Hello Eric, you wrote

> I'm setting up LEAF (Bering uClibc 2.0) for a new condo with
> in-the-wall ethernet and lots of tech-savvy visitors some of whom run
> virus hosts from Redmond. I want visitors to be able to plug their
> laptops into any jack in the wall, including jacks that may be used by
> members of the household. But I don't want to allow them the same
> privileges as "known" hosts, esp. access to other hosts on the LAN.

The problem you are describing isn't a special Bering problem.
You can certainly have two different subnets on one "physical LAN".
You can give dynamic addresses with DHCP that are in one subnet for all "unknown MACs" and give addresses in another net for known MACs, or use static IPs in the "trusted net".

1. The problem, however, is that if someone wants to be evil, he can just change the address or use tools to "eavesdrop" on the LAN. Now he has the possibility to imitate a MAC in the known network, if your services are "MAC" dependent.

2. Whether a strange machine on the LAN has access to one of the "trusted hosts" also depends on the configuration of the desktop host itself, and less on the "router".

So you have to make it impossible to read the dataflow on the LAN. One way I could imagine is to encrypt all the traffic on this LAN with

"trusted desktop" --- encrypted tunnel --- "router" .....> internet or other trusted host on the LAN.

Whether this is doable depends on the number of "trusted desktops", their OS, and might involve some kind of routing on the Soekris box.

Regards
Eric Wolzak (fan of crosswords and Palm OS ;) )
Bering Crew

>
> Basically, I want to offer DHCP leases on eth1, and if the MAC address
> is unknown to put it in an effective dmz that's only allowed access to
> the WAN via eth0. This would be trivial to do if I had an eth2, but
> there's only one jack at each location so I can't just add a new NIC.
>
> I'd also like to refuse connections to static IP addresses that happen
> to be in the right range so that folks have to go through dhcp.
>
> Is this possible using Bering? Any suggestions where to start reading
> on how to set it up? The hardware in this case is a Soekris box (boot
> medium is a CF card), so I'm not limited to a floppy-based distro; but
> I use Bering everywhere else and want to keep things compatible.
>
> Thanks,
>
> --Eric House
> --
> ******************************************************************************
> * From the desktop of: Eric House, [EMAIL PROTECTED] *
> * Crosswords 4.0 for PalmOS is out!: <http://www.peak.org/~fixin/xwords> *
> ******************************************************************************

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
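
Added example, not part of the original thread and not Bering's own configuration: the two-subnets-on-one-LAN DHCP split described in the reply, written in ISC dhcpd syntax. The choice of DHCP server, the network name, all addresses and the MAC addresses are assumptions made for illustration.

```conf
# dhcpd.conf sketch (ISC dhcpd syntax is an assumption; the thread names no DHCP server).
# All addresses, host names and MAC addresses below are constructed placeholders.
# eth1 must carry an address in both subnets, e.g. 192.168.1.254 and 192.168.2.254.

authoritative;
default-lease-time 3600;
max-lease-time 7200;

# Both subnets share the single physical LAN behind eth1.
shared-network condo-lan {

    # Trusted net: only clients with a host declaration may lease here.
    subnet 192.168.1.0 netmask 255.255.255.0 {
        option routers 192.168.1.254;
        option domain-name-servers 192.168.1.254;
        pool {
            range 192.168.1.10 192.168.1.99;
            deny unknown-clients;
        }
    }

    # Visitor net: any MAC without a host declaration lands here.
    subnet 192.168.2.0 netmask 255.255.255.0 {
        option routers 192.168.2.254;
        option domain-name-servers 192.168.2.254;
        default-lease-time 600;
        pool {
            range 192.168.2.10 192.168.2.199;
            allow unknown-clients;
        }
    }
}

# A host declaration is what makes a client "known".
host household-desktop { hardware ethernet 02:00:00:00:00:01; }
host household-laptop  { hardware ethernet 02:00:00:00:00:02; }

# Limits (both raised in the reply above):
# - a visitor who copies a known MAC gets a trusted lease;
# - a visitor who sets a static 192.168.1.x address bypasses DHCP entirely,
#   so the router still needs forwarding rules for 192.168.2.0/24 (WAN only)
#   and the trusted hosts need their own host firewalls.
```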