Generally it is possible, but only if you trust your visitors not to tamper
with the network settings and try to attack you. It should protect you from
most viruses and trojans.

For the first part, you need to create two subnets, one "DMZ" and one
"internal". In Bering, you can do that by adding a second ip address to your
internal interface in /etc/network/interfaces:

iface eth0 inet static
        address 10.4.5.1
        masklen 24
        up ip addr add 10.5.6.1/24 dev eth0 label eth0:dmz

Now you can address the "DMZ" interface as eth0:dmz. Next, configure the DHCP
server so that it hands out addresses in the 10.4.5.0/24 subnet with gateway
10.4.5.1 for known MACs, and addresses in the other subnet for everyone else.

As others pointed out, this does not protect you if someone really tries to
attack you. If they are on your LAN, they can talk directly to your
computers at the Ethernet level, grab the router's IP, do some ARP spoofing
and so on. Therefore, Ray's suggestion does not bring real security either,
just loads of configuration overhead.

Therefore, your second question (forbidding static IPs) doesn't bring any
security either. You can try and filter on MAC addresses, but that's useless
unless it makes you feel better.

Regards
Alex

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Eric House
> Sent: Friday, December 12, 2003 7:10 PM
> To: leaf
> Subject: [leaf-user] dmz possible within same physical network?
>
>
> I'm setting up LEAF (Bering uClib 2.0) for a new condo with
> in-the-wall ethernet and lots of tech-savvy visitors, some of whom run
> virus hosts from Redmond.  I want visitors to be able to plug their
> laptops into any jack in the wall, including jacks that may be used by
> members of the household.  But I don't want to allow them the same
> privileges as "known" hosts, esp. access to other hosts on the LAN.
>
> Basically, I want to offer DHCP leases on eth1, and if the MAC address
> is unknown to put it in an effective dmz that's only allowed access to
> the WAN via eth0.  This would be trivial to do if I had an eth2, but
> there's only one jack at each location so I can't just add a new NIC.
>
> I'd also like to refuse connections to static IP addresses that happen
> to be in the right range so that folks have to go through dhcp.
>
> Is this possible using Bering?  Any suggestions where to start reading
> on how to set it up?  The hardware in this case is a Soekris box (boot
> medium is a CF card), so I'm not limited to a floppy-based distro; but
> I use Bering everywhere else and want to keep things compatible.
>
> Thanks,
>
> --Eric House
> --
> ****************************************************************************
> * From the desktop of: Eric House, [EMAIL PROTECTED]                         *
> *    Crosswords 4.0 for PalmOS is out!: <http://www.peak.org/~fixin/xwords>  *
> ****************************************************************************
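An added example (not from Alex's reply, Eric's post, or the LEAF project) of the DHCP half of the setup Alex describes: one physical segment carrying both logical subnets, with known MACs leased out of 10.4.5.0/24 and everything else out of 10.5.6.0/24. It assumes the dhcpd package on the Bering box is ISC dhcpd 3.x, whose `shared-network`, `pool` and `known-clients` statements are used here; the host name, MAC address and lease ranges are constructed for illustration.

```conf
# /etc/dhcpd.conf (ISC dhcpd 3.x syntax, assumed) - added example, not Bering's shipped config
ddns-update-style none;
default-lease-time 3600;
max-lease-time 7200;

# Both subnets live on the same wire (eth0 / eth0:dmz), so they must be
# declared inside one shared-network or dhcpd will refuse to serve both.
shared-network condo {

    # "internal": only MACs declared in a host block below get a lease here.
    subnet 10.4.5.0 netmask 255.255.255.0 {
        option routers 10.4.5.1;
        option domain-name-servers 10.4.5.1;
        pool {
            allow known-clients;
            deny unknown-clients;
            range 10.4.5.100 10.4.5.199;
        }
    }

    # "DMZ": anyone not listed below lands here, with the eth0:dmz address
    # as gateway. Firewall rules on the router (not shown, and not part of
    # this example) must still block 10.5.6.0/24 -> 10.4.5.0/24 traffic.
    subnet 10.5.6.0 netmask 255.255.255.0 {
        option routers 10.5.6.1;
        option domain-name-servers 10.5.6.1;
        pool {
            allow unknown-clients;
            deny known-clients;
            range 10.5.6.100 10.5.6.199;
        }
    }
}

# A host block with no fixed-address only marks the MAC as "known";
# the client still gets a dynamic lease from the internal pool.
host household-laptop {
    hardware ethernet 00:11:22:33:44:55;   # constructed MAC, not a real host
}
```

Before restarting dhcpd, `dhcpd -t` will syntax-check the file. Keep in mind that this only controls what the server offers: as Alex notes, a visitor who sets a static 10.4.5.x address or spoofs a listed MAC sits on the same Ethernet segment as the household machines, so the pool split is a convenience for well-behaved clients, not an isolation boundary.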


-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


