At 02:54 PM 10/29/02 +0100, Sanyarin wrote:
[...]
- would it be possible to use the same machine that is running the router
as a 'public' (for my intranet) place to leave e.g. patches, driver updates
or other useful files on?
Possible? Yes. Any general-purpose Linux system (e.g., Red Hat, Debian, SuSE) can also function as a router.

A good idea? Not really. The more the router does, the more vulnerable it is to attack. Since your comments below suggest that you are concerned about unauthorized use from the internal side, this is a concern even if you successfully make the services available only to "intranet" hosts. In any case, specialized distros like LEAF are not ideal for multi-purpose hosts.

- is it possible to require an authentication for outgoing traffic at a
rate of, let's say, once per day?
"Traffic" is not well defined here. From what you write below, I think you want each system (or, possibly, each user personally) to authenticate itself (him/herself) periodically to the router. IP address is worthless for this, of course. MAC-address authentication is better, but still spoofable. PPPoE gives you the ability to require userid/password authentication, but at the price of a hefty performance hit.

I can't think of anything off the shelf that will do the sort of authentication you want. One could adapt something (for example, some SMTP servers are set up to require POP userid/password authentication before accepting outgoing mail from a host; I have in mind a similar capability for a firewall ruleset), but it would be a lot of work. The simplest solution would require each LAN host to run a daemon that responds to periodic authorization queries, using either good encryption or some sort of challenge-response exchange that varies over time, and that raises the obvious problem that you need to decide what OSs you will support.

Or, you might require each user to open an ssh connection to the router (or to some separate, authenticating host) before the firewall ruleset will allow traffic from that IP address to be routed. This is not off-the-shelf either, but all the implementation trickiness occurs at the router end; the client hosts just need to be able to run an ssh client.

Were I confronted with this requirement, I'd try an approach something like this:

1. Require all systems to use DHCP leasing and register their MAC addresses for use in DHCP assignment.

2. Use ipchains/iptables to restrict Internet access to the subset of LAN IP addresses that are registered in step 1.

3. Use hardware controls to limit the physical access points that are active to the rooms that have registered in step 1.

You can do better than this if you use a switch that allows head-end restriction of what IP addresses (or MAC addresses; I'm a bit hazy on how this works) can connect to each port, but that's not a Linux or LEAF solution, so I, at least, cannot help much with the details.

Trying to implement this sort of restriction imposes some support headaches, in that even honest users change out their computers, hence their MAC addresses, or use multiple computers, and will be inconvenienced by the need to update their registrations. So you'll need a way to make updates fairly promptly. And it is far from perfect; you are still vulnerable to MAC-address spoofing.

Finally, please remember that a router can control only routed traffic. If your concerns are realistic, you need to worry about LAN-side attacks, not just misuse of the Internet connection. Every system on the LAN needs to be protected somehow from other LAN systems. There are ways to do this too, but the ones I can think of are expensive and/or are not Linux-based solutions (at least the Linux solution I can think of does not scale well to a dormitory).

Feel free to reply with a definitive 'no'/'yes, rtfm!' at this point,
although I would appreciate any hint on where to find the 'fine manual' on
that.
Sorry I cannot offer definitive answers, just some speculation. In any case, don't take a negative response as any real assurance that what you want doesn't exist someplace; it really just means I do not know of an off-the-shelf solution. Possibly someone else does and will educate both of us.


Those asking 'why the hell do you want to?' may read on.

My scenario is this: I'm living in a students' dormitory, and we recently
got equipped with a 100Mbps LAN. Shortly, we'll also get a 2Mbps internet
link, requiring a router. I want to have a firewall in place, would like to
have the aforementioned public directories available and additionally, need
a way to reliably identify the users, because the management of the
dormitory wants to be able to track down possible misuse. Our ISP could
only track IP and (possibly) MAC addresses, but I think that both are not
reliable enough in case official investigations should occur (or are
they?).
After all, I would like to save all the other users from having their
computers searched or seized, just because some stupid amateur believes he
will not get caught.

Please tell me if this could work (and perhaps give me a brief hint?), or
suggest a better solution under the given circumstances.
Thanks in advance to you all,



--
-------------------------------------------"Never tell me the odds!"--------
Ray Olszewski					-- Han Solo
Palo Alto, California, USA			  [EMAIL PROTECTED]
-------------------------------------------------------------------------------
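The registration-plus-filtering approach from steps 1 and 2 above, as an added example that is not from Ray's post or the LEAF project: a small POSIX shell script that reads a constructed registration file (MAC, fixed IP, room; all values made up) and generates both the ISC dhcpd `host` stanzas and the iptables FORWARD rules that let only registered (IP, MAC) pairs out to the Internet. The interface names `eth0`/`eth1` are assumptions; the script only prints the rules rather than applying them.

```shell
#!/bin/sh
# Constructed registration file: one line per registered host.
# Format: MAC  IP  room   (all values made up for this example)
REGISTRY="$(cat <<'EOF'
00:11:22:33:44:01 192.168.1.11 room101
00:11:22:33:44:02 192.168.1.12 room102
# 00:11:22:33:44:03 192.168.1.13 room103   (commented out = not yet registered)
EOF
)"

# Step 1: emit ISC dhcpd "host" stanzas pinning each registered MAC to a fixed IP.
dhcp_hosts() {
    printf '%s\n' "$REGISTRY" | grep -v '^#' | while read -r mac ip room; do
        [ -n "$mac" ] || continue
        printf 'host %s { hardware ethernet %s; fixed-address %s; }\n' "$room" "$mac" "$ip"
    done
}

# Step 2: emit iptables FORWARD rules. Default policy DROP; only a registered
# (IP, MAC) pair entering on the LAN interface may be forwarded to the WAN.
# Matching on both with "-m mac" raises the bar a little, but a host that forges
# both its IP and MAC still gets through, which is the spoofing caveat above.
fw_rules() {
    lan="$1"; wan="$2"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "$REGISTRY" | grep -v '^#' | while read -r mac ip room; do
        [ -n "$mac" ] || continue
        echo "iptables -A FORWARD -i $lan -o $wan -s $ip -m mac --mac-source $mac -j ACCEPT"
    done
    # Log what gets dropped so an unregistered host shows up in the router log.
    echo "iptables -A FORWARD -i $lan -o $wan -j LOG --log-prefix 'UNREGISTERED: '"
}

# Number of hosts currently allowed out; a quick sanity check after editing the file.
registered_count() { dhcp_hosts | wc -l | tr -d ' '; }

dhcp_hosts
fw_rules eth0 eth1
```

Regenerating both outputs from one file is what makes the "update registrations promptly" support burden tolerable: a room re-registers a new MAC once and both the DHCP lease and the firewall rule follow.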

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html