RE: NetReg: banning machines in 1.3rc2


From: Williams, Quinton L (QWilliams@Central.UH.edu)
Date: Tue Oct 14 2003 - 11:52:26 CDT


Hello,
I am sorry to have to ask this, but what exactly are you doing when you say
"black hole" on switches? If you are filtering and/or redirecting MAC
addresses on a per-switch basis, doesn't that get a little hard
administratively?
Quinton.

-----Original Message-----
From: John Crowley [mailto:jcrowley@wolf.smith.edu]
Sent: Tuesday, October 14, 2003 11:29 AM
To: netreg@southwestern.edu
Subject: Re: NetReg: banning machines in 1.3rc2

To #1, that was something I thought about myself. It actually would be
easy to do with the code I wrote. I think if you change the if statement
to:
if($_ =~ /$FORM{'user'}/)
instead of
if($_ =~ /$RECORDS{$IP}/)

it will block based on username. I decided that, when we get DMCA
subpoenas, it would be better to take the violating machine off instead of
the user.

You are correct on #2 though. However, we don't see a lot of MAC spoofing
here. And you still have the potential problem of someone manually
setting a real DNS server. Setting up black hole lists on
switches and routers is not a bad idea, and would resolve these issues.
Our network guy here is pretty crunched, so I wanted to be able to get
this restriction setup usable by our help desk.

I've been thinking about an alternate netreg setup actually. We plan on
creating a different netreg server for our faculty and staff. I am
debating giving this system a copy of our zone file, so before you
register you can still get to on-campus resources. Off-campus DNS would
still resolve to the netreg box.

An alternate idea to this is only allowing our email server to resolve, so
everything but email is restricted, but you will still be able to receive
information on why you are restricted via email.

John Crowley
Unix Systems Administrator
Smith College

> Looks good, John! I wonder how useful this functionality would really
> be though, for a couple of reasons: 1) it's hard to restrict a person,
> which is usually what you really want, and 2) it's easy to get another
> MAC address. To really stop a MAC address, I'd rather create a blackhole
> list in a switch or router, which is effective even if someone manually
> assigns themselves an IP address. What do you think?
>
> -Robert
>
> **********************************************************************
> To unsubscribe from this list, send an e-mail message to
> majordomo@southwestern.edu containing a single line with the words:
> unsubscribe netreg
> Send requests for assistance to: owner-netreg@southwestern.edu
> **********************************************************************
>

**********************************************************************
To unsubscribe from this list, send an e-mail message to
majordomo@southwestern.edu containing a single line with the words:
unsubscribe netreg
Send requests for assistance to: owner-netreg@southwestern.edu
**********************************************************************
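An added example, not code from NetReg or from anyone in this thread: a small Perl script that contrasts the interpolated-regex ban check in the snippet above (`if($_ =~ /$FORM{'user'}/)` / `if($_ =~ /$RECORDS{$IP}/)`) with an escaped, anchored comparison. Because the looked-up value is dropped into the regex unescaped, it is treated as a pattern rather than a string: a user named "bob" is matched by a ban entry for "bobby", a "." in a value acts as a wildcard, and a stray "(" makes the match die at runtime, while a MAC address in a different letter case is missed. The ban-list lines, the function names and the sample values are constructed for the illustration.

```perl
#!/usr/bin/perl
# Added example (not NetReg code): compare the naive interpolated-regex
# ban check with an exact, escaped, case-insensitive comparison.
use strict;
use warnings;

# Constructed ban list, one entry per line as a NetReg-style ban file
# might hold (MAC addresses and usernames mixed, trailing comments allowed).
my @BAN_LINES = (
    "# banned hosts and users",
    "00:0a:95:9d:68:16   # DMCA notice, constructed entry",
    "bobby",
    "j.crowley",
);

# Naive check, mirroring the snippet in the thread: the value taken from
# %RECORDS or %FORM is interpolated straight into the regex, so regex
# metacharacters in it are interpreted and any substring match counts.
sub naive_is_banned {
    my ($value) = @_;
    for (@BAN_LINES) {
        return 1 if $_ =~ /$value/;
    }
    return 0;
}

# Hardened check: reject empty values (an empty Perl pattern reuses the
# last successful match), strip comments, trim whitespace, then compare the
# escaped value (\Q...\E) against the whole entry, ignoring letter case so
# "00:0A:..." and "00:0a:..." are the same MAC address.
sub exact_is_banned {
    my ($value) = @_;
    return 0 unless defined $value && length $value;
    for my $line (@BAN_LINES) {
        (my $entry = $line) =~ s/#.*$//;   # drop trailing comment
        $entry =~ s/^\s+|\s+$//g;          # trim surrounding whitespace
        next unless length $entry;         # skip blank and comment-only lines
        return 1 if $entry =~ /^\Q$value\E$/i;
    }
    return 0;
}

# Demo: values a registering host or user might present, constructed here.
# Each line reports the naive result (or "died" if the regex failed to
# compile) next to the exact result.
for my $v ("00:0A:95:9D:68:16", "bob", "bobby", "j.crowley", ".", "(") {
    my $naive = eval { naive_is_banned($v) };
    $naive = "died" unless defined $naive;
    printf "%-22s naive=%-4s exact=%d\n", "'$v'", $naive, exact_is_banned($v);
}
```

Run it as `perl ban_check.pl`. The naive column bans "bob" and "." (substring and wildcard matches against unrelated entries), dies on "(", and lets the upper-case MAC through; the exact column bans only "bobby", "j.crowley" and the MAC address regardless of case. The same `\Q...\E` and anchoring applies whichever hash the value comes from, so switching between `$RECORDS{$IP}` and `$FORM{'user'}` as the thread describes does not change the fix.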



This archive was generated by hypermail 2.1.4 : Thu Aug 12 2004 - 12:01:41 CDT