[NTLUG:Discuss] How do you secure a LAN?

Richard Geoffrion ntlug at rain4us.net
Tue Dec 31 08:46:25 CST 2002


Bug Hunter <bughuntr at one.ctelcom.net> wrote:
<snip>

>   Note that you would have to create 255 entries that assign ip's to a
> real machine's nic card to keep an enterprising person from setting
> up a static ip without telling you.  You want the response to
> "unassigned" ip addresses to be "IP address is already in use" when
> the user tries to get out on the network with a rogue machine.
>

I've always been able to ignore the DHCP scope, configure a static ip
address (that happens to be in the dhcp scope) on a workstation and get out
on the internet.

So......that leads me to believe that this 'control' issue will have to be
done from ipchains/iptables. (for TRUE control)

And yes, either way it's a pain, not to mention a management nightmare.

So now I'm envisioning a web page/script that allows the user to get a
dhcp'ed address while also submitting their mac address to a flat file
somewhere that is read by rc.firewall (or whatever) when creating the
outbound rules.


-Richard
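
The flat-file-to-firewall idea described above, sketched as an added example that is not part of the original post: registered MAC addresses are read from a flat file and turned into iptables FORWARD rules, which are printed rather than applied. The file format (one MAC per line, optional note, `#` comments), the interface name `eth1`, and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): turn a flat file of registered
# MAC addresses into iptables FORWARD rules. Rules are printed, not applied.
# Assumed file format: one MAC per line, optional note after it, '#' comments.

LAN_IF="${LAN_IF:-eth1}"   # assumption: LAN-facing interface of the gateway

# Constructed sample registry, including one malformed entry.
sample_registry() {
cat <<'EOF'
# mac               owner
00:11:22:33:44:55   front-desk
aa:bb:cc:dd:ee:ff   lab-printer
00:11:22:33:44      truncated-entry
EOF
}

# Succeeds only for six colon-separated hex octets.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Read the registry on stdin, write iptables commands on stdout.
# Malformed lines are reported on stderr and never become rules.
gen_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    while read -r mac _note || [ -n "$mac" ]; do
        case "$mac" in ''|'#'*) continue ;; esac
        if valid_mac "$mac"; then
            mac=$(printf '%s' "$mac" | tr 'a-f' 'A-F')
            echo "iptables -A FORWARD -i $LAN_IF -m mac --mac-source $mac -j ACCEPT"
        else
            echo "skipping malformed entry: $mac" >&2
        fi
    done
    # Anything else arriving from the LAN is logged, then hits the DROP policy.
    echo "iptables -A FORWARD -i $LAN_IF -j LOG --log-prefix 'unregistered-mac: '"
}

# With no argument, run on the sample; otherwise read the named file.
if [ -n "${1:-}" ]; then gen_rules < "$1"; else sample_registry | gen_rules; fi
```

The `mac` match only sees the source address of frames arriving on a directly attached segment, and that address is set by the client, so this works as a registration and inventory control rather than as authentication.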




