RE: users bypassing shaper limitation
You fail to understand. Drop traffic from any MAC/IP pair that isn't
"registered" with you, thus in your traffic shaper configuration. Keeping
track of MAC addresses and where they're supposed to be on your network in a
campus environment is pretty standard. I work on a University campus and
must notify the IT department anytime I want to add a host or move network
cards around. If I do not, they will grumble and/or disable the ethernet
ports that unknown MAC addresses appear on. In some areas (e.g. student
labs) they do that automatically so kids can't just bring their laptop in
and hop on napster at 100Mbit.
- jsw
-----Original Message-----
From: Gerard MacNeil [mailto:macneil@supercity.ns.ca]
Sent: Monday, July 02, 2001 5:39 AM
To: debian-isp@lists.debian.org
Subject: Re: users bypassing shaper limitation
On Sun, 1 Jul 2001 15:59:34 -0400, "Jeff S Wheeler" <jsw@five-elements.com>
wrote:
> I have been reading this thread and noticed no one has suggested the MAC
> address filtering capabilities in Linux 2.4's new ip tables subsystem.
There is no requirement to run 2.4.x and iptables, nor iproute2, to
accomplish the policy implementation that was specified. The administrative
policy is bandwith control over a defined set of IP addresses. That policy
is being circumvented with the current configuration by the whizkids. It is
up to the tech to implement a solution.
Beside, I'm sure I have a MAC address changer utility (or is that a feature
of iproute2) that I downloaded sometime in the past. The same whizkids
would use it and circumvent the policy based on MAC addresses with it ...
although it would be a trickier thing to accomplish. I think I have read on
some mailing list that it is quite a security issue with PPPoE and some
wireless connections.
Gerard MacNeil
System Administrator
--
To UNSUBSCRIBE, email to debian-isp-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org
Reply to: