As a matter of fact, I DO know what NAT is. As a thesis I implemented NIProxy (network intelligence), which is a network traffic shaping device. So please stop saying I don't know what NAT is.

If I have a router with DHCP range 192.168.0.1/24, and then I add an OpenBSD box with 2 interfaces, the first 192.168.0.2, the second (as DHCP) 192.168.1.1/24, then I need to use NAT for all clients which have a 192.168.1.1/24 IP. Otherwise the first router will get packets from 192.168.1.1/24 which should come from 192.168.0.2! And blocking p2p/torrent is not that hard. I'll take your bet: rapidshare is (currently) the only problem here.

PS: it's not the government here. I take it there are no hackers, nor do the students have the interest/time to do this stuff. Without any knowledge of computers you just can't start "hacking" or cracking or whatever. I used to try it when I didn't study ICT yet. But OK, I take it you are critical, and I thank you for it; it's the best way. So if this won't work, what do you suggest?

As jggimi and others have said, you're trying to solve a policy problem with technical means.

This is not a technical issue: inform the students/faculty that 'rapidshare' is not permitted on your network. Instead of silently blocking traffic you don't approve of (which is inherently impossible), tell them the rules. You're opening a door to the world; turning it into a window will not stop people from trying to go outside. Hope that helps.

Quote:
I'm just sick of the lack of internet..

I appreciate your reply, but IMO you can compare it to asking anyone not to steal, commit crime, etc. and counting on it.

Something doesn't quite add up, when I put:
Quote:

Since nothing I have told you is acceptable, or apparently applicable to your environment, then by all means, do whatever you wish. It is your network, and, when you break it, you get to keep the pieces.

Yes, if you have one Internet connection with a single public IP address, you need NAT to give those sixty people internet access.

How is the network infrastructure now?

RE: Hasselt. My nephew studied there. Hasselt is not that far from where I live, Budel, only 1 km from Hamont.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

Make it crystal clear that they will have their network privileges taken away, or even better, say they could even get kicked out of school. This is really a test of wits: are you (or the institute you work for) willing to follow through with punishing those who violate network rules? Have these students sign something, making them aware of the rules and repercussions. If this is a wireless network, is there any sort of verification that they are even enrolled students? Maybe this is a network security problem. Good luck.

I am new to OpenBSD, but I am familiar with the terminology of networking.

I surely accept everything you (jggimi) say, and I respect and confide in your opinion since your knowledge/experience >>> mine. I just think we are having a miscommunication. Furthermore, I don't understand the difference between the 2 situations you described. There is no difference in OpenBSD acting as 2nd router and being on the same physical network; it's both.

http://student.uhasselt.be/~0421625/toplogy.png -> this is the infrastructure. OpenBSD is DHCP and DNS here. So I think I need NAT on OpenBSD too?

PS: since the modem/router is provided by the ISP, I can't access it. Only through PuTTY telnet, but I don't have a username/password.

@bsdfan666: I am not really in a position to 'punish' anyone because I am a student too; I am neither owner nor manager.

NAT is already functioning on your external facing router. All of your RFC 1918 addresses are already using NAT, therefore. An additional NAT address consolidation adds no value.

Yes, we are having communication difficulties, though your English is probably better than mine, and I am a native speaker.

So then the 1st router/modem will receive packets with ip.src = 192.168.1.x while its range is 192.168.0.1/24. I expected this to fail.

Well then, you can either have belgacom.be or skynet.be add that routing table entry to the router, or give you local control so you can do it yourself.

Failing that 10 minute telephone conversation with their support staff (+32 2 202-4111), you can implement a second layer of NAT, which will introduce additional complexity for management, diagnostics, and administration.

I'm now going to configure the OpenBSD.

I didn't activate DNS nor DHCP. So I have 2 interfaces, hostname.if0 and hostname.if1, and now I am wondering what IPs they need to be set to. Can I enter a static IP? if0 is connected to the router, so I would enter "dhcp NONE NONE NONE" in hostname.if0. Is this correct? Or do I need to put 'inet ...' in it too? Second, what IP can if1 have? Is it the same range? Do I need to make it static? I don't know what to put in it, and the manuals/guide/FAQ are unclear about it IMO.

Your post also references hostname.if0 & hostname.if1. This is incorrect; however, you will find this in the documentation where "if" is used as a placeholder. Unlike Linux, which identifies each Ethernet interface as "eth0", "eth1", etc., the *BSD family uses the specific driver used for the installed NIC. For example, in a Thinkpad laptop I use, the driver installed by the kernel is bge(4). This means that I have the following when setting up DHCP on this particular interface:

$ cat /etc/hostname.bge0
dhcp

You will find what drivers are used in your system by studying the output of dmesg(8).

http://en.wikipedia.org/wiki/Subnetwork

However, note that understanding the topic well takes more than a five minute scan.

The reason the external interface is set for a dynamic address is because this is the option your ISP is providing. You might be able to get a static IP address from your ISP, but typically static IP addresses mean higher monthly fees. Most likely, you will want to use private addresses on your internal network as defined by RFC 1918: http://www.faqs.org/rfcs/rfc1918.html

If you are unfamiliar with private addressing, read the following in Wikipedia: http://en.wikipedia.org/wiki/Private_network

Thx for the quick reply.

I just used if0 and if1 as references; I know about the names. Sorry for the misunderstanding. First, I didn't want to activate the DHCP service, though as you say, internal PCs need to set it as their default gateway. Since I don't have access to my modem, I can't change it; this is why I need to have if1 (internal) act as DHCP and use NAT (since I can't access the modem to adjust the routing tables).

IMO, to do:
if0 (interface to modem): I have to make the IP static because of NAT from if1 to if0
if1 (interface to internal network): I have to make the IP static (192.168.1.1) and enable DHCP to set it as default gateway
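The setup in that to-do list, written out as an added example (this is not configuration from the thread or from any of its posters): an OpenBSD box with one interface towards the ISP's router and one towards the lab, NATing 192.168.1.0/24 out of the first and handing out leases on the second. The driver names em0/em1, the 192.168.1.100-200 lease range and the choice to point the clients at the box for DNS are assumptions; use the driver names dmesg shows for your NICs. One difference from the to-do above: the outside interface can stay on DHCP, because pf's `($ext_if)` form reads the interface address at packet time, so NAT does not need a static outside address.

```shell
#!/bin/sh
# Added example, not from the thread: write the config files for an OpenBSD
# box acting as a second NAT router behind an ISP router that cannot be changed.
# Assumptions: em0 faces the ISP router (gets 192.168.0.x by DHCP), em1 faces
# the lab (192.168.1.0/24). ROOT defaults to a scratch directory so this can be
# dry-run anywhere; run with ROOT=/ on the OpenBSD box to write the real files.
set -eu
ROOT="${ROOT:-$(mktemp -d)}"
EXT_IF="${EXT_IF:-em0}"
INT_IF="${INT_IF:-em1}"
INT_ADDR="192.168.1.1"
INT_MASK="255.255.255.0"

write_configs() {
    mkdir -p "$ROOT/etc"

    # Outside: take whatever the ISP router's DHCP hands out.
    printf 'dhcp\n' > "$ROOT/etc/hostname.$EXT_IF"

    # Inside: static address, which dhcpd below announces as the default gateway.
    printf 'inet %s %s\n' "$INT_ADDR" "$INT_MASK" > "$ROOT/etc/hostname.$INT_IF"

    # Without IP forwarding the box does not route at all; NAT alone is not enough.
    printf 'net.inet.ip.forwarding=1\n' > "$ROOT/etc/sysctl.conf"

    # pf variables are escaped so they reach pf.conf literally; shell variables expand.
    cat > "$ROOT/etc/pf.conf" <<EOF
ext_if = "$EXT_IF"
int_if = "$INT_IF"
set skip on lo0
block all

# Rewrite the source of everything leaving \$ext_if to \$ext_if's own address, so
# the ISP router only ever sees 192.168.0.x packets and never 192.168.1.x ones.
# OpenBSD 4.6 and earlier spelled this:  nat on \$ext_if from \$int_if:network to any -> (\$ext_if)
match out on \$ext_if from \$int_if:network to any nat-to (\$ext_if)

pass in on \$int_if from \$int_if:network
pass out on \$ext_if
# Let the lease from the ISP router's DHCP server reach this box.
pass in on \$ext_if proto udp from port bootps to port bootpc
EOF

    # Leases for the lab; the box is assumed to run a resolver for the clients.
    cat > "$ROOT/etc/dhcpd.conf" <<EOF
subnet 192.168.1.0 netmask $INT_MASK {
        option routers $INT_ADDR;
        option domain-name-servers $INT_ADDR;
        range 192.168.1.100 192.168.1.200;
}
EOF
    echo "configs written under $ROOT/etc"
}

# Parse-only check of the ruleset when pfctl exists (i.e. on the OpenBSD box);
# -n never loads the rules, so this is safe against a live firewall.
check_pf() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$ROOT/etc/pf.conf"
    fi
}

write_configs
check_pf
```

Once the files are in /etc on the box: sysctl net.inet.ip.forwarding=1, sh /etc/netstart, pfctl -f /etc/pf.conf, and start dhcpd bound to the inside interface (rcctl enable dhcpd; rcctl set dhcpd flags em1 on current releases; dhcpd_flags=em1 in /etc/rc.conf.local on releases of the thread's vintage). The caveat raised earlier in the thread still applies: this is a second NAT layer behind the ISP router. It is fine for the outbound web traffic the lab wants, but anything inbound now has to be forwarded through both boxes, and diagnosing a problem means reading state on two NAT devices.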
I'm late like the White Rabbit, but here is a new choice.

I am surprised that nobody suggested the solution that I use to do loads of DNS spoofing for other reasons, e.g. adblocking, malicious sites etc.

There is an OpenBSD package called dsniff which contains a program called dnsspoof. That intercepts any attempt to contact any DNS (on or beyond the firewall) and returns 127.0.0.1 (or whatever you choose) for any request that matches a rule in its conf file. Other requests pass unhindered. The conf file allows wildcards, which is great, but you can unwittingly do silly things like blocking ad*, which will mean you can't get to adsl.com. It is just so easy to get and to use that I'm amazed at how little it is used.

Joostvgh would have the same topology issues (routing/NAT) and easy circumventions (tunneling of DNS, private lookups, etc.). It is, in effect, merely replacing a DNS server with a server that acts like one.

But it -seems- it would be easier to adapt to the entire domain and changes within the domain as they occur than PF's more limited DNS resolution only at rule-load.

Last edited by jggimi; 15th January 2010 at 04:46 AM.

Quote:
want is by forcing users to use your proxy server and then filtering content or in this case specific web-site by configuring proxy server.

Thx for the tips. System is up and running now!

dsniff does exactly what I was looking for. Thx everyone for the help!