Re: ID local machines before forwarding?



Responding to Jasen Betts:

> On 2008-12-07, Mike Jones <Not@xxxxxxxxxxx> wrote:
>
>> I now have a need to make sure only certain machines on the internal
>> LAN can get forwarded out into the wild internet (through one common
>> gateway machine).
>
> surest: put the locked down machines on a different interface (get
> another network card and put them on a different subnet). write
> forwarding rules that don't include forwarding traffic from that subnet.
>
> the above has a physical barrier which will block anything software can
> attempt...


Pretty solid idea. I'd not thought of this one.

However, I have a laptop with XP and Zenwalk on it. Guess which OS I
don't want ever connecting to the internet? And guess which OS I /want/
to be able to access the internet with?

Yup. I'm trying to create some kind of filter system that I can be sure
won't let BarbieWare through, on the same hardware that might be running
an acceptable Linux OS.

It crossed my mind to create some kind of ssh handshake before the router
machine would accept traffic for forwarding, something the Linux OS could
be set up to do, but the M$ OS would naturally fail. Over ambitious?

I'm thinking about anything that could be used to be an identity key to
allow or block based on that.

[...]

>> IOW, if it's not "this machine", running "this account" on "this OS",
>> then drop (and log?).
>
> if you want to block based on the user (not the machine) you could not
> forward any IP packets from the LAN to the internet but instead require
> your clients' machines to use PPPoE through your linux box... set the
> linux box up as a PPP server...


I'll have to look into this one.

Thanks for the tips! :)

--
*===( http://www.400monkeys.com/God/
*===( http://principiadiscordia.com/
*===( http://www.zenwalk.org/
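The interface-and-subnet approach suggested above, with the "drop and log" behaviour the poster asked about, as an added example that is not from anyone in the thread. It assumes a gateway running nftables with eth0 facing the internet, eth1 as the trusted LAN port and 10.0.1.0/24 as the trusted subnet; all three are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: an nftables ruleset for the gateway box that
# forwards only new flows arriving on the trusted LAN interface from the trusted
# subnet, and logs then drops everything else. Interface names and the subnet
# are assumed placeholders; set them for your own network.
WAN=${WAN:-eth0}                          # assumed: interface facing the internet
LAN=${LAN:-eth1}                          # assumed: interface the allowed machines sit on
TRUSTED_NET=${TRUSTED_NET:-10.0.1.0/24}   # assumed: subnet of the allowed machines

# Print the ruleset text. The chain policy is drop, so anything not listed
# (including a second interface holding the locked-down machines) never crosses.
gen_ruleset() {
  cat <<EOF
flush ruleset
table inet gateway {
  chain forward {
    type filter hook forward priority 0; policy drop;
    # replies to flows the trusted side already opened
    ct state established,related accept
    # only the trusted interface AND subnet may open new flows towards the WAN
    iifname "$LAN" oifname "$WAN" ip saddr $TRUSTED_NET ct state new accept
    # record what the policy is about to drop, rate limited so one noisy
    # host cannot flood the log
    limit rate 10/second log prefix "fwd-drop: "
  }
}
EOF
}

# Write the ruleset to a file; load it into the kernel only when APPLY=1 is set
# and we are root, so the script is safe to run for inspection first.
install_ruleset() {
  out=${1:-/tmp/gateway.nft}
  gen_ruleset > "$out"
  if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" -eq 0 ]; then
    nft -f "$out"
  fi
  printf '%s\n' "$out"
}
```

Note that these rules identify a port and an address, not an operating system: the dual-boot laptop from the post presents the same hardware and can take the same address under either OS, so on shared hardware only something the user must authenticate to (the PPP server idea above) can tell the two apart.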