[IPCop-devel] Mac filtering capabilities v3
Daniel Hammer
2004-03-22 20:08:05 UTC
Subject: RE: [IPCop-devel] Mac filtering capabilities v2
Date: Mon, 22 Mar 2004 10:49:02 -0800
Maybe we can solve this problem by just subnetting your network to allow
the required connections, and then set up a MAC filter for each IP. That
way when someone takes the old system, the new one won't get the IP
until the NEW guy signs the list and hands you his MAC. If they try
and fake a MAC to get a valid IP then you have issues, but filtering on
a MAC address would have this issue in iptables as well, and be much
more shell configuration than just using the IPCop management pages.
Plus creating custom rulesets based on MAC for iptables would be much
more headache to manage than just a subnetted DHCP MAC list with almost
exactly the same drawbacks.
How many total rooms, or Ethernet connections do you support?
There are 60 rooms and 60 connections
How often is there any change or new lines run to new dorms?
Monthly.
Do you already have a list of the current MAC addresses in use?
Yes. (around 50 users currently)
Trevor
Sounds like you have a good idea, but I don't know how to implement it; I have
only heard a little about subnetting (but will read, when finished writing).
And I just assumed (doh) that since the IPCop was in charge of all
connections it would be an easy 'compare to' setup for the MAC addresses.
But if this works it would be great.

Thanx in advance

DH

_________________________________________________________________
Get all the new and fun icons with MSN Messenger http://messenger.msn.dk
Trevor Benson
2004-03-22 20:52:03 UTC
Post by Daniel Hammer
Subject: RE: [IPCop-devel] Mac filtering capabilities v2
Date: Mon, 22 Mar 2004 10:49:02 -0800
Maybe we can solve this problem by just subnetting your network to allow
the required connections, and then set up a MAC filter for each IP. That
way when someone takes the old system, the new one won't get the IP
until the NEW guy signs the list and hands you his MAC. If they try
and fake a MAC to get a valid IP then you have issues, but filtering on
a MAC address would have this issue in iptables as well, and be much
more shell configuration than just using the IPCop management pages.
Plus creating custom rulesets based on MAC for iptables would be much
more headache to manage than just a subnetted DHCP MAC list with almost
exactly the same drawbacks.
How many total rooms, or Ethernet connections do you support?
There are 60 rooms and 60 connections
60 including IPCop, or excluding? How many total addresses will you need in this network? If 60+1 for IPCop is all, then subnetting will be very simple.
Post by Daniel Hammer
How often is there any change or new lines run to new dorms?
Monthly.
Monthly a new user shows up in a room? Or monthly you have a new line run to a dorm, 60 lines becomes 61 or more? If this happens rarely, then changing users on the existing lines is easy.
Post by Daniel Hammer
Do you already have a list of the current MAC addresses in use?
Yes. (around 50 users currently)
Trevor
Sounds like you have a good idea, but I don't know how to implement it; I have
only heard a little about subnetting (but will read, when finished writing).
And I just assumed (doh) that since the IPCop was in charge of all
connections it would be an easy 'compare to' setup for the MAC addresses.
But if this works it would be great.
Log in to IPCop as root. Run the setup script: Networking, addresses, green interface.

Ip address = 192.168.0.1
Subnet = 255.255.255.192

This will create a subnet of 192.168.0.0-192.168.0.63 (64 total addresses, 62 usable, so 1 free address with 60 dorms and 1 IPCop).

Now under DHCP in Services set up the first address to hand out as 192.168.0.2 and the last address possible to hand out as 192.168.0.62.
Now add the MAC and the IP in this list of .2-.62 (one for yourself), and then unless they know the MAC, they won't get an IP, and if they choose an IP outside of .2-.62 your IPCop firewall will completely ignore them. So they either have to guess a MAC, or set a static IP that is being used by someone. This way they get errors about another system's MAC that is using their IP, and then you have a MAC address for the new person who is stealing service...

Trevor
Post by Daniel Hammer
Thanx in advance
DH
Dave Harry
2004-03-22 21:51:03 UTC
Post by Daniel Hammer
Subject: RE: [IPCop-devel] Mac filtering capabilities v2
Date: Mon, 22 Mar 2004 10:49:02 -0800
Maybe we can solve this problem by just subnetting your network to allow
the required connections, and then set up a MAC filter for each IP. That
way when someone takes the old system, the new one won't get the IP
until the NEW guy signs the list and hands you his MAC. If they try
and fake a MAC to get a valid IP then you have issues, but filtering on
a MAC address would have this issue in iptables as well, and be much
more shell configuration than just using the IPCop management pages.
Plus creating custom rulesets based on MAC for iptables would be much
more headache to manage than just a subnetted DHCP MAC list with almost
exactly the same drawbacks.
How many total rooms, or Ethernet connections do you support?
There are 60 rooms and 60 connections
How often is there any change or new lines run to new dorms?
Monthly.
Do you already have a list of the current MAC addresses in use?
Yes. (around 50 users currently)
Trevor
Sounds like you have a good idea, but I don't know how to implement it; I have
only heard a little about subnetting (but will read, when finished writing).
And I just assumed (doh) that since the IPCop was in charge of all
connections it would be an easy 'compare to' setup for the MAC addresses.
But if this works it would be great.
Is this of any help?
I have DHCP set to supply IP addresses from 192.168.1.230 to .239.
IPCop has a rule filter to DROP any access to the web from 192.168.1.192/26.
This means I get the MAC, they get an IP, but no Internet until I choose to
create a fixed lease lower than 192.
Some PCs get fixed addresses above 192, but below 230.

--
Dave Harry
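A small model of the two address-control schemes in this thread: Trevor's fixed DHCP leases keyed by MAC inside a 192.168.0.0/26, and Dave's dynamic pool (.230-.239) sitting in a 192.168.1.192/26 block that the firewall DROPs. This is an added illustration written for this page, not IPCop code and not code from either poster; the class and function names, the sample MACs, and the assumption that an unregistered MAC gets nothing when no dynamic pool exists are all constructed for the example. The `check_claim` helper shows the detection side Trevor describes: a host that statically claims an address registered to another MAC produces a record naming the registered MAC, so the admin has something to follow up.

```python
"""Model of the two address-control schemes discussed in this thread.

Added illustration, not IPCop code. Every address, MAC and name below is a
constructed sample value chosen to match the numbers the posters quote.
"""
import ipaddress


def subnet_summary(ip, mask):
    """Describe the block that 'ip' with dotted 'mask' falls into.

    Trevor's 192.168.0.1 / 255.255.255.192 yields 192.168.0.0/26:
    64 addresses, 62 usable (network and broadcast are not assignable).
    """
    net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    return {
        "network": str(net),
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
        "total": net.num_addresses,
        "usable": net.num_addresses - 2,
    }


class DhcpPolicy:
    """Who gets an address, and whether that address reaches the Internet.

    fixed_leases: MAC -> IP registered by the admin (the signed list).
    pool_first/pool_last: optional dynamic range for unregistered MACs
    (Dave's scheme); None means unknown MACs get nothing (Trevor's scheme,
    as modelled here).
    dropped: optional subnet the firewall DROPs toward the Internet.
    """

    def __init__(self, network, pool_first, pool_last, fixed_leases, dropped=None):
        self.net = ipaddress.IPv4Network(network)
        self.pool = []
        if pool_first is not None:
            lo = ipaddress.IPv4Address(pool_first)
            hi = ipaddress.IPv4Address(pool_last)
            self.pool = [h for h in self.net.hosts() if lo <= h <= hi]
        # Normalise case so "AA:BB:..." and "aa:bb:..." refer to the same card.
        self.fixed = {m.lower(): ipaddress.IPv4Address(a)
                      for m, a in fixed_leases.items()}
        self.dropped = ipaddress.IPv4Network(dropped) if dropped else None
        self.dynamic = {}  # MAC -> IP handed out from the pool

    def offer(self, mac):
        """Address the DHCP server would lease to this MAC, or None."""
        mac = mac.lower()
        if mac in self.fixed:
            return str(self.fixed[mac])
        if mac in self.dynamic:
            return str(self.dynamic[mac])
        taken = set(self.fixed.values()) | set(self.dynamic.values())
        for host in self.pool:
            if host not in taken:
                self.dynamic[mac] = host
                return str(host)
        return None

    def reaches_internet(self, ip):
        """False for hosts outside the green subnet or inside the DROPped block."""
        addr = ipaddress.IPv4Address(ip)
        if addr not in self.net:
            return False
        if self.dropped is not None and addr in self.dropped:
            return False
        return True

    def check_claim(self, ip, mac):
        """Classify a host observed using (ip, mac); this is what gives the
        admin a MAC to chase when someone sets a static address by hand."""
        addr = ipaddress.IPv4Address(ip)
        mac = mac.lower()
        if addr not in self.net:
            return "outside-subnet"
        owners = {**self.fixed, **self.dynamic}
        owner = next((m for m, a in owners.items() if a == addr), None)
        if owner is None:
            return "unregistered-static"
        if owner == mac:
            return "ok"
        return f"conflict-with:{owner}"


if __name__ == "__main__":
    print(subnet_summary("192.168.0.1", "255.255.255.192"))
    dorm = DhcpPolicy("192.168.0.0/26", None, None,
                      {"00:11:22:33:44:55": "192.168.0.2"})
    print(dorm.offer("00:11:22:33:44:55"), dorm.offer("de:ad:be:ef:00:01"))
    print(dorm.check_claim("192.168.0.2", "de:ad:be:ef:00:01"))
```

Running the module prints the /26 summary, the lease decision for a registered and an unregistered MAC, and the conflict record that appears when the unregistered MAC helps itself to a registered address. Both posters' caveat still applies to the model: a client that forges a registered MAC is indistinguishable from the registered client.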