As mentioned, deny all, and allow only the few, so, you only allow those
IPs from your IP address block to send any traffic internally, not just
exit the network, any traffic, this is easiest in a small network, but,
still functional in larger networks, with a greater deal of pain for sure.
Or as Paul suggested, do the blocking/allowing in a proper proxy.  Same
deal different ACL is all.

Folks tend to think of a firewall as merely a perimeter device, but, they
can well be employed to deal with the inside network as well, especially
easy with a few distributed intel systems running a simple packet filter,
or even iptables.  IDS' can and should be employed the same way.  It's
really long since time folks mind not only the outer edges of their
networks, but the flow inside and from the inside out.  This is how one
limits the effects of devastating resource costs in repairing code red and
nimda infestations, and the embarrassment of passing such infestations to
others you daily share e-mail and other files and data with.

Thanks,

Ron DuFresne

On Tue, 12 Feb 2002, John Steniger wrote:

> There are a ton of technical solutions, but unfortunately determined users
> will find ways around a majority of them.  You'll find eventually that
> you'll have to get somebody (perhaps the users' managers) involved to
> establish some sort of policy with some clear consequences.  Managers will
> listen when you translate the time wasted with frivolous web surfing into
> dollars lost.
>
> John J. Steniger
> Network and Security Manager
> Familymeds, Inc.
>
> > -----Original Message-----
> > From: Marc DVer [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, February 12, 2002 3:12 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Restricting User from Changing IP
> >
> >
> > I'm no expert, but as has been stated here, MAC addresses can be changed
> > very easily.
> >
> > If this were my situation, and if I were in a Windows environment, I would
> > lock down the computers using something like Fortres (which I actually use,
> > by the way).  Just lock down the desktop and users can't change the ip.
> >
> > Marc DVer
> > Head of MIS
> > White Eagle Laboratories, Inc.
> >
> > ----- Original Message -----
> > From: "Mike Fetherston" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Tuesday, February 12, 2002 2:46 PM
> > Subject: Re: Restricting User from Changing IP
> >
> >
> > > or if no policies are in place restricting the users machine, and there
> > > won't be any.. ever... you can limit to IP address and MAC.  i.e. set a
> > > rule that states specifically both MAC's and IP's, have your default
> > > policy to DENY (of course).
> > >
> > > Mike.
> > >
> > > ----- Original Message -----
> > > From: "Noonan, Wesley" <[EMAIL PROTECTED]>
> > > To: "'Nick'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> > > Sent: Tuesday, February 12, 2002 2:40 PM
> > > Subject: RE: Restricting User from Changing IP
> > >
> > >
> > > > Build your environment so that there isn't a way around?? Seriously.
> > > >
> > > > What OS are the users using? If they aren't administrators on Windows, I
> > > > don't think they can change their IP addresses. Sounds like it is time to
> > > > start revoking privileges...
> > > >
> > > > Wes Noonan, MCSE/MCT/CCNA/CCDA/NNCSS
> > > > Senior QA Rep.
> > > > BMC Software, Inc.
> > > > (713) 918-2412
> > > > [EMAIL PROTECTED]
> > > > http://www.bmc.com
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Nick [mailto:[EMAIL PROTECTED]]
> > > > Sent: Tuesday, February 12, 2002 13:32
> > > > To: [EMAIL PROTECTED]
> > > > Subject: Restricting User from Changing IP
> > > >
> > > > I got some nasty users behind proxying / filtering server,..
> > > > sometimes they change their ip address to get out from the restrictions.
> > > >
> > > > What should I do to prevent this ? ( I use iptables )
> > > >
> > > > TIA
> > > > _______________________________________________
> > > > Firewalls mailing list
> > > > [EMAIL PROTECTED]
> > > > http://lists.gnac.net/mailman/listinfo/firewalls

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
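
Added example, not written by anyone in this thread: a small generator for the default-deny, IP-plus-MAC allowlist discussed above, emitted in iptables-restore format so it can be reviewed before loading. The interface name eth1, the chain name LAN_ALLOW and all addresses are assumptions or constructed sample values.

```shell
#!/bin/sh
# Added example: prints an iptables-restore ruleset; it applies nothing.
LAN_IF="${LAN_IF:-eth1}"   # assumption: name of the inside-facing interface

# Constructed sample allowlist, one "IP MAC" pair per line (two bad entries).
sample_allowlist() {
cat <<'EOF'
# ip           mac
192.168.1.10   00:11:22:33:44:55
192.168.1.11   00:11:22:33:44:66
192.168.1.300  00:11:22:33:44:77
192.168.1.12   00:11:22:33:44
EOF
}

valid_mac() {
    echo "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

valid_ip() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# Reads the allowlist on stdin and writes the ruleset on stdout.
gen_ruleset() {
    # Default policy DROP: anything not matched below is denied.
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' ':LAN_ALLOW - [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        "-A INPUT -i $LAN_IF -j LAN_ALLOW" \
        "-A FORWARD -i $LAN_IF -j LAN_ALLOW" \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    while read -r ip mac rest; do
        case "$ip" in ''|'#'*) continue ;; esac
        if valid_ip "$ip" && valid_mac "$mac"; then
            # Source IP and source MAC must both match for the packet to pass.
            printf '%s\n' "-A LAN_ALLOW -s $ip -m mac --mac-source $mac -j ACCEPT"
        else
            echo "skipping invalid entry: $ip $mac" >&2
        fi
    done
    # Every inside packet reaches LAN_ALLOW, so a changed IP ends up here.
    printf '%s\n' '-A LAN_ALLOW -j LOG --log-prefix "lan-deny: "' \
        '-A LAN_ALLOW -j DROP' 'COMMIT'
}

sample_allowlist | gen_ruleset
```

The LAN_ALLOW jump sits ahead of the ESTABLISHED,RELATED rules so that packets arriving on the inside interface are always checked against the pair list, and the LOG rule records hosts whose address no longer matches their entry.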
