Firewall Wizards mailing list archives

Re: Blocking MSN (and any other service for that matter)


From: Carric Dooley <carric () com2usa com>
Date: Fri, 23 Apr 2004 00:32:42 -0400 (EDT)

On Thu, 22 Apr 2004, Chuck Vose wrote:

> # table IM not permitted
> table <NoIM> { 192.168.1.210 192.168.1.211 192.168.1.212 192.168.1.213
> 192.168.1.214 192.168.1.215 192.168.1.216 192.168.1.217 192.168.1.218
> 192.168.1.219 192.168.1.220 192.168.1.221 192.168.1.222 192.168.1.223
> 192.168.1.224 192.168.1.225 }
> 
> I wonder if there isn't a better way to do this. Seems like every time
> you add an intern or lose one you have to adjust this table unless
> they're using the same MAC address. What if they bring in a laptop?
> 
> The method my school uses is to allow all people access to a subnet of
> wounded IPs; these can't do anything interesting other than contact the
> registration HTTP server. Once registered, it gives the computer a
> permanent IP and writes their info in a file so that the firewall can
> decide what to allow through.
> 
> Instead:
> table <NoIM> { hash:/var/dhcp-intern-hosts }
> 
> Or whatever the equivalent is. Would this be feasible / useful in this
> case?

Ahh.. this makes me think of 802.1Q. I have not seen it actually deployed
anywhere, however... Authentication-based virtual VLANs would fit nicely
here.


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


-- 
Carric Dooley
COM2:Interactive Media
http://www.com2usa.com
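The file-backed table Chuck sketches above, worked through as an added example for this archive page (it is not code from either poster). It assumes a registration server that writes one record per host in the form `<ip> <mac> <username> <group>`, a group name of `intern`, and the paths `/etc/pf/noim.hosts` and the temporary files it creates; the `block` rule is illustrative, since the thread shows only the table. PF's real syntax for the `hash:/path` idea is `table <NoIM> persist file "..."`, and `pfctl -t NoIM -T replace` / `-T add` change the live table without reloading the ruleset.

```shell
#!/bin/sh
# Added example for this archive page (not code from either poster):
# keep the PF <NoIM> table in sync with a registration file, so the policy
# follows registered hosts instead of a hand-edited address list.
#
# Hand-maintained table as quoted in the thread (brittle: edited per intern):
#   table <NoIM> { 192.168.1.210 192.168.1.211 192.168.1.212 }
#
# File-backed form, which is PF's syntax for the "hash:/path" idea above.
# The block rule is illustrative (the thread does not show one); 1863 is
# the TCP port the MSN Messenger notification server listened on.
#   table <NoIM> persist file "/etc/pf/noim.hosts"
#   block out quick on $ext_if proto tcp from <NoIM> to any port 1863
#
# After the file changes, the table is reloaded without touching the ruleset:
#   pfctl -t NoIM -T replace -f /etc/pf/noim.hosts

set -u

# Paths and record format are assumptions for this example.
WORK="${WORK:-$(mktemp -d)}"
REG_FILE="$WORK/registrations.txt"   # written by the registration server
TABLE_FILE="$WORK/noim.hosts"        # what PF's "persist file" points at
LIVE="${LIVE:-0}"                    # 1 = actually call pfctl, 0 = print it

# Constructed sample registration records (not real data):
#   <ip> <mac> <username> <group>
# Includes a duplicate and a malformed address to show they are handled.
cat > "$REG_FILE" <<'EOF'
192.168.1.210 00:11:22:33:44:01 intern-a intern
192.168.1.211 00:11:22:33:44:02 intern-b intern
192.168.1.50  00:11:22:33:44:03 admin    staff
192.168.1.211 00:11:22:33:44:02 intern-b intern
999.1.1.1     00:11:22:33:44:04 bogus    intern
EOF

# Accept only four dotted-decimal octets in 0-255. Anything else (a CIDR
# such as 0.0.0.0/0, a hostname, a blank field) is rejected, so a bad
# record cannot turn the table into a match-everything entry.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# Run pfctl only on the firewall itself; elsewhere print what would run.
pf_cmd() {
    if [ "$LIVE" = 1 ] && command -v pfctl >/dev/null 2>&1; then
        pfctl "$@"
    else
        echo "pfctl $*"
    fi
}

# Rebuild the table file from every "intern" registration, deduplicated.
# Prints the number of addresses written.
build_noim_table() {
    : > "$TABLE_FILE"
    while read -r ip _mac _user group; do
        [ "$group" = "intern" ] || continue
        if ! is_ipv4 "$ip"; then
            echo "skipping malformed address: $ip" >&2
            continue
        fi
        grep -qxF "$ip" "$TABLE_FILE" || echo "$ip" >> "$TABLE_FILE"
    done < "$REG_FILE"
    wc -l < "$TABLE_FILE" | tr -d ' '
}

# Push the whole file into the live table (atomic replace, no ruleset reload).
load_noim_table() {
    pf_cmd -t NoIM -T replace -f "$TABLE_FILE"
}

# Hook for the registration server: add one newly registered intern host to
# both the file and the running table. Returns 1 for a malformed address.
register_host() {
    is_ipv4 "$1" || return 1
    grep -qxF "$1" "$TABLE_FILE" || echo "$1" >> "$TABLE_FILE"
    pf_cmd -t NoIM -T add "$1"
}

# Stand-alone run: build, load, then simulate one new registration.
echo "hosts in <NoIM>: $(build_noim_table)"
load_noim_table
register_host 192.168.1.226
cat "$TABLE_FILE"
```

Two caveats worth keeping in mind with this approach. The table is keyed by address, not by person: if the registration step does not also pin the lease (a reservation or the "permanent IP" Chuck's school hands out), a DHCP renewal can move the policy to whichever host inherits the address. And the validation in `is_ipv4` matters because PF tables accept prefixes, so one corrupt record containing a CIDR would otherwise widen the match to far more than the interns' machines. A laptop that never registers simply stays in the wounded subnet, which is the default-deny case the registration design relies on.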




Current thread: