[Server-devel] server security

Jerry Vonau jvonau at shaw.ca
Mon Sep 21 16:22:15 EDT 2009


On Mon, 2009-09-21 at 15:41 +0200, Martin Langhoff wrote:
> 2009/9/21 Jerry Vonau <jvonau at shaw.ca>:
> > Don't hand out the gateway address from the dhcp server? Limit access to
> > the net based on the mac addresses of OXs that are known to the XS
> > maybe? Cron script to change the iptables rules outside of school hours
> > maybe? Tell us what you would like to accomplish, the ideas will come.
> 
> Not yet completely clear in my head, but along the lines of pulling
> the MAC address when users login successfully to Moodle (which can
> only happen after registration). Those MAC addresses are then
> whitelisted with iptables, or the proxy or both.
> 
> There are a few curly aspects that would need to be resolved there,
> 
>  - it has to allow access to services _on the XS_ to all IPs
>  - it has to work with and without proxy
>  - we can feed rules to iptables quickly, but our current proxy is
> *very* slow to restart
>  - other issues I haven't thought about yet...
> 
Your proxy is slow to re-load the iptables rule-set? How many lines?

I was thinking of something like NoCat:  http://nocat.net/ but without
the splash-screen, we can just use the backend from NoCat
(/NoCatAuth-0.82/libexec/iptables/*) to setup the firewall, then hook
into Moodle's login to just call access.fw with the needed info.


> Having Moodle & proxy knowing the MAC-IP-Username mapping does give us
> some control down the road in terms of logging too.
> 
> This is, btw, fully post-dhcp. We would read the current leases DB
> from dhcp to map MAC-to-ip, but I want to avoid tricks that involve
> dhcp because they usually depend on very short leases on the
> "restricted" side, which means markedly increased dhcp traffic, which
> in turn is broadcast. And we got to minimise broadcast as it's murder
> on 802.11a/b/g/s..
> 
> Jerry, do you think these are reasonable?
> 

Very,

Jerry
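The post-DHCP flow sketched in this thread (read the current leases DB to map the login's IP to a MAC, then whitelist that MAC in the FORWARD chain while leaving services on the XS itself open to every LAN host) is shown below as an added example. It is not code from the XS project, NoCat or Moodle, and it assumes ISC dhcpd lease syntax, a LAN interface eth1 and a WAN interface eth0 (none of which the message names); the leases text is constructed for the example and the iptables commands are returned as argument lists rather than executed. Two caveats a deployment would have to cover: a MAC is trivially spoofable, so this gates convenience rather than an adversary, and rules inserted per login need a matching removal path (lease expiry, a logout hook, or the end-of-school-hours cron the thread mentions) or the whitelist only ever grows.

```python
"""Map a Moodle login's client IP to its MAC via the ISC dhcpd leases file
and build the iptables commands that whitelist that MAC for forwarding.

Added example for this thread; not code from the XS, NoCat or Moodle.
Assumptions not in the original message: ISC dhcpd.leases syntax, LAN
interface eth1, WAN interface eth0.  Commands are returned as argv lists;
a privileged wrapper (e.g. subprocess.run(cmd, check=True) via sudo)
would actually apply them.
"""
import re

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9a-fA-F:]{17});")
STATE_RE = re.compile(r"binding state\s+(\w+);")

LAN_IF = "eth1"   # assumption: school-side interface
WAN_IF = "eth0"   # assumption: upstream interface

# Constructed sample leases file.  dhcpd appends a new block every time a
# lease changes, so the LAST block for an IP is the current one: here
# 172.18.0.23 was re-leased to a different MAC, and 172.18.0.40 is free.
SAMPLE_LEASES = """\
lease 172.18.0.23 {
  starts 1 2009/09/21 14:00:00;
  ends 1 2009/09/21 18:00:00;
  binding state active;
  hardware ethernet 00:17:c4:0a:1b:2c;
}
lease 172.18.0.40 {
  starts 1 2009/09/21 09:00:00;
  ends 1 2009/09/21 13:00:00;
  binding state free;
  hardware ethernet 00:17:c4:0a:ff:ee;
}
lease 172.18.0.23 {
  starts 1 2009/09/21 18:00:00;
  ends 1 2009/09/21 22:00:00;
  binding state active;
  hardware ethernet 00:17:c4:0a:99:88;
}
"""


def parse_leases(text):
    """Return {ip: mac} for IPs whose most recent lease block is active."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        mac = MAC_RE.search(body)
        state = STATE_RE.search(body)
        if not mac or not state:
            continue                      # abandoned/malformed block: skip
        if state.group(1) == "active":
            leases[ip] = mac.group(1).lower()
        else:
            leases.pop(ip, None)          # later non-active block revokes it
    return leases


def base_rules(lan_if=LAN_IF, wan_if=WAN_IF):
    """Rules that hold regardless of login: every LAN host may reach
    services on the XS itself, replies to forwarded traffic are allowed,
    and anything else LAN->WAN is dropped until a MAC is whitelisted."""
    return [
        ["iptables", "-A", "INPUT", "-i", lan_if, "-j", "ACCEPT"],
        ["iptables", "-A", "FORWARD", "-i", wan_if, "-o", lan_if,
         "-m", "state", "--state", "ESTABLISHED,RELATED", "-j", "ACCEPT"],
        ["iptables", "-P", "FORWARD", "DROP"],
    ]


def whitelist_rules(mac, lan_if=LAN_IF, wan_if=WAN_IF):
    """One FORWARD rule admitting a MAC from the LAN to the WAN.  The mac
    match only works on inbound-side chains (PREROUTING, INPUT, FORWARD),
    which is why the decision is made in FORWARD and not in OUTPUT."""
    return [["iptables", "-I", "FORWARD", "-i", lan_if, "-o", wan_if,
             "-m", "mac", "--mac-source", mac, "-j", "ACCEPT"]]


def on_moodle_login(client_ip, leases_text, run=None):
    """Hook for a successful Moodle login: resolve the client's MAC from the
    leases and hand the whitelist command(s) to `run`.  Returns the MAC, or
    None when the IP has no active lease, in which case nothing is opened."""
    mac = parse_leases(leases_text).get(client_ip)
    if mac is None:
        return None
    for cmd in whitelist_rules(mac):
        if run is not None:
            run(cmd)
    return mac


if __name__ == "__main__":
    show = lambda cmd: print(" ".join(cmd))
    for cmd in base_rules():
        show(cmd)
    print("# login from 172.18.0.23 ->",
          on_moodle_login("172.18.0.23", SAMPLE_LEASES, run=show))
    print("# login from 172.18.0.40 ->",
          on_moodle_login("172.18.0.40", SAMPLE_LEASES))
```

Reading the leases file once per login is cheap, but dhcpd rewrites it periodically and while the file is being compacted a read can see a truncated copy; a production hook should tolerate a parse failure by denying rather than falling back to an older mapping.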
