[Dnsmasq-discuss] Request for brain-storm: Rogue dhcp-servers on the lan

richardvoigt at gmail.com
Tue Aug 26 21:26:49 BST 2008


I meant for this to go to the list, but reply-to-all didn't do it, so
here's a resend.


---------- Forwarded message ----------
From: richardvoigt at gmail.com <richardvoigt at gmail.com>
Date: Tue, Aug 26, 2008 at 3:25 PM
Subject: Re: [Dnsmasq-discuss] Request for brain-storm: Rogue dhcp-servers on the lan
To: Jima <jima at beer.tclug.org>


On Tue, Aug 26, 2008 at 1:36 PM, Jima <jima at beer.tclug.org> wrote:
> richardvoigt at gmail.com wrote:
>>>
>>> On Mon, Aug 25, 2008 at 16:38, Jima <jima at beer.tclug.org> wrote:
>>>>
>>>>  I have a vague idea relating to a VLAN-capable switch married to a
>>>> Linux router, but it may or may not be terribly feasible depending on
>>>> the network topology and capacity. :-)
>>
>> Essentially:
>>
>> split the switch ports into VLANs.
>> Attach the linux b-router to a "trunk port", defined as being a member
>> of all VLANs with 802.1q tagging enabled.
>> Use brctl to bridge all the ethx.n vlan virtual interfaces.
>> Configure iptables/ebtables/arptables.
>>
>> The b-router also becomes a good place for NAT, IDS, bandwidth
>> throttling and QoS, and/or load balancing upstream links.
>
>  Richard pretty well outlined what my own course of action would be.
> Although in my experience, ebtables isn't terribly necessary -- I've been
> able to accomplish everything I've needed using iptables' physdev module.

Unless of course you want to prevent people from, for example, typing
in DNS server addresses in the "own IP address" field, and screwing up
the whole network.  Or broadcasting wake-on-lan packets.  Or flooding
the network with physical-layer broadcasts.

There are a lot of things that iptables won't see, and even if you
have no malicious users, you may still have infected users.

>  YMMV, though.
>
>     Jima
>
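As an added example (not from this thread, nor part of dnsmasq) of the bridged-VLAN plus ebtables setup outlined above: the bridge side follows Richard's steps, and the ebtables side covers the cases he lists that iptables never sees (rogue DHCP replies, someone claiming the router's address, broadcast floods). Assumptions: trunk interface eth0 carrying VLANs 10/20/30, bridge br0, router address 192.168.1.1, dnsmasq running on the b-router itself, and iproute2's ip(8) for the 802.1q sub-interfaces; with DRY_RUN=1 (the default) it only prints the commands.

```shell
#!/bin/sh
# Assumed names (override via the environment): trunk, VLAN IDs, bridge, router IP.
TRUNK=${TRUNK:-eth0}
VLANS=${VLANS:-"10 20 30"}
BR=${BR:-br0}
ROUTER_IP=${ROUTER_IP:-192.168.1.1}
DRY_RUN=${DRY_RUN:-1}   # 1 = print commands only; 0 = execute (needs root)

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# One 802.1q sub-interface per VLAN, all bridged together: clients in
# different VLANs still see one LAN, but every frame between them crosses
# the b-router, where ebtables can look at it.
bridge_vlans() {
    run brctl addbr "$BR"
    for id in $VLANS; do
        run ip link add link "$TRUNK" name "$TRUNK.$id" type vlan id "$id"
        run ip link set "$TRUNK.$id" up
        run brctl addif "$BR" "$TRUNK.$id"
    done
    run ip link set "$BR" up
}

# Layer-2 rules for frames bridged between client ports. The router's own
# dnsmasq answers through the OUTPUT chain, so anything in FORWARD that
# looks like a DHCP server or claims the router's address is rogue.
l2_filters() {
    run ebtables -F FORWARD
    # rogue DHCP: server-to-client replies (UDP 67 -> 68) bridged port-to-port
    run ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-sport 67 --ip-dport 68 -j DROP
    # a host that typed the router/DNS address into its own IP field
    run ebtables -A FORWARD -p ARP --arp-ip-src "$ROUTER_IP" -j DROP
    run ebtables -A FORWARD -p IPv4 --ip-src "$ROUTER_IP" -j DROP
    # rate-limit physical-layer broadcasts instead of flooding every VLAN
    run ebtables -A FORWARD -d Broadcast --limit 20/s --limit-burst 50 -j ACCEPT
    run ebtables -A FORWARD -d Broadcast -j DROP
}

bridge_vlans
l2_filters
```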


