[Server-devel] server security

Henry Vélez Molina henry.laptop at gmail.com
Mon Sep 21 23:14:20 EDT 2009


On 21 September 2009 15:22, Jerry Vonau <jvonau at shaw.ca> wrote:

> On Mon, 2009-09-21 at 15:41 +0200, Martin Langhoff wrote:
> > 2009/9/21 Jerry Vonau <jvonau at shaw.ca>:
> > > Don't hand out the gateway address from the dhcp server? Limit access to
> > > the net based on the mac addresses of XOs that are known to the XS
> > > maybe? Cron script to change the iptables rules outside of school hours
> > > maybe? Tell us what you would like to accomplish, the ideas will come.
> >
> > Not yet completely clear in my head, but along the lines of pulling
> > the MAC address when users login successfully to Moodle (which can
> > only happen after registration). Those MAC addresses are then
> > whitelisted with iptables, or the proxy or both.
> >
> > There are a few curly aspects that would need to be resolved there,
> >
> >  - it has to allow access to services _on the XS_ to all IPs
> >  - it has to work with and without proxy
> >  - we can feed rules to iptables quickly, but our current proxy is
> > *very* slow to restart
> >  - other issues I haven't thought about yet...
> >
> Your proxy is slow to re-load the iptables rule-set? How many lines?
>
> I was thinking of something like NoCat:  http://nocat.net/ but without
> the splash-screen, we can just use the backend from NoCat
> (/NoCatAuth-0.82/libexec/iptables/*) to setup the firewall, then hook
> into Moodle's login to just call access.fw with the need info.


I think that this solution could be good if it is transparent for the XO.
I will work on NoCatNet.
Where is the Moodle file with the XO's registration?

>
> > Having Moodle & proxy knowing the MAC-IP-Username mapping does give us
> > some control down the road in terms of logging too.
> >
> > This is, btw, fully post-dhcp. We would read the current leases DB
> > from dhcp to map MAC-to-ip, but I want to avoid tricks that involve
> > dhcp because they usually depend on very short leases on the
> > "restricted" side, which means markedly increased dhcp traffic, which
> > in turn is broadcast. And we got to minimise broadcast as it's murder
> > on 802.11a/b/g/s..
> >
> > Jerry, do you think these are reasonable?
> >
>
> Very,
>
> Jerry
>
>


-- 
Henry Vélez Molina
OLPC network administrator
Fundación Marina Orth
Tel: 341 23 59
Mobile: 312 769 0169
www.fundacionmarinaorth.org
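A sketch of the backend piece the thread discusses (a Moodle login hook that resolves the client's IP to a MAC through the dhcpd leases file and whitelists it in iptables, leaving services on the XS itself open to every IP), added here as an example; it is not code from the XS, Moodle or NoCat. The leases file content, the XS_ALLOWED chain name and the 172.18.0.0/24 addresses are constructed, and the rule commands are printed rather than run.

```shell
#!/bin/sh
# Added example, not XS or NoCat code: map the IP of a successful Moodle login
# to a MAC via dhcpd's leases file (post-DHCP, no short-lease tricks) and emit
# the iptables rules that whitelist that MAC for forwarding.

# Constructed sample of /var/lib/dhcpd/dhcpd.leases (ISC format, abbreviated).
LEASES_FILE=$(mktemp)
cat > "$LEASES_FILE" <<'EOF'
lease 172.18.0.10 {
  binding state active;
  hardware ethernet 00:17:c4:0a:0b:0c;
}
lease 172.18.0.11 {
  binding state free;
  hardware ethernet 00:17:c4:0a:0b:0d;
}
lease 172.18.0.10 {
  binding state active;
  hardware ethernet 00:17:c4:0a:0b:0e;
}
EOF

# mac_for_ip IP: print the MAC of the newest *active* lease for IP. dhcpd
# appends records, so the last matching block is current; free leases are skipped.
mac_for_ip() {
    awk -v ip="$1" '
        $1 == "lease" && $2 == ip { in_lease = 1; mac = ""; active = 0; next }
        in_lease && $1 == "hardware" { mac = $3; sub(";", "", mac) }
        in_lease && $1 == "binding" && $3 == "active;" { active = 1 }
        in_lease && $1 == "}" { in_lease = 0; if (active && mac != "") found = mac }
        END { if (found != "") print found }
    ' "$LEASES_FILE"
}

# allow_rules USERNAME IP: print (not run) what the Moodle login hook would call;
# fails when IP has no active lease. Logging user/IP/MAC keeps the mapping the
# thread wants for later auditing.
allow_rules() {
    mac=$(mac_for_ip "$2")
    [ -n "$mac" ] || return 1
    printf 'logger -t xs-access "user=%s ip=%s mac=%s"\n' "$1" "$2" "$mac"
    printf 'iptables -I XS_ALLOWED -m mac --mac-source %s -s %s -j ACCEPT\n' "$mac" "$2"
}

# One-time setup: INPUT is untouched so every XO still reaches the XS itself; only
# FORWARD (the route out) is gated, in a chain a cron job can flush after hours.
setup_rules() {
    printf '%s\n' 'iptables -N XS_ALLOWED' 'iptables -A FORWARD -j XS_ALLOWED' 'iptables -A FORWARD -j DROP'
}
```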

