 
 From:  Jesse Guardiani <jesse at wingnet dot net>
 To:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall-dev] DHCP Server request
 Date:  Mon, 21 Feb 2005 09:36:13 -0500
On Monday 21 February 2005 2:52 am, Quark IT - Hilton Travis wrote:
> Hi All,
> 
> OK.  So I have now configured Captive Portal for the users on that
> network.  Works fine as far as captive portal issues go - all blocked
> until they agree, and I can configure certain users to bypass the
> captive portal.  Nice.
> 
> Unfortunately, this doesn't address my first concern - the ability to
> block certain (or all unspecified) MAC addresses from gaining access to
> the Internet.

Actually, it should. That's what the captive portal does. I don't understand
what you mean here.


> Unfortunately, it also doesn't address my second concern - the ability
> to have the MAC addresses in a list and be able to turn them on/off with
> a checkbox.  Even in Captive Portal when a MAC is deleted from the
> "Pass-through MAC" area, it is deleted, not just disabled.

Fair enough. That would be a nice feature.


> So, what I'd like to see for the Captive Portal section is the
> following:
> 
> 1. The ability to just disable a particular MAC/IP from being on the
> "Pass-Thru" or "Block" list, not having to delete it totally - somewhat
> like in the Firewall Rules section where a rule can be configured but
> disabled.
> 
> 2. The ability to block a particular MAC address in a similar way to
> "Pass-through MAC", but called something like "Blocked MAC".
> 
> 3. Same goes with IP address as well as MAC address.
> 
> 4. What would be really nice is a checkbox in the "Blocked" sections for
> "Block all MACs/IPs not listed in the Pass-Thru Section" which would be
> a really, really quick and dirty "close" of the network to all non-admin
> (or whoever's allowed to pass thru) users.
> 
> Unfortunately, many of the tenants aren't sheep, so they can configure
> IPs and MACs to get around simple blocks.  Hence why the "Blocked MACs"
> and "Blocked IPs" would be nice.

I think requiring some sort of PPPoE tunnel would be the only way to
truly lock down an interface from unauthorized use. MACs and IPs can
always be forged.


> --
> 
> Regards,
> 
> Hilton Travis                          Phone: +61 (0)7 3344 3889
> (Brisbane, Australia)                  Phone: +61 (0)419 792 394
> Manager, Quark IT                      http://www.quarkit.com.au
>          Quark AudioVisual             http://www.quarkav.net
> 
> http://www.threatcode.com/ <-- it's now time to shame poor coders 
> into writing code that is acceptable for use on today's networks
> 
> War doesn't determine who is right.  War determines who is left.
> 
> This document and any attachments are for the intended recipient 
>   only.  It may contain confidential, privileged or copyright 
>      material which must not be disclosed or distributed. 
> 
> > -----Original Message-----
> > From: Chris Dickens [mailto:chris at object dash zone dot net] 
> > Sent: Saturday, 19 February 2005 06:11
> > 
> > Jesse:
> > 
> > Welcome to the wonderful world of corporate sheep.  99% 
> > of people have no clue what a static IP is or how to 
> > figure out one to code in, and this level of 
> > obfuscation sadly works - but not against you or me. :)
> > 
> > --Chris
> > 
> > -----Original Message-----
> > From: Jesse Guardiani [mailto:jesse at wingnet dot net] 
> > Sent: Friday, February 18, 2005 3:05 PM
> > 
> > 
> > On Friday 18 February 2005 2:27 pm, Quark IT - Hilton Travis wrote:
> > > Hi All,
> > > 
> > > I have a request for an additional feature in the "DHCP 
> > > Server" page.  Currently, it is easy to add MAC 
> > > addresses for static mappings.  It is also easy to 
> > > remove them.  I have a client who leases "space" on 
> > > their Internet pipe to building tenants, and if these 
> > > tenants have not paid their bill in time, they need to 
> > > have Internet access blocked.  Currently, it is 
> > > required to have a list of the MAC addresses of 
> > > registered machines so that once the client has paid 
> > > (late) the list is consulted to re-add them to the list 
> > > of allowed MACs.
> > > 
> > > What would be nice is a "Disable this address" option 
> > > in DHCP Server just as there is in the Firewall rules 
> > > that would not delete that MAC address from the list, 
> > > but not allow it to access the Internet - allowing a 
> > > simple checkbox operation to re-add this MAC address to 
> > > the allowed list.
> > > 
> > > It would make this feature much more usable in 
> > > situations like this.
> > 
> > AFAIK, disabling DHCP won't actually prevent the user 
> > from getting on the internet. It'll just prevent them 
> > from getting an IP. It's easy to set up a static IP, 
> > even under Windows 98, so why don't you use Captive 
> > Portal instead? Then you can add your MAC addresses 
> > and delete them in the way you describe, along with 
> > popping up a message stating that the tenant's bill
> > might be due if their MAC isn't found...
> > 
> > -- 
> > Jesse Guardiani, Systems Administrator
> > WingNET Internet Services,
> > P.O. Box 2605 // Cleveland, TN 37320-2605
> > 423-559-LINK (v)  423-559-5145 (f)
> > http://www.wingnet.net
> 

-- 
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v)  423-559-5145 (f)
http://www.wingnet.net