I want to run dhcp and shorewall on the same computer. It is my gateway and that computer is doing NAT for my network. How can I set up shorewall to let only users that get their static ip address via dhcp, and not let users that have a static address?
On Monday 23 May 2005 11:39 pm, Srboljub Jovanovic wrote:
> I want to run dhcp and shorewall on the same computer. It is
> my gateway and that computer is doing NAT for my network.

> How can I set up shorewall to let only users that get their
> static ip address via dhcp, and not let users that have a
> static address.

Let them do what?

-- 
John Andersen - NORCOM
http://www.norcomsoftware.com/
> I want to run dhcp and shorewall on the same computer. It is
> my gateway and that computer is doing NAT for my network. How
> can I set up shorewall to let only users that get their
> static ip address via dhcp, and not let users that have a
> static address.

Running a DHCP server on the shorewall gateway:
Have you read http://www.shorewall.com/myfiles.htm?

DHCP does not provide static ip addresses. It provides dynamic IP addresses to the computer running the DHCP client. The computers that have a static address will not ask the DHCP server for a dynamic IP address.

- Masaru
Sorry for the typo.
> Have you read http://www.shorewall.com/myfiles.htm?
Correct: http://www.shorewall.net/myfiles.htm

- Masaru
Of course you can assign static addresses via dhcp with a mac-to-ip mapping in your dhcp.conf.
IMHO, if you want to filter hosts that have a "real static" address (without dhcp) you could use a maclist filter to do that.

http://www.shorewall.net/MAC_Validation.html

This is of course independent of the dhcp server setting.

Also you will want to read this:

http://www.shorewall.net/dhcp.htm

But in any case, with your setup you will have to maintain two mac lists, one in the dhcp, one in shorewall's maclist.

HTH,
Alex

Srboljub Jovanovic wrote:
> I want to run dhcp and shorewall on the same computer. It is
> my gateway and that computer is doing NAT for my network. How
> can I set up shorewall to let only users that get their
> static ip address via dhcp, and not let users that have a
> static address.
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
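As an added example (not from the thread and not Shorewall project code): the "two mac lists" Alex mentions can be kept in step by deriving the Shorewall maclist from the dhcpd.conf host stanzas instead of editing it by hand. The script below is a small POSIX shell/awk tool that does that. The interface name eth1, the one-directive-per-line dhcpd.conf layout and the sample dhcpd.conf itself are assumptions constructed for the example; host stanzas without a fixed-address line are dynamic-lease clients and are deliberately left out, because only the fixed-address hosts are the ones the original poster wants to let through.

```shell
#!/bin/sh
# Added example: build Shorewall maclist entries from ISC dhcpd.conf "host"
# stanzas so the DHCP fixed-address list and the firewall maclist come
# from one source. Not Shorewall project code; paths and names assumed.

# Constructed sample dhcpd.conf (assumption, not from the thread).
# One "host" block per stanza, one directive per line.
SAMPLE_DHCPD_CONF='
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.200;
    option routers 192.168.1.1;
}
host printer {
    hardware ethernet 00:11:22:33:44:55;
    fixed-address 192.168.1.10;
}
host laptop {
    hardware ethernet AA:BB:CC:DD:EE:FF;
    fixed-address 192.168.1.11;
}
host guest-box {
    hardware ethernet 00:de:ad:be:ef:00;
}
'

# maclist_from_dhcpd IFACE   (reads dhcpd.conf on stdin)
# Emits one maclist line "ACCEPT IFACE MAC IP" per host stanza that has
# both "hardware ethernet" and "fixed-address". MACs are lower-cased so
# the list compares cleanly whatever case the admin typed. Stanzas with
# no fixed-address get dynamic leases and are skipped on purpose.
maclist_from_dhcpd() {
    awk -v iface="$1" '
        /^[ \t]*host[ \t]/ { inhost = 1; mac = ""; ip = ""; next }
        inhost && /hardware[ \t]+ethernet/ {
            mac = $3; sub(/;.*/, "", mac); mac = tolower(mac); next
        }
        inhost && /^[ \t]*fixed-address/ {
            ip = $2; sub(/;.*/, "", ip); next
        }
        inhost && /^[ \t]*}/ {
            if (mac != "" && ip != "")
                printf "ACCEPT\t%s\t%s\t%s\n", iface, mac, ip
            inhost = 0
        }
    '
}

# duplicate_macs   (reads a maclist on stdin)
# Prints every MAC that appears more than once. Two host stanzas sharing
# a MAC is a dhcpd.conf mistake worth catching before it reaches either
# file: the maclist would then tie one MAC to two addresses.
duplicate_macs() {
    awk '$1 == "ACCEPT" { print $3 }' | sort | uniq -d
}

# Stand-alone run: print the generated list, fail loudly on duplicates.
main() {
    list=$(printf '%s\n' "$SAMPLE_DHCPD_CONF" | maclist_from_dhcpd eth1)
    printf '%s\n' "$list"
    dups=$(printf '%s\n' "$list" | duplicate_macs)
    if [ -n "$dups" ]; then
        echo "duplicate MAC(s) in dhcpd.conf: $dups" >&2
        return 1
    fi
}

main
```

In use, the output would be written to /etc/shorewall/maclist and the interface given the maclist option in /etc/shorewall/interfaces, as the MAC_Validation page describes. The caveat raised later in the thread still applies: a MAC is a client-chosen value, so this only keeps honest clients on their assigned addresses and is not a defence against a host that deliberately spoofs.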
Srboljub Jovanovic wrote:
> I want to run dhcp and shorewall on the same computer. It is
> my gateway and that computer is doing NAT for my network. How
> can I set up shorewall to let only users that get their
> static ip address via dhcp, and not let users that have a
> static address.

Either: Set up two subnets on your LAN, one served by DHCP and the other served by static addresses, and only allow the former to do whatever it is you want them to be able to do.

Or: Set up DHCP to use static addresses for each node and then grant access only to those nodes. However, there is nothing to stop a user manually configuring a system to use a DHCP address (providing it is not actually in use).

I suggest you think more carefully about exactly what you are trying to achieve - you probably don't want to do what you said, which is only allow DHCP systems to do something. You probably want to only allow certain users or certain machines to do something: how they get their address may, coincidentally, be via DHCP, but that is unlikely to be the key criterion for granting them access to something.

-- 
Keith Edmunds
+---------------------------------------------------------------------+
| Tiger Computing Ltd | Helping businesses make the most of Linux |
| "The Linux Company" | http://www.TheLinuxConsultancy.co.uk |
+---------------------------------------------------------------------+
Hello John Andersen,

Let them have internet.

Best regards,

======= At 2005-05-24, 09:55:47 you wrote: =======
> On Monday 23 May 2005 11:39 pm, Srboljub Jovanovic wrote:
> > I want to run dhcp and shorewall on the same computer. It is
> > my gateway and that computer is doing NAT for my network.
>
> > How can I set up shorewall to let only users that get their
> > static ip address via dhcp, and not let users that have a
> > static address.
>
> Let them do what?
>
> --
> John Andersen - NORCOM
> http://www.norcomsoftware.com/

= = = = = = = = = = = = = = = = = = =
Jovanovic Srboljub
srbax@medianis.net
2005-05-24
Hello Alexander Wilms,

I have a wireless network and I'm using a Linksys WET54G bridge on the client side, and the firewall can't see the mac addresses of users behind the WET. So I can't use mac filtering with shorewall, I already tried it. I'm trying to find the best way to secure my network. I don't want to let users get anyone else's ip address.

Best regards,

======= At 2005-05-24, 10:39:11 you wrote: =======
> Of course you can assign static addresses via dhcp with a mac ip
> mapping in your dhcp.conf
> IMHO, if you want to filter hosts that have a "real static" address
> (without dhcp) you could use a maclist filter to do that.
>
> http://www.shorewall.net/MAC_Validation.html
>
> This is of course independent of the dhcp server setting.
>
> Also you will want to read this:
>
> http://www.shorewall.net/dhcp.htm
>
> But in any case, with your setup you will have to maintain two mac
> lists, one in the dhcp, one in shorewall's maclist.
>
> HTH,
> Alex

= = = = = = = = = = = = = = = = = = =
Jovanovic Srboljub
srbax@medianis.net
2005-05-24
ISHIKAWA Masaru wrote:
> DHCP does not provide static ip address.

Nope.

You can lease static addresses to known MAC addresses via DHCP. It surely makes not much sense, as you could give these IPs by hand, but OP probably wants to keep all network configuration on a single server.

> - Masaru

Regards Jan
-- 
OpenPGP Public-Key Fingerprint: 0E9B 4052 C661 5018 93C3 4E46 651A 7A28 4028 FF7A
On Tuesday 24 May 2005 14:48, Jovanovic Srboljub wrote:
> Hello Alexander Wilms,
>
> I have a wireless network and I'm using a Linksys WET54G bridge on the client
> side, and the firewall can't see the mac addresses of users behind the WET. So I can't use
> mac filtering with shorewall, I already tried it. I'm trying to find the best
> way to secure my network. I don't want to let users get anyone else's ip
> address.

It won't be possible to achieve this level of security with shorewall or dhcp or any other packet filter. The only way to totally avoid somebody's "break-in" and "stealing" of a mac or ip address is physical security and/or port security on the switches, but I guess you won't have switches with this function.

So to limit at least internet access to special users/hosts you can only use a mac/ip list, but both can be faked. Maybe you should also think about using an application level proxy like squid with user authentication. But of course such a username/password combination could possibly be sniffed by an intruder as well if he can gain physical access to the network.

On the other hand: I don't know how this WET bridge works. (Its main goal is range extension, right?) If it is doing normal bridging like the WRT54GS does, then you should see the MACs. Guys, am I right, a bridge forwards on layer 2, so it forwards also the MACs!?

IMHO, I believe that a combination of WRT54GS routers in WDS mode using Sveasoft or OpenWRT firmware is the better solution. You can filter already on these devices using shorewall/iptables. Also you would gain a lot of other features.

HTH,
Alex

> Best regards,
>
> ======= At 2005-05-24, 10:39:11 you wrote: =======
> > Of course you can assign static addresses via dhcp with a mac ip
> > mapping in your dhcp.conf
> > IMHO, if you want to filter hosts that have a "real static" address
> > (without dhcp) you could use a maclist filter to do that.
> >
> > http://www.shorewall.net/MAC_Validation.html
> >
> > This is of course independent of the dhcp server setting.
> >
> > Also you will want to read this:
> >
> > http://www.shorewall.net/dhcp.htm
> >
> > But in any case, with your setup you will have to maintain two mac
> > lists, one in the dhcp, one in shorewall's maclist.
> >
> > HTH,
> > Alex
>
> = = = = = = = = = = = = = = = = = = =
>
> Jovanovic Srboljub
> srbax@medianis.net
> 2005-05-24
On Wednesday 25 May 2005 18:07, Urivan Alyasid Flores Saaib wrote:
> Jovanovic,
>
> You might want to enable a virtual interface in the server and then
> configure dhcp to serve two different configurations (one might serve
> network info to fixed-address, and the other just serves dynamic ips),
> then you can enable different rules depending on the net interface you
> define.
>
> Regards,
>
> Urivan Saaib
> CiberLinux Networking
>
> Srboljub Jovanovic wrote:
> > I want to run dhcp and shorewall on the same computer. It is
> > my gateway and that computer is doing NAT for my network. How
> > can I set up shorewall to let only users that get their
> > static ip address via dhcp, and not let users that have a
> > static address.

Btw., all posts - including mine - and also your idea about static addresses don't really solve your security problem. The best solution would be using a client-to-firewall VPN setup (also called transport mode) and then only allowing this VPN zone to access the Internet (and other services). Also it will give your WLAN additional security.

Thanks to Tom Eastep for this hint ;-)

Regards,
Alex
2005/5/24, Srboljub Jovanovic <srbax@medianis.net>:
> I want to run dhcp and shorewall on the same computer. It is
> my gateway and that computer is doing NAT for my network. How
> can I set up shorewall to let only users that get their
> static ip address via dhcp, and not let users that have a
> static address.

Install dnsmasq.
Read http://www.shorewall.net/dhcp.htm

Note: MAC validation _is_not_ a good security measure. I can spoof my MAC address with just ONE command :)
On Tuesday 24 May 2005 04:48 am, Jan Kohnert wrote:
> ISHIKAWA Masaru wrote:
> > DHCP does not provide static ip address.
>
> Nope.
>
> You can lease static addresses to known MAC addresses via DHCP. It surely
> makes not much sense, as you could give these IPs by hand, but OP
> probably wants to keep all network configuration on a single server.

On the contrary, that makes a LOT of sense. In fact it's the preferred way of doing statics in any reasonable size organization, or even small ones with machines that need to remain static such as printers, servers, and such. Having it in the dhcp server documents it, and allows easier setup of the device, as DHCP is the out-of-the-box default on most devices with embedded IP support.

-- 
John Andersen - NORCOM
http://www.norcomsoftware.com/
From: Jan Kohnert <nospam001-lists@jankoh.dyndns.org>
> > DHCP does not provide static ip address.
>
> Nope.
>
> You can lease static addresses to known MAC addresses via DHCP. It surely makes
> not much sense, as you could give these IPs by hand, but OP probably wants
> to keep all network configuration on a single server.

You mean "fixed address."

- Masaru
Hello ISHIKAWA Masaru,

Yes, I mean fixed address.

Best regards,

======= At 2005-05-25, 01:28:26 you wrote: =======
> From: Jan Kohnert <nospam001-lists@jankoh.dyndns.org>
> > > DHCP does not provide static ip address.
> >
> > Nope.
> >
> > You can lease static addresses to known MAC addresses via DHCP. It surely makes
> > not much sense, as you could give these IPs by hand, but OP probably wants
> > to keep all network configuration on a single server.
>
> You mean "fixed address."
>
> - Masaru

= = = = = = = = = = = = = = = = = = =
Jovanovic Srboljub
srbax@medianis.net
2005-05-25
Jovanovic,

You might want to enable a virtual interface in the server and then configure dhcp to serve two different configurations (one might serve network info to fixed-address, and the other just serves dynamic ips), then you can enable different rules depending on the net interface you define.

Regards,

Urivan Saaib
CiberLinux Networking

Srboljub Jovanovic wrote:
> I want to run dhcp and shorewall on the same computer. It is
> my gateway and that computer is doing NAT for my network. How
> can I set up shorewall to let only users that get their
> static ip address via dhcp, and not let users that have a
> static address.
ISHIKAWA,

The DHCP server can provide a static ip address based on the client's MAC... but that's out of the scope of this mailing list.

Regards,

Urivan Saaib
CiberLinux Networking

ISHIKAWA Masaru wrote:
> > I want to run dhcp and shorewall on the same computer. It is
> > my gateway and that computer is doing NAT for my network. How
> > can I set up shorewall to let only users that get their
> > static ip address via dhcp, and not let users that have a
> > static address.
>
> Running a DHCP server on the shorewall gateway:
> Have you read http://www.shorewall.com/myfiles.htm?
>
> DHCP does not provide static ip addresses.
> It provides dynamic IP addresses to the computer running the DHCP client.
> The computers that have a static address will not ask the DHCP server
> for a dynamic IP address.
>
> - Masaru