<br><br><div class="gmail_quote">On 21 September 2009 at 15:22, Jerry Vonau <span dir="ltr"><<a href="mailto:jvonau@shaw.ca">jvonau@shaw.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="im">On Mon, 2009-09-21 at 15:41 +0200, Martin Langhoff wrote:<br>
> 2009/9/21 Jerry Vonau <<a href="mailto:jvonau@shaw.ca">jvonau@shaw.ca</a>>:<br>
> > Don't hand out the gateway address from the dhcp server? Limit access to<br>
> > the net based on the mac addresses of OXs that are known to the XS<br>
> > maybe? Cron script to change the iptables rules outside of school hours<br>
> > maybe? Tell us what you would like to accomplish, the ideas will come.<br>
><br>
> Not yet completely clear in my head, but along the lines of pulling<br>
> the MAC address when users login successfully to Moodle (which can<br>
> only happen after registration). Those MAC addresses are then<br>
> whitelisted with iptables, or the proxy or both.<br>
><br>
> There are a few curly aspects that would need to be resolved there,<br>
><br>
> - it has to allow access to services _on the XS_ to all IPs<br>
> - it has to work with and without proxy<br>
> - we can feed rules to iptables quickly, but our current proxy is<br>
> *very* slow to restart<br>
> - other issues I haven't thought about yet...<br>
><br>
</div>Your proxy is slow to re-load the iptables rule-set? How many lines?<br>
<br>
I was thinking of something like NoCat: <a href="http://nocat.net/" target="_blank">http://nocat.net/</a> but without<br>
the splash-screen, we can just use the backend from NoCat<br>
(/NoCatAuth-0.82/libexec/iptables/*) to setup the firewall, then hook<br>
into Moodle's login to just call access.fw with the needed info.</blockquote><div><div class="im"><br></div>I think that this solution could be good if it is transparent for the XO.<br>I will work on NoCatNet.<br>Where is the Moodle file with the XO's registration?</div>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="im">
<br>
> Having Moodle & proxy knowing the MAC-IP-Username mapping does give us<br>
> some control down the road in terms of logging too.<br>
><br>
> This is, btw, fully post-dhcp. We would read the current leases DB<br>
> from dhcp to map MAC-to-ip, but I want to avoid tricks that involve<br>
> dhcp because they usually depend on very short leases on the<br>
> "restricted" side, which means markedly increased dhcp traffic, which<br>
> in turn is broadcast. And we got to minimise broadcast as it's murder<br>
> on 802.11a/b/g/s..<br>
><br>
> Jerry, do you think these are reasonable?<br>
><br>
<br>
</div>Very,<br>
<font color="#888888"><br>
Jerry<br>
<br>
</font></blockquote></div><br><br clear="all"><br>-- <br>Henry Vélez Molina<br>OLPC network administrator<br>Fundación Marina Orth<br>Tel: 341 23 59<br>Mobile: 312 769 0169<br><a href="http://www.fundacionmarinaorth.org">www.fundacionmarinaorth.org</a><br>
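<br>The design sketched in the thread (look up the MAC of the client that just logged in to Moodle in the dhcpd leases database, then whitelist that IP/MAC pair with iptables while leaving services on the XS itself open to everyone) as an added, stand-alone example. This is not code from the thread, from the XS or from NoCat; the interface name eth1, the chain name XS_ALLOW, the proxy port 3128, the Moodle-login hook name and the sample dhcpd.leases content are all assumptions made up for the example. The leases parser keeps only the latest entry per IP, requires an active, unexpired lease (ISC dhcpd writes lease times in UTC), and the permit rule matches both the source IP and the source MAC so a stale lease or a reused address does not inherit access; the proxy port is funnelled through the same chain so the proxy itself never needs restarting. A client on the same wireless segment can still clone a whitelisted MAC and IP, so this is access control against casual use, not against a determined peer.

```python
"""Added example, not the thread's or the XS project's own code.
Maps a Moodle login's client IP to its MAC via an ISC dhcpd leases
file and emits the iptables commands that whitelist that IP/MAC pair.
Interface, chain and port names below are assumptions."""
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample of an ISC dhcpd.leases file (not a real capture).
# dhcpd appends entries, so the last block for an IP is the current one.
SAMPLE_LEASES = """\
lease 172.18.96.10 {
  starts 1 2009/09/21 13:00:00;
  ends 1 2009/09/21 15:00:00;
  binding state active;
  hardware ethernet 00:17:c4:0a:1b:2c;
  client-hostname "xo-0a-1b-2c";
}
lease 172.18.96.10 {
  starts 1 2009/09/21 15:05:00;
  ends 1 2009/09/21 17:05:00;
  binding state active;
  hardware ethernet 00:17:c4:0a:1b:2c;
}
lease 172.18.96.11 {
  starts 1 2009/09/21 14:00:00;
  ends 1 2009/09/21 16:00:00;
  binding state free;
  hardware ethernet 00:17:c4:dd:ee:ff;
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.DOTALL)
ENDS_RE = re.compile(r"^\s*ends\s+(never|\d\s+\S+\s+\S+);", re.M)
STATE_RE = re.compile(r"^\s*binding state\s+(\w+);", re.M)
MAC_RE = re.compile(r"^\s*hardware ethernet\s+([0-9a-fA-F:]+);", re.M)


def parse_leases(text):
    """Return {ip: {"mac", "ends", "state"}}; the last block per IP wins."""
    leases = {}
    for m in LEASE_RE.finditer(text):
        ip, body = m.group(1), m.group(2)
        ends, state, mac = ENDS_RE.search(body), STATE_RE.search(body), MAC_RE.search(body)
        if not (ends and state and mac):
            continue  # malformed or partial block: skip rather than guess
        if ends.group(1) == "never":
            expiry = None
        else:  # "1 2009/09/21 17:05:00" -> drop the weekday, parse as UTC
            expiry = datetime.strptime(ends.group(1).split(None, 1)[1],
                                       "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)
        leases[ip] = {"mac": mac.group(1).lower(), "ends": expiry, "state": state.group(1)}
    return leases


def mac_for_ip(text, ip, now):
    """MAC currently bound to ip, or None if the lease is absent, free or expired."""
    lease = parse_leases(text).get(ip)
    if lease is None or lease["state"] != "active":
        return None
    if lease["ends"] is not None and lease["ends"] <= now:
        return None
    return lease["mac"]


def base_rules(lan_if="eth1", proxy_port=3128):
    """One-time rule set: XS services open to all, proxy and forwarding gated."""
    return [
        "iptables -N XS_ALLOW",
        f"iptables -A INPUT -i {lan_if} -p tcp --dport {proxy_port} -j XS_ALLOW",
        f"iptables -A INPUT -i {lan_if} -p tcp --dport {proxy_port} -j DROP",
        f"iptables -A INPUT -i {lan_if} -j ACCEPT",   # everything else on the XS
        f"iptables -A FORWARD -i {lan_if} -j XS_ALLOW",
        f"iptables -A FORWARD -i {lan_if} -j DROP",
    ]


def permit_rule(ip, mac, lan_if="eth1"):
    """Whitelist one IP/MAC pair; both must match, so a reused IP alone is not enough."""
    return f"iptables -A XS_ALLOW -i {lan_if} -s {ip} -m mac --mac-source {mac} -j ACCEPT"


def permit_after_login(leases_text, client_ip, now):
    """Hypothetical hook called with Moodle's REMOTE_ADDR after a successful login.
    Returns the iptables command to run, or None if no live lease backs the IP."""
    ipaddress.ip_address(client_ip)  # reject anything that is not a bare address
    mac = mac_for_ip(leases_text, client_ip, now)
    return permit_rule(client_ip, mac) if mac else None


if __name__ == "__main__":
    now = datetime(2009, 9, 21, 15, 30, tzinfo=timezone.utc)
    for cmd in base_rules():
        print(cmd)
    print(permit_after_login(SAMPLE_LEASES, "172.18.96.10", now))
```

In production the script would read /var/lib/dhcpd/dhcpd.leases instead of the constructed sample and run each command through subprocess with an argument list, never through a shell string built from the client address.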