 From:  "Quark IT - Hilton Travis" <hilton at quarkit dot com dot au>
 To:  <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall-dev] DHCP Server request
 Date:  Wed, 23 Feb 2005 05:54:05 +1000
Hi Jesse,

DAMN I hate the reply to the poster not to the list, considering it was
the LIST that I received the email from in the first place.  :(

> -----Original Message-----
> From: Jesse Guardiani [mailto:jesse at wingnet dot net] 
> Sent: Tuesday, 22 February 2005 00:36
> 
> On Monday 21 February 2005 2:52 am, Quark IT - Hilton Travis wrote:
> > Hi All,
> > 
> > OK.  So I have now configured Captive Portal for the users 
> > on that network.  Works fine as far as captive portal 
> > issues go - all blocked until they agree, and I can 
> > configure certain users to bypass the captive portal.  
> > Nice.
> > 
> > Unfortunately, this doesn't address my first concern - 
> > the ability to block certain (or all unspecified) MAC 
> > addresses from gaining access to the Internet.
> 
> Actually, it should. That's what the captive portal does. 
> I don't understand what you mean here.

Nope, it doesn't.  What this achieves is having that user get a "Captive
Portal" web page that they then have to agree to before continuing on to
the Internet.  It doesn't disable their Internet access.

However, I suppose I could just not have a "Continue" option on that
page, however this would mean that ALL users then need to be added to
the Pass-Thru list if they were to need Internet access and they'd never
have to agree to the Captive Portal terms and conditions.

> > Unfortunately, it also doesn't address my second concern 
> > - the ability to have the MAC addresses in a list and be 
> > able to turn them on/off with a checkbox.  Even in Captive 
> > Portal when a MAC is deleted from the "Pass-through MAC" 
> > area, it is deleted, not just disabled.
> 
> Fair enough. That would be a nice feature.
> 
> > So, what I'd like to see for the Captive Portal section 
> > is the following:
> > 
> > 1. The ability to just disable a particular MAC/IP from 
> > being on the "Pass-Thru" or "Block" list, not having to 
> > delete it totally - somewhat like in the Firewall Rules 
> > section where a rule can be configured but disabled.
> > 
> > 2. The ability to block a particular MAC address in a 
> > similar way to "Pass-through MAC", but called something 
> > like "Blocked MAC".
> > 
> > 3. Same goes with IP address as well as MAC address.
> > 
> > 4. What would be really nice is a checkbox in the 
> > "Blocked" sections for "Block all MACs/IPs not listed 
> > in the Pass-Thru Section" which would be a really, 
> > really quick and dirty "close" of the network to all 
> > non-admin (or whoever's allowed to pass thru) users.
> > 
> > Unfortunately, many of the tenants aren't sheep, so 
> > they can configure IPs and MACs to get around simple 
> > blocks.  Hence why the "Blocked MACs" and "Blocked 
> > IPs" would be nice.
> 
> I think requiring some sort of PPPoE tunnel would be the only way to
> truly lock down an interface from unauthorized use. MACs and IPs can
> always be forged.

Yes, they can be forged but many users wouldn't think of this.  I'm
seriously considering installing a squid box in this location so users
need to auth to this.  That'd stop them.  But I'm sure a firewall could
be used to easily block outbound access - isn't that what a firewall's
purpose is - to stop access from one side to the other side by
unauthorized devices?

> > --
> > 
> > Regards,
> > 
> > Hilton Travis                          Phone: +61 (0)7 3344 3889
> > (Brisbane, Australia)                  Phone: +61 (0)419 792 394
> > Manager, Quark IT                      http://www.quarkit.com.au
> >          Quark AudioVisual             http://www.quarkav.net
> > 
> > http://www.threatcode.com/ <-- it's now time to shame poor coders 
> > into writing code that is acceptable for use on today's networks
> > 
> > War doesn't determine who is right.  War determines who is left.
> > 
> > This document and any attachments are for the intended recipient 
> >   only.  It may contain confidential, privileged or copyright 
> >      material which must not be disclosed or distributed. 
> > 
> > > -----Original Message-----
> > > From: Chris Dickens [mailto:chris at object dash zone dot net] 
> > > Sent: Saturday, 19 February 2005 06:11
> > > 
> > > Jesse:
> > > 
> > > Welcome to the wonderful world of corporate sheep.  99% 
> > > of people have no clue what a static IP is or how to 
> > > figure out one to code in, and this level of 
> > > obfuscation sadly works - but not against you or me. :)
> > > 
> > > --Chris
> > > 
> > > -----Original Message-----
> > > From: Jesse Guardiani [mailto:jesse at wingnet dot net] 
> > > Sent: Friday, February 18, 2005 3:05 PM
> > > 
> > > 
> > > On Friday 18 February 2005 2:27 pm, Quark IT - Hilton 
> > > Travis wrote:
> > > > Hi All,
> > > > 
> > > > I have a request for an additional feature in the "DHCP 
> > > > Server" page.  Currently, it is easy to add MAC 
> > > > addresses for static mappings.  It is also easy to 
> > > > remove them.  I have a client who leases "space" on 
> > > > their Internet pipe to building tenants, and if these 
> > > > tenants have not paid their bill in time, they need to 
> > > > have Internet access blocked.  Currently, it is 
> > > > required to have a list of the MAC addresses of 
> > > > registered machines so that once the client has paid 
> > > > (late) the list is consulted to re-add them to the list 
> > > > of allowed MACs.
> > > > 
> > > > What would be nice is a "Disable this address" option 
> > > > in DHCP Server just as there is in the Firewall rules 
> > > > that would not delete that MAC address from the list, 
> > > > but not allow it to access the Internet - allowing a 
> > > > simple checkbox operation to re-add this MAC address to 
> > > > the allowed list.
> > > > 
> > > > It would make this feature much more usable in 
> > > > situations like this.
> > > 
> > > AFAIK, disabling DHCP won't actually prevent the user 
> > > from getting on the internet. It'll just prevent them 
> > > from getting an IP. It's easy to set up a static IP, 
> > > even under Windows 98, so why don't you use Captive 
> > > Portal instead? Then you can add your MAC addresses 
> > > and delete them in the way you describe, along with 
> > > popping up a message stating that the tenant's bill
> > > might be due if their MAC isn't found...
> > > 
> > > -- 
> > > Jesse Guardiani, Systems Administrator
> > > WingNET Internet Services,
> > > P.O. Box 2605 // Cleveland, TN 37320-2605
> > > 423-559-LINK (v)  423-559-5145 (f)
> > > http://www.wingnet.net
> > 
> > 
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: m0n0wall dash dev dash unsubscribe at lists dot m0n0 dot ch
> > For additional commands, e-mail: m0n0wall dash dev dash help at lists dot m0n0 dot ch
> > 
> > 
> 
> -- 
> Jesse Guardiani, Systems Administrator
> WingNET Internet Services,
> P.O. Box 2605 // Cleveland, TN 37320-2605
> 423-559-LINK (v)  423-559-5145 (f)
> http://www.wingnet.net
> 
> 
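The four Captive Portal changes Hilton lists above (disable an entry without deleting it, a "Blocked MAC" list, the same for IPs, and a "block everything not in Pass-Thru" switch) can be modelled as a small policy evaluator. The following is an added example written for this page; it is not m0n0wall code and not code from any poster in the thread, and the `Entry`/`PortalPolicy` names, the `block`/`pass`/`portal` outcomes and the sample MACs and IPs are all constructed for illustration. Because decisions are keyed on the MAC and IP a client presents, it inherits exactly the limitation Jesse points out: a forged address is evaluated the same way as a genuine one, so this is a billing-enforcement convenience, not an authentication control.

```python
from dataclasses import dataclass, field
from typing import List, Optional


def norm_mac(mac: str) -> str:
    """Canonicalise a MAC so 'AA-BB-...' and 'aa:bb:...' compare equal."""
    return mac.strip().lower().replace("-", ":")


@dataclass
class Entry:
    """One row of a Pass-Thru or Blocked list (hypothetical schema, not m0n0wall's)."""
    mac: Optional[str] = None
    ip: Optional[str] = None
    enabled: bool = True        # point 1: the 'disable, don't delete' checkbox
    note: str = ""

    def matches(self, mac: str, ip: str) -> bool:
        if not self.enabled:
            return False        # a disabled row is kept but never matches
        if self.mac is None and self.ip is None:
            return False        # an empty row matches nothing
        if self.mac is not None and norm_mac(self.mac) != mac:
            return False
        if self.ip is not None and self.ip != ip:
            return False
        return True


@dataclass
class PortalPolicy:
    passthru: List[Entry] = field(default_factory=list)  # "Pass-through MAC" / IP
    blocked: List[Entry] = field(default_factory=list)   # points 2 and 3: "Blocked MAC" / IP
    block_unlisted: bool = False                         # point 4: close the network to unlisted clients

    def decide(self, mac: str, ip: str) -> str:
        """Return 'block' (no access), 'pass' (skip the portal) or 'portal' (show the page).

        The MAC/IP pair is whatever the client claims; a spoofed pair is
        evaluated identically, which is the weakness discussed in the thread.
        """
        mac = norm_mac(mac)
        if any(e.matches(mac, ip) for e in self.blocked):
            return "block"      # explicit blocks win over pass-through rows
        if any(e.matches(mac, ip) for e in self.passthru):
            return "pass"
        return "block" if self.block_unlisted else "portal"

    def set_enabled(self, mac: str, enabled: bool) -> int:
        """Tick or untick every row for this MAC; returns the number of rows changed."""
        mac = norm_mac(mac)
        changed = 0
        for e in self.passthru + self.blocked:
            if e.mac is not None and norm_mac(e.mac) == mac:
                e.enabled = enabled
                changed += 1
        return changed


def demo_policy() -> PortalPolicy:
    """Constructed sample lists; the MACs and IPs are made up."""
    return PortalPolicy(
        passthru=[Entry(mac="00:11:22:33:44:55", note="admin laptop"),
                  Entry(ip="192.0.2.20", note="tenant 2, paid up")],
        blocked=[Entry(mac="00:11:22:33:44:66", note="tenant 3, bill overdue")],
    )


if __name__ == "__main__":
    p = demo_policy()
    print(p.decide("00-11-22-33-44-55", "192.0.2.10"))  # pass   (admin, dash-separated MAC)
    print(p.decide("00:11:22:33:44:66", "192.0.2.30"))  # block  (overdue tenant)
    print(p.decide("00:11:22:33:44:77", "192.0.2.40"))  # portal (unknown client sees the page)
    p.set_enabled("00:11:22:33:44:66", False)           # tenant 3 pays: untick, keep the row
    print(p.decide("00:11:22:33:44:66", "192.0.2.30"))  # portal
    p.block_unlisted = True
    print(p.decide("00:11:22:33:44:77", "192.0.2.40"))  # block  (network closed to unlisted)
```

Explicit block rows are checked before pass-through rows so that an overdue tenant who also appears in Pass-Thru is still cut off; unticking the block row, rather than deleting it, is what makes re-enabling a one-checkbox operation. Anything built on this still needs the stronger per-user authentication the thread mentions (a portal login, proxy auth or PPPoE) if tenants are expected to change their own addresses.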