From: "Wolfpaw - Dale Corse"
To: "Dan Mahoney, System Admin", freebsd-isp@freebsd.org
Subject: RE: DNS Proxying based on source address
Date: Fri, 14 Mar 2003 08:59:38 -0700
In-Reply-To: <20030314031614.J60636-100000@prime.gushi.org>

> Hi all,
>
> I'm doing a project where I want users on a wireless lan to be routed to a
> single, wildcard A record, where they will be forced to input some
> registration information, and then allowed out into the real world. Some
> nice folks at southwestern university have already written a project that
> does this called "NetReg" but they are requiring a reboot of the client
> machine and changes to the DHCP lease file. (which will be stopped and
> started while the client reboots)
>
> (re: any potential lecture on wi-fi security, I know there's risks that can
> be done with mac-spoofing, but let's assume I'm aware of them). Let's
> also make sure we know this is in the dealer's room at a convention where
> you have a lot of pissed off dealers who can't sell their stuff to a lot
> of people if this doesn't work, so it's in everyone's best interest not to
> tamper with it. Let's even assume I'm bringing a 24 port switch just in
> case something stupid DOES happen. Back to our story...)
>
> My solution is a bit more elegant, I think, but I'm stuck on one part.
>
> Upon bootup, a person is given a DNS server on the local net. The DNS
> server is configured with a single wildcard record that returns the reg
> server for any address. Everything else is blocked by the default ipfw
> rule.
>
> If they feel like trying to go to a site by ip, then they run into the
> issue I'm having.
>
> As far as they know, trying to reach anywhere will yield nothing, because
> unassigned addresses will be firewalled from all but the netreg server.
> (I'm running this on a gateway machine). They can access the registration
> page on the netreg machine, and once they register, the ipfw rules for
> their machine are added, and a static mac-based lease for the ip they were
> assigned is added in dhcpd.conf (which receives periodic reboots, every 30
> minutes or so, instead of every minute with the netreg solution).
>
> I'm going to have the netreg server add a rule like so:
>
> ipfw add 100 fwd 192.168.1.2,53 any from to <192.168.1.1:53>
>
> .1 and .2 are ips on the same interface (the one internal to the LAN).
> Since these are on the local machine, the .2 dns server will still see the
> original address, and will reply directly. This will cause them to
> magically now receive "normal" DNS replies, instead of the "bogus" ones.
>
> At least in theory.
>
> **Now here's the issue.**
>
> Assuming I can get all this to work, if bob's windows pc sends a request
> to 192.168.1.1, and 192.168.1.2 answers, will the machine ignore it? If
> so, how do I rewrite the source address on the outbound reply packets?
>
> The same thing goes with http traffic. I'd love to thwart anyone trying
> to access a site via IP in the same manner, but if they try to go to
> http://google's.ip.address, will their machine pay any attention if a
> reply comes back from my local http server on 192.168.1.1?
>
> I know in a corporate lan scenario where you have a webserver with an
> internal ip and an external ip, you run two different dns servers on two
> different interfaces. I guess what I need is a DNS server that will proxy
> requests to either of two other DNS servers based on the machine making
> the query.
>
> **big question**
>
> Would adding a second address to the loopback device to the system (and
> only having the rules fwd to those addresses) solve the source-ip dilemma?
> (at least for the DNS, for the http the machine is still expecting a reply
> from some ip that is blocked). Is there any way you all can think of to
> have the server return a page when the user tries to access a site via IP
> (ala a transparent proxy).
>
> Any ideas, guys?
>
> I know this may be too complicated for the freebsd-questions list. I'm
> crossposting this to isp- for that reason.

I set up a wireless ISP once, and what we did was use IPFW to block any IP
that wasn't assigned to a customer, which also means their assignment was
static. This has a few benefits:

A) Customers love static IPs.. or any geeky ones anyway :)
B) No security issues
C) There is no way around it.. if your IP isn't allowed to go out.. you're
   screwed.

Not as elegant as DHCP, and a bit more to maintain, but not really all that
bad if you wrote a few php scripts :)

Just my 2 cents :)

Dale
--------------------------------
Dale Corse
System Administrator
Wolfpaw Services Inc.
http://www.wolfpaw.net
(780) 474-4095
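Neither message includes an actual rule set, so the following is an added example (not code from Dan, Dale or the list) of the kind of ipfw rule script both approaches imply: a default-deny inside interface where only registered (or, in Dale's variant, statically assigned) client addresses may pass, everyone may reach the registration DNS and web server on 192.168.1.1, and a registered client's queries to .1 are forwarded to the real resolver on .2 with Dan's fwd rule, the client address filled in. It reuses the thread's two addresses and assumes a wireless-facing interface named wi0, arbitrary rule numbers and two constructed client addresses. The point worth checking in any such rule set is ordering: ipfw is first-match, so the per-client fwd rule must come before the general allow to 192.168.1.1 port 53, otherwise a registered client keeps receiving the wildcard answers. Whether a client that queried .1 accepts a reply from .2 is exactly Dan's open question, and this script does not settle it; both variants are allowlists keyed on the source address, so they inherit the spoofing caveat Dan already mentions.

```shell
#!/bin/sh
# Added example, not code from either poster. Prints an ipfw rule script for
# the registration gateway described in the thread; it never runs ipfw, so
# the output can be reviewed first and then applied with: ... | sh
# Interface name, rule numbers and sample client addresses are assumptions.

INSIDE_IF="${INSIDE_IF:-wi0}"   # wireless-facing interface (assumed name)
REG_DNS=192.168.1.1             # wildcard DNS + registration web server (from the thread)
REAL_DNS=192.168.1.2            # resolver that returns real answers (from the thread)

# gen_portal_rules "ip ip ..." prints one "ipfw add" command per line.
gen_portal_rules() {
    n=1000
    for ip in $1; do
        # Per-client rules come first: ipfw is first-match, so the fwd must
        # be seen before the general "allow udp ... to $REG_DNS 53" below,
        # otherwise a registered client would still get the wildcard answers.
        echo "ipfw add $n fwd $REAL_DNS,53 udp from $ip to $REG_DNS 53 via $INSIDE_IF"
        echo "ipfw add $((n + 1)) allow ip from $ip to any"
        echo "ipfw add $((n + 2)) allow ip from any to $ip"
        n=$((n + 10))   # 10 numbers per client keeps them below rule 50000
    done
    # Unregistered clients may only talk to the registration server on .1.
    echo "ipfw add 50000 allow udp from any to $REG_DNS 53 via $INSIDE_IF"
    echo "ipfw add 50010 allow tcp from any to $REG_DNS 80 via $INSIDE_IF"
    # Everything else arriving on or leaving via the inside interface is dropped.
    echo "ipfw add 60000 deny ip from any to any via $INSIDE_IF"
}

# is_registered IP "ip ip ..." succeeds when IP is already in the list; a
# registration CGI would call this before adding a client's rules a second time.
is_registered() {
    for r in $2; do
        [ "$r" = "$1" ] && return 0
    done
    return 1
}

# Constructed sample: two registered clients.
REGISTERED="192.168.1.50 192.168.1.51"
gen_portal_rules "$REGISTERED"
```

Run stand-alone it prints nine `ipfw add` lines: three per registered client, the two portal allows, and the final deny. Regenerating the whole set from the registration database and re-applying it, rather than adding rules ad hoc, keeps the live rule set and the database in step.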