Date: Fri, 14 Mar 2003 08:59:38 -0700 From: "Wolfpaw - Dale Corse" <admin-lists@wolfpaw.net> To: "Dan Mahoney, System Admin" <danm@prime.gushi.org>, <questions@freebsd.org>, <isp@freebsd.org> Subject: RE: DNS Proxying based on source address Message-ID: <AJENJFOLCLAHHIIGCCHNAEFOFMAA.admin-lists@wolfpaw.net> In-Reply-To: <20030314031614.J60636-100000@prime.gushi.org>
next in thread | previous in thread | raw e-mail | index | archive | help
> Hi all, > > I'm doing a project where I want users on a wireless lan to > be routed to a > single, wildcard A record, where they will be forced to input some > registration information, and then allowed out into the > real world. Some > nice folks at southwestern university have already written > a project that > does this called "NetReg" but they are requiring a reboot > of the client > machine and changes to the DHCP lease file. (which will be > stopped and > started while the client reboots) > > (re:any potentia lecture on wi-fi security, I know there's > risks that can > be done with mac-spoofing, but let's assume I'm aware of > them). Let's > also make sure we know this is in the dealer's room at a > convention where > you have a lot of pissed off dealers who can't sell their > stuff to a lot > of people if this doesn't work, so it's in everyone's best > interest not to > tamper with it. Let's even assume I'm bringing a 24 port > switch just in > case something stupid DOES happen. Back to our story...) > > My solution is a bit more elegant, I think, but I'm stuck > on one part. > > Upon bootup, a person is given a DNS server on the local > net. The DNS > server is configured with a single wildcard record that > returns the reg > server for any address. everything else is blocked by the > default ipfw > rule. > > If they feel like trying to go to a site by ip, then they > run into the > issue I'm having. > > As far as they know, trying to reach anywhere will yield > nothing, because > unassigned addresses will be firewalled from all but the > netreg server. > (I'm running this on a gateway machine). They can access > the registration > page on the netreg machine, and once they register, the > ipfw rules for > their machine are added, and a static mac-based lease for > the ip they were > assigned is added in dhcpd.conf (which receives periodic > reboots, every 30 > minutes or so, instead of every minute with the netreg solution). > > I'm going to have the netreg server add a rule like so: > > ipfw add 100 fwd 192.168.1.2,53 any from <theirip> to > <192.168.1.1:53> > > .1 and .2 are ips on the same interface (the one internal > to the LAN). > Since these are on the local machine, the .2 dns server > will still see the > original address, and will reply directly. This will cause them to > magically now receive "normal" DNS replies, instead of the > "bogus" ones. > > At least in theory. > > **Now here's the issue.** > > Assuming I can get all this to work, if bob's windows pc > sends a request > to 192.168.1.1, and 192.168.1.2 answers, will the machine > ignore it? If > so, how do I rewrite the source address on the outbound > reply packets? > > The same thing goes with http traffic. I'd love to thwart > anyone trying > to access a site via IP in teh same manner, but if they try to go to > http://google's.ip.address, will their machine pay any > attention if a > reply comes back from my local http server on 192.168.1.1? > > I know in a corporate lan scenario where you have a > webserver with an > internal ip and an external ip, you run two different dns > servers on two > different interfaces. I guess what I need is a DNS server > that will proxy > requests to either of two other DNS servers based on the > machine making > the query. > > **big question** > > Would adding a second address to the loopback device to the > system (and > only having the rules fwd to those addresses) solve the > source-ip dilemma? > (at least for the DNS, for the http the machine is still > expecting a reply > from some ip that is blocked). Is there any way you all > can think of to > have the server return a page when the user tries to access > a site via IP > (ala a transparent proxy). > > Any ideas, guys? > > I know this may be too complicated for the > freebsd-questions list. I'm > corssposting this to isp- for that reason. I setup a wireless ISP once, and what we did was used IPFW to block any IP that wasn't assigned to a customer, which also means, their assignment was static. This has a few benefits: A) Customers love static IP's.. or any geeky ones anyway :) B) No security issues C) There is no way around it.. if your IP isn't allowed to go out.. your screwed. Not as elegant as DHCP, and a bit more to maintain, but not really all that bad if you wrote a few php scripts :) Just my 2 cents :) Dale -------------------------------- Dale Corse System Administrator Wolfpaw Services Inc. http://www.wolfpaw.net (780) 474-4095 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?AJENJFOLCLAHHIIGCCHNAEFOFMAA.admin-lists>