[Server-devel] server ecurity
Martin Langhoff
martin.langhoff at gmail.com
Mon Sep 21 09:41:04 EDT 2009
2009/9/21 Jerry Vonau <jvonau at shaw.ca>:
> Don't hand out the gateway address from the dhcp server? Limit access to
> the net based on the mac addresses of OXs that are known to the XS
> maybe? Cron script to change the iptables rules outside of school hours
> maybe? Tell us what you would like to accomplish, the ideas will come.
Not yet completely clear in my head, but along the lines of pulling
the MAC address when users login successfully to Moodle (which can
only happen after registration). Those MAC addresses are then
whitelisted with iptables, or the proxy or both.
There are a few curly aspects that would need to be resolved there,
- it has to allow access to services _on the XS_ to all IPs
- it has to work with and without proxy
- we can feed rules to iptables quickly, but our current proxy is
*very* slow to restart
- other issues I haven't thought about yet...
Having Moodle & proxy knowing the MAC-IP-Username mapping does give us
some control down the road in terms of logging too.
This is, btw, fully post-dhcp. We would read the current leases DB
from dhcp to map MAC-to-ip, but I want to avoid tricks that involve
dhcp because they usually depend on very short leases on the
"restricted" side, which means markedly increased dhcp traffic, which
in turn is broadcast. And we got to minimise broadcast as it's murder
on 802.11a/b/g/s..
Jerry, do you think these are reasonable?
cheers.
m
--
martin.langhoff at gmail.com
martin at laptop.org -- School Server Architect
- ask interesting questions
- don't get distracted with shiny stuff - working code first
- http://wiki.laptop.org/go/User:Martinlanghoff
More information about the Server-devel
mailing list