Hello Lonnie,

I like the CIDR idea!
Up until now I have always had the PCs on fixed IPs.
But I didn't think that they could simply change to DHCP to get around my
controls.

(I think I actually have the reverse of what you mentioned.)
The workers' PCs have fixed IPs and shouldn't be accessing the Internet at all
(unless a director says it's OK).
The directors' PCs have fixed IPs and can access the Internet (life's unfair!).
Anyone who "brings their own device" (the directors) connected on WiFi and was
in the DHCP pool, and it was OK for them to use the Internet, during and out of
office hours.

I'm now starting to think ahead and look at the wider implications of this BYOD
environment....
The difficulty that I have with the current situation is that the WiFi access
points are currently all "open" and use MAC-based access control, because I
thought this was safer than having to change the password on all the APs each
month and then tell everyone.
This is fine, because when a director buys a new Android phone he complains
that he can't connect and I add the MAC to the list (on all 4 APs).
The problem comes when visitors want to get WiFi access....

What I'm getting to is:
What do you think of adding RADIUS to the "router only" AstLinux build?
Then I could install a separate machine as the Internet gateway, authenticate
WiFi through it and drop the MAC-based access control at the APs.
(Since my APs are all WG302's I was thinking of putting OpenWrt on them
anyway.)

All the PCs and WiFi users are anyway on a completely different 192.168.x.x
network from the 'phones and PBX.


Also,
You said :
 > I would use the...
 > Network tab -> DNS Forwarder & DHCP Server: { Configure DNS Hosts }
 > to map the MAC address to IP address via DHCP, so all the 'good-guy' IPs are
 > predictable and static.

I was never quite sure what this was for.....
Is there any info/documentation on what this is for / what it does?

Perhaps it's worth its own thread......

Thanks

-Graham-



Lonnie Abelbeck wrote on 15/09/12 01:32:
> Graham,
>
> So you want to define who is allowed, not who is disallowed.  One method 
> would be to allow the accepted hosts before denying all the rest.
>
> I would use the...
>
> Network tab -> DNS Forwarder & DHCP Server: { Configure DNS Hosts }
>
> to map the MAC address to IP address via DHCP, so all the 'good-guy' IPs are 
> predictable and static.
>
> To be clever, carve out a CIDR that is acceptable, such as:
>
> 192.168.1.64/27 -> 192.168.1.64 - 192.168.1.95
>
> And place by MAC address and DHCP the 'good guys' in that static range to 
> make it simpler to specify.  Non-static DHCP would go in the default 
> 192.168.1.100 - 192.168.1.220 which we assume are the 'bad-guys' unless 
> overridden.
>
> Notice: untested code below...
>
> -- /mnt/kd/arno-iptables-firewall/custom-rules --
> # Put any custom (iptables) rules here down below:
> ##################################################
>
> # Allow rules go first: a packet matched here never reaches the DROP rules.
> unset IFS
> for shost in 192.168.1.10 192.168.1.11 192.168.1.64/27; do
>    echo "[CUSTOM RULE] Allow LAN->EXT for '$shost' at all times (exempt from the night-time deny)"
>    iptables -A LAN_INET_FORWARD_CHAIN -s $shost -j ACCEPT
> done
>
> # Everything else is dropped from 7:00 pm to 7:00 am. The window is split
> # at midnight so that each rule has a timestart earlier than its timestop.
> echo "[CUSTOM RULE] Deny LAN->EXT for the remaining traffic from 7:00 pm to 7:00 am"
> iptables -A LAN_INET_FORWARD_CHAIN -s 0/0 -m time \
>             --timestart 00:00:00 --timestop 07:00:00 \
>             --weekdays Mon,Tue,Wed,Thu,Fri,Sat,Sun --kerneltz \
>             -j DROP
> iptables -A LAN_INET_FORWARD_CHAIN -s 0/0 -m time \
>             --timestart 19:00:00 --timestop 23:59:59 \
>             --weekdays Mon,Tue,Wed,Thu,Fri,Sat,Sun --kerneltz \
>             -j DROP
> --
>
> Lonnie
>
> BTW, using the "mac-address-filter" plugin seems like a lot more work and
> blocks at the LAN interface, not the EXT interface.
>
>
> On Sep 14, 2012, at 5:21 PM, Graham S. Jarvis wrote:
>
>> Thanks Lonnie,
>>
>> that's a nice way of blocking _all_ the traffic.
>>
>> But I lied - I don't want to stop _everybody_ getting to the Internet, just
>> those that I say can't.  And some of those that I want to allow are in the 
>> same
>> DHCP block as those that I want to block.
>> And because this is DHCP I'm never actually sure which one is which.
>>
>> But,
>> is there any way of doing this on MAC addresses?
>> I know these and they don't change.
>> (is this  --mac-source $macaddress
>> instead of -s $host ?)
>> If so I just have to
>>      for macaddress in `cat /etc/arno-iptables-firewall/mac-addresses`
>> and I can use the same file as the mac-address-filter.
>> (I'll need a bit more "cut" logic to take care of the format :
>> ma:c_:ad:dr:es:s_(space)ip_.add.res.sxx(space)#some comment string
>>
>>
>> How does that sound?
>> Can anyone do the script?
>>
>> -Graham-
>>
>>
>> Lonnie Abelbeck wrote on 14/09/12 17:54:
>>> Yes, an AIF plugin would be the way to do this.
>>>
>>> An alternative quick and dirty method would be to add something like this 
>>> to the AIF custom-rules script:
>>>
>>> -- /mnt/kd/arno-iptables-firewall/custom-rules --
>>> # Put any custom (iptables) rules here down below:
>>> ##################################################
>>>
>>> # 0/0 matches every source; replace it with specific LAN IPs or CIDRs.
>>> unset IFS
>>> for shost in 0/0; do
>>>    echo "[CUSTOM RULE] Deny LAN->EXT for '$shost' traffic from 7:00 pm to 7:00 am"
>>>    # Two rules because the 7:00 pm to 7:00 am window crosses midnight.
>>>    iptables -A LAN_INET_FORWARD_CHAIN -s $shost -m time \
>>>             --timestart 00:00:00 --timestop 07:00:00 \
>>>             --weekdays Mon,Tue,Wed,Thu,Fri,Sat,Sun --kerneltz \
>>>             -j DROP
>>>    iptables -A LAN_INET_FORWARD_CHAIN -s $shost -m time \
>>>             --timestart 19:00:00 --timestop 23:59:59 \
>>>             --weekdays Mon,Tue,Wed,Thu,Fri,Sat,Sun --kerneltz \
>>>             -j DROP
>>> done
>>> --
>>> This would block *all* traffic from any LAN interface to the outside world 
>>> for the times specified.
>>>
>>> Replace 0/0 with a space separated list of LAN IPs or CIDRs for more
>>> refinement.
>>>
>>> Be sure to test, have fun. :-)
>>>
>>> Lonnie
>>>
>>>
>>>
>>> On Sep 14, 2012, at 10:06 AM, David Kerr wrote:
>>>
>>>> Sounds like a great idea for a firewall plugin.   Doesn't the adaptive ban
>>>> firewall run a script that wakes up every 90 seconds or so and checks for
>>>> bad things?  You could create a plugin script like that, which wakes up
>>>> every 5 minutes say, checks for rules to add or remove, does its thing and
>>>> goes back to sleep.   GUI interface could be limited to editing a firewall
>>>> plugin conf file.  Hardest part is probably designing a syntax for the
>>>> conf file.
>>>>
>>>> David
>>>>
>>>>
>>>> On Fri, Sep 14, 2012 at 10:32 AM, Graham S. Jarvis <gsjar...@pt.lu> wrote:
>>>> Hello All,
>>>>
>>>> I've been working on this for a while and have a very crude system working
>>>> with cron job scripts creating various dnsmasq.static files and restarting
>>>> dnsmasq, but I think there has to be a better way and one that can be made
>>>> part of the GUI.
>>>>
>>>> There was some discussion (Lonnie) about trying to get something built into
>>>> Arno's firewall but I don't think it went far....
>>>>
>>>> What's needed is an easy way to stop certain PCs on the network getting out
>>>> to the Internet at certain times of the day/week/month but to still allow
>>>> them access to local storage/print services.
>>>>
>>>> All ideas gratefully received!
>>>>
>>>> -Graham-
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Got visibility?
>>>> Most devs has no idea what their production app looks like.
>>>> Find out how fast your code is with AppDynamics Lite.
>>>> http://ad.doubleclick.net/clk;262219671;13503038;y?
>>>> http://info.appdynamics.com/FreeJavaPerformanceDownload.html
>>>> _______________________________________________
>>>> Astlinux-users mailing list
>>>> Astlinux-users@lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>>>>
>>>> Donations to support AstLinux are graciously accepted via PayPal to 
>>>> pay...@krisk.org.
>>>
>
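An added example, not code from this thread or from AstLinux/AIF, that ties together two things asked for above: Graham's request for a script keyed on the mac-address-filter file (mac ip #comment per line), and Lonnie's point that the 'good-guy' IPs should be pinned by static DHCP before anything filters on them. It is POSIX shell, the same register as the custom-rules snippets. Assumptions: the AIF chain name LAN_INET_FORWARD_CHAIN from the thread, a constructed allow-list embedded in the script in place of the real file, 192.168.1.64/27 as the static CIDR, and a 7 pm to 7 am window. The ACCEPT rules match on MAC and IP together, so a device that keeps its allowed MAC but switches to a pool lease (the DHCP bypass Graham noticed) or one that statically takes an allowed IP under a different MAC does not pass. Malformed entries are rejected rather than silently turned into rules.

```shell
#!/bin/sh
# Added example (not AstLinux or AIF code): build an allow-list of LAN hosts
# from a file in the "mac ip #comment" layout described in the thread, then emit
#   - dnsmasq dhcp-host= lines so each MAC always gets the same IP, and
#   - iptables rules: ACCEPT per host (MAC and IP must both match), ACCEPT
#     for a static "good guy" CIDR, then DROP everything else at night.
# Chain name is AIF's LAN_INET_FORWARD_CHAIN as used in the thread; the
# night window and CIDR are assumed values. Set IPT=echo for a dry run.

IPT="${IPT:-iptables}"
CHAIN="LAN_INET_FORWARD_CHAIN"
STATIC_OK_CIDRS="192.168.1.64/27"          # assumed, from the CIDR suggestion
NIGHT_START="19:00:00"
NIGHT_END="07:00:00"
NIGHT_DAYS="Mon,Tue,Wed,Thu,Fri,Sat,Sun"

# Constructed sample of the allow-list file; a real deployment would read
# /etc/arno-iptables-firewall/mac-addresses (or similar) instead.
ALLOW_LIST='# mac               ip            comment
00:11:22:33:44:55   192.168.1.64  # director 1 laptop
00:11:22:33:44:66   192.168.1.65  # director 2 Android phone
aa:bb:cc:dd:ee:ff   192.168.1.10  # office printer, always allowed
00:11:22:33:44      192.168.1.99  # malformed MAC, rejected by the parser
'

HEX='[0-9a-fA-F][0-9a-fA-F]'

# True if $1 looks like a colon-separated 48-bit MAC address.
valid_mac() {
    case "$1" in
        $HEX:$HEX:$HEX:$HEX:$HEX:$HEX) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "mac ip" pairs, skipping blank lines, comments and malformed entries.
parse_allow_list() {
    while read -r mac ip _comment; do
        case "$mac" in ''|'#'*) continue ;; esac
        if ! valid_mac "$mac" || [ -z "$ip" ]; then
            printf 'skipping malformed entry: %s %s\n' "$mac" "$ip" >&2
            continue
        fi
        printf '%s %s\n' "$mac" "$ip"
    done <<EOF
$ALLOW_LIST
EOF
}

# dnsmasq static leases: the same file feeds the DHCP server, which is what
# makes the allowed IPs predictable in the first place.
emit_dhcp_hosts() {
    parse_allow_list | while read -r mac ip; do
        printf 'dhcp-host=%s,%s\n' "$mac" "$ip"
    done
}

# ACCEPT rules. Matching MAC *and* IP means a device that clones an allowed
# MAC but takes a pool lease, or one that statically grabs an allowed IP
# with its own MAC, still falls through to the night-time DROP.
emit_allow_rules() {
    parse_allow_list | while read -r mac ip; do
        printf -- '-A %s -m mac --mac-source %s -s %s -j ACCEPT\n' \
            "$CHAIN" "$mac" "$ip"
    done
    for cidr in $STATIC_OK_CIDRS; do
        printf -- '-A %s -s %s -j ACCEPT\n' "$CHAIN" "$cidr"
    done
}

# Catch-all DROP for the night window, split at midnight into two rules
# (the same shape as the untested rules quoted in the thread).
emit_night_deny_rules() {
    for window in "00:00:00 $NIGHT_END" "$NIGHT_START 23:59:59"; do
        set -- $window
        printf -- '-A %s -m time --timestart %s --timestop %s --weekdays %s --kerneltz -j DROP\n' \
            "$CHAIN" "$1" "$2" "$NIGHT_DAYS"
    done
}

# Order matters: every ACCEPT must be appended before the DROPs.
apply_ruleset() {
    { emit_allow_rules; emit_night_deny_rules; } | while read -r rule; do
        # word-splitting of $rule into iptables arguments is intentional
        $IPT $rule
    done
}

# From AIF custom-rules call apply_ruleset; from a shell try: sh file --dry-run
if [ "${1:-}" = "--dry-run" ]; then IPT=echo; emit_dhcp_hosts; apply_ruleset; fi
```

Two caveats a practitioner would want next to this. `-m mac` only matches on frames the firewall receives directly from the client (FORWARD traffic arriving on the LAN-side interface), so it does nothing for hosts behind another router. And both the MAC and the IP are chosen by the client, so this is a policy gate that keeps honest devices on the schedule, not authentication; that is the gap the RADIUS idea earlier in the message would close.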

