Re: (PM) Is ComOS affected by a land.c attack ?

Warren Vanichuk (pyber@prcn.org)
Fri, 21 Nov 1997 21:55:12 -0800 (PST)

On Fri, 21 Nov 1997, Jake Messinger wrote:

> > Good deal. It would really be nice to be able to set a filter to deny my
> > dial-in users from sending packets out that do not come from the IP
> > address they were assigned. I don't see a way to do this with the PM.
> 
> Hrm, isn't it safe enough to just deny packets that have source addresses
> NOT from the class C that your dial-ups are in? Otherwise you'd have to have
> some way to dynamically apply each specific filter to whatever PORT the
> user hacked in, I mean dialed in, on. Could RADIUS or ChoiceNet handle this?

Yes, but this still allows them to mess with each other and still spoof IP
addresses; they simply spoof a different IP, but one assigned to that box,
so now somebody else gets blamed, or your logs reveal that the address
wasn't assigned at the time.

I've just started playing with the filters myself, but as far as I can tell,
there is no way to totally prevent spoofing unless one knows the IP address
of the port beforehand; then you can simply deny any packet coming from that
interface with a source address != the assigned address. Perhaps an
extension to the filters that would allow the PM to insert the appropriate
information, either the single IP for a dialup or a range of addresses. Or
a port||global option in ComOS that would automatically do that type of
filtering.

If somebody knows of a better way, I'd be happy to hear about it. I want to
initiate this type of filtering, as I'm just a paranoid BOFH.. ;)

____ ____ ____ _ _ ____________________________________________________
| _ \| _ \ / ___| \ | | Warren Vanichuk, Systems Administrator,
| |_) | |_) | | | \| | Powell River Community Network, http://www.prcn.org,
| __/| _ <| |___| |\ | Powell River, British Columbia, Canada
|_| |_| \_\\____|_| \_| ----------------------------------------------------
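The difference between the two policies discussed above (a single "source must be in the dial-up class C" filter versus a per-port "source must equal the address assigned to this port" filter) can be made concrete with a small simulation. This is an added example, not code from the original post, from Livingston, or ComOS filter syntax; the pool prefix 192.0.2.0/24, the port names S0/S1/S2, the port-to-address assignments and the packet list are all constructed for illustration.

```python
"""Simulate the two dial-in ingress-filter policies from the thread.

subnet_filter   - accept any packet whose source is inside the dial-up pool
                  (the "just deny anything not from our class C" approach).
per_port_filter - accept only the address currently assigned to the port the
                  packet arrived on (the "deny source != assigned address"
                  approach the reply asks for).
All names, prefixes and assignments below are assumed/constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed dial-up pool (documentation prefix, stands in for the class C).
DIALUP_POOL = ip_network("192.0.2.0/24")

# Constructed snapshot of which address each async port holds right now.
# In practice this would come from the access server / RADIUS at connect time.
PORT_ASSIGNMENTS = {
    "S0": ip_address("192.0.2.10"),
    "S1": ip_address("192.0.2.11"),
    # "S2" is idle: no address assigned, so it should source nothing.
}


def subnet_filter(port, src):
    """Accept if the source address lies anywhere in the dial-up pool.
    The port is ignored: this filter cannot tell neighbours apart."""
    return ip_address(src) in DIALUP_POOL


def per_port_filter(port, src, assignments=PORT_ASSIGNMENTS):
    """Accept only if the source equals the address assigned to this port.
    An idle port (no assignment) drops everything."""
    assigned = assignments.get(port)
    return assigned is not None and ip_address(src) == assigned


def verdicts(packets, policy):
    """Return [(port, src, 'accept'|'drop')] for each (port, src) packet."""
    return [(port, src, "accept" if policy(port, src) else "drop")
            for port, src in packets]


def spoofs_missed_by_subnet_filter(packets, assignments=PORT_ASSIGNMENTS):
    """Packets the class C filter lets through but the per-port filter stops:
    exactly the intra-pool spoofing the reply warns about."""
    return [(port, src) for port, src in packets
            if subnet_filter(port, src)
            and not per_port_filter(port, src, assignments)]


# Constructed sample traffic: (ingress port, claimed source address).
PACKETS = [
    ("S0", "192.0.2.10"),     # legitimate: S0 sourcing its own address
    ("S0", "192.0.2.11"),     # S0 spoofing the neighbour on S1 (gets S1 blamed)
    ("S0", "192.0.2.200"),    # S0 spoofing an unassigned pool address
    ("S0", "198.51.100.7"),   # S0 spoofing an address outside the pool
    ("S2", "192.0.2.12"),     # traffic on an idle port with no assignment
]

if __name__ == "__main__":
    for name, policy in (("class C filter", subnet_filter),
                         ("per-port filter", per_port_filter)):
        print(f"== {name} ==")
        for port, src, verdict in verdicts(PACKETS, policy):
            print(f"  {port:3} {src:15} {verdict}")
    print("missed by class C filter:", spoofs_missed_by_subnet_filter(PACKETS))
```

Running it shows the class C filter catching only the off-pool source, while the per-port filter also drops the two intra-pool spoofs and the idle-port packet; the catch, as the post says, is that the per-port table has to be populated whenever a user connects, which is the part plain static filters cannot do.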

-
To unsubscribe, email 'majordomo@livingston.com' with
'unsubscribe portmaster-users' in the body of the message.