Re: I want to have my cake and eat it too
On Thu, 2003-04-03 at 04:05, Ian Johnstone wrote:
> I wasn't seeking total security for my network from visitors, whom I'm
> willing to assume are benign.
Well, I don't know about your deployment, but I am kind of paranoid when
it comes to network security, just imagine the worst case (loss of data,
leaking of confidential data) and ask yourself if you can live with it
and who would be responsible ..
> I find it interesting that there isn't a secure solution to my problem, its
> seems a common enough requirement.
There is a secure solution, it is called IPSec, a gpl'd implementation
is available at http://www.freeswan.org, but it would involve a lot of
work since you had to set up the trusted virtual net at every trusted
You can't use the same physical network and hide some parts of it from
your visitors without some kind of encryption/authentication. There is
no guaranteed way with plain ipv4 over ethernet that I am aware of to
seperate a bad client from a good one.
You can check for MAC addresses as Jonathan suggests if that is
sufficent for you and block packets on the firewall of course, I use to
iptables -N check_mac
iptables -A check_mac -m mac --mac-source 01:23:45:67:89:AB -j RETURN
iptables -A check_mac -s 192.168.0.12 -j DROP
iptables -A check_mac -j RETURN
iptables -t filter -A INPUT -j check_mac
that ensures, that every packet from 192.168.0.12 passing the INPUT
chain is from an NIC with the above MAC address, but it doesn't ensure
that it is actually the client I expect ..