
Re: help on masquerading



On Tue, Jun 29, 2004 at 04:01:46PM +0545, Ritesh Raj Sarraf wrote:
> On Tue, 29 Jun 2004, Kevin Mark wrote:
> 
> > On Tue, Jun 29, 2004 at 02:09:36PM +0545, Ritesh Raj Sarraf wrote:
> > > I think I've got a little confused. For example I hit the following:
> > > 
> > > iptables -P FORWARD DROP
> > > iptables -A FORWARD -s xx:xx:xx:xx -o eth0 -j MASQUERADE
> > > xx would be the hardware address.
> > > Now wouldn't he be able to change the ip and still be connected because he still has the same hardware mac address and consume more bandwidth. Note: I limit bandwidth on ip basis using rshaper.
> > > If I'm not wrong, the solution I feel is to block bandwidth on MAC address. If later the customer tries changing the ethernet card, my iptables rule won't allow packets to be forwarded. Right ?
> > > 
> > > I think I'm right now.
> > > Thanks for all helpful suggestions.
> > > 
> > > Ritesh
> > Hi Ritesh,
> > exactly which kind of security does this place have?
> > you expect people to gain administrative access to change ip settings
> > and people to open up pc to change network cards?
> > I think you either have more problems than bandwidth or you are just
> > being too paranoid.
> > -Kev
> > 
> Being a sysadmin, I think it's my duty to think upon all the possibilities. 

 Of course.

> I can't and have no right to delve into my customer's machine to see what activity he actually is doing.

 Remind me again what a sysadmin is and why you won't do this? who sets
 policies for machine use? who manages the network? who fixes/updates
 the pcs? I am not talking about reading documents or other spying, just
 monitoring user, system, and network resources.

> He has full right to do anything with his PC.

	the 'users' have the right to change settings and take apart the
	machines. This would hinder your ability to admin, and yet you
	think you can not tell your users not to do this?

> Instead I can make a policy that, "Hey Customer, I've restricted you on the basis of your ethernet's MAC addr. If you change it, you'll have to suffer downtime and pay some additional onsite support charges".

	If YOU are admin'ing, anything that interferes with your
	ability to do this is not welcome. And you should be the first
	to know about it.
	If a customer decides to change his ethernet card and download
	10 dvd's and use over your quota of bandwidth and the boss is
	charged for this, who will get blamed? the users alone, or the
	sysadmin for not monitoring it and the users for doing it or no
	one?

> Rgds,
  -kev
-- 

        (__)
        (oo)
  /------\/
 / |    ||
*  /\---/\
   ~~   ~~
...."Have you mooed today?"...
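The two rules quoted at the top of the thread give `-s` a MAC address and put MASQUERADE in the FORWARD chain; iptables accepts neither. As an added example, not code from either poster, the sh script below emits the working form: the MAC is matched with `-m mac --mac-source` in FORWARD, and the NAT rule goes in the nat table's POSTROUTING chain. It assumes clients on eth1 and the uplink on eth0, and the MAC in the test is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the thread. Per-client forwarding keyed on the
# client's MAC, with NAT done in the chain where MASQUERADE is valid.
# Assumed layout: clients on eth1, uplink on eth0 (edit for your box).
LAN_IF=eth1
WAN_IF=eth0

# A MAC is six colon-separated hex octets; the "xx:xx:xx:xx" in the
# original post is two octets short, so reject that shape outright.
valid_mac() {
    printf '%s' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Rules that do not depend on any client:
#  - FORWARD policy DROP, so a frame from an unknown MAC goes nowhere
#  - replies belonging to already-accepted flows are let back in
#  - MASQUERADE lives in the nat table's POSTROUTING chain, not FORWARD
base_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}

# One ACCEPT per known client. -s takes an IP address only; the mac match
# is what keys on the hardware address, and it works in PREROUTING, INPUT
# and FORWARD, where the frame header is still known. A MAC is a
# software-settable field, so treat this as an accounting key for the
# shaper, not as a strong access control.
client_rule() {
    valid_mac "$1" || { echo "client_rule: bad MAC '$1'" >&2; return 1; }
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -m mac --mac-source $1 -j ACCEPT"
}

# Print the full command list for the given MACs; run it for real
# (as root) with APPLY=1.
load() {
    { base_rules; for m in "$@"; do client_rule "$m" || return 1; done; } |
    while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then $cmd; else echo "$cmd"; fi
    done
}
```

Dot-source the file and call `load 00:11:22:33:44:55` (constructed MAC) to see the commands; `APPLY=1 load ...` installs them.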
