig eth0 hw fe:ee:fe:fe:ee
man ifconfig # for more
You do need to know other acceptable MAC addresses, of course.
Besides, hardwiring IP addresses in DHCP uses the MAC address.
--
Cheers John
-- spambait [EMAIL PROTECTED] [EMAIL PROTECTED]
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
