At 02:38 PM 3/7/01 -0500, [EMAIL PROTECTED] wrote:

>If you have a linux box setup using IP Masq, is there any way to 
>limit which computers IPs are masq'd by their MAC addresses? 
>
>Situation: You are running a lab with a DHCP/BOOTP server setup 
>giving out IP's based on MAC addresses. How do you keep people from 
>accessing the internet if they simply setup an IP that is not being 
>used on their computer?

By default, nothing. 
        IMHO this sort of thing was not handled very well by the older packet
filtering tools (ipfwadm and ipchains) and was a real problem for creating
reasonably secure network environments. In the past I would have suggested
that you look at some separate hardware; now, however, we have kernel 2.4
with iptables. All you need to do is set your DHCP server and router
(easiest if they're the same box) up to explicitly allow packets from all
"known" MAC addresses on your intranet, and drop (and log) packets coming
from your intranet from unfamiliar MAC addresses (if you also have decent
log auditing software installed then the detection of a new foreign MAC
address can also result in your sysadmin getting paged or e-mailed).
        The only problem with this is that up to version 7.0 Redhat still ships
with kernel 2.2 and the older, less-powerful ipchains filtering tool.
However I have had no problems with just updating a few packages to satisfy
version requirements for the kernel and then compiling and running kernel
2.4.1 on a RH7 system (2.4.2 appears to have broken loopback devices, which
I actually use, if you don't then you may want to use 2.4.2 instead of 2.4.1).
        RH7.1 will (or does if it's already out) ship with some kind of 2.4 kernel
and iptables installed by default I expect.
--

"There are two major products that come out of Berkeley: LSD and UNIX. We
don't believe this to be a coincidence." -- Jeremy Anderson
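One way to build the ruleset the reply describes (accept known MAC/IP pairs from the intranet interface, log and drop the rest), as an added example that is not part of the original message; the interface name, chain name and the list of known hosts are constructed assumptions, and the mac match module of 2.4-era iptables is assumed to be available.

```shell
#!/bin/sh
# Added example, not code from the original post. Emits the iptables rules
# for a router/DHCP box that only forwards traffic from known MAC addresses.
# Assumptions: LAN_IF is the intranet interface; KNOWN_MACS is a constructed
# list of "MAC IP" pairs mirroring the DHCP server's static leases.

LAN_IF="${LAN_IF:-eth1}"

# Constructed sample of known hosts: each MAC is tied to the IP the DHCP
# server hands it, so a known card cannot simply claim another address.
KNOWN_MACS='
00:50:56:aa:bb:01 192.168.1.10
00:50:56:aa:bb:02 192.168.1.11
00:50:56:aa:bb:03 192.168.1.12
'

# Print the rules one per line so they can be reviewed or diffed before
# being fed to "sh" on the router itself.
build_rules() {
    echo "iptables -N LABCHK"
    echo "iptables -F LABCHK"
    # Only packets entering from the lab interface go through the check.
    echo "iptables -A FORWARD -i $LAN_IF -j LABCHK"
    echo "iptables -A INPUT -i $LAN_IF -j LABCHK"
    printf '%s\n' "$KNOWN_MACS" | while read mac ip; do
        [ -z "$mac" ] && continue
        # Known MAC with its assigned IP: return to the calling chain.
        echo "iptables -A LABCHK -m mac --mac-source $mac -s $ip -j RETURN"
    done
    # Anything else from the lab side: log (rate limited) and then drop.
    echo "iptables -A LABCHK -m limit --limit 5/min -j LOG --log-prefix 'UNKNOWN-MAC: '"
    echo "iptables -A LABCHK -j DROP"
}

# Number of per-host rules, to sanity-check the ruleset against the lease
# list before applying it.
count_known() {
    build_rules | grep -c -- '--mac-source'
}

# Apply only when explicitly asked (needs root on the router); otherwise
# just print the rules for review.
if [ "$1" = "apply" ]; then
    build_rules | sh -e
else
    build_rules
fi
```

The mac match only sees the source address on the ingress interface, so it is a cheap first filter backing the DHCP lease list rather than an authentication mechanism; the LOG line with the UNKNOWN-MAC prefix is what the log auditing and paging hook mentioned in the reply would consume.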



_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list