Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 14 Mar 2003 08:59:38 -0700
From:      "Wolfpaw - Dale Corse" <admin-lists@wolfpaw.net>
To:        "Dan Mahoney, System Admin" <danm@prime.gushi.org>, <questions@freebsd.org>, <isp@freebsd.org>
Subject:   RE: DNS Proxying based on source address
Message-ID:  <AJENJFOLCLAHHIIGCCHNAEFOFMAA.admin-lists@wolfpaw.net>
In-Reply-To: <20030314031614.J60636-100000@prime.gushi.org>

next in thread | previous in thread | raw e-mail | index | archive | help
> Hi all,
>
> I'm doing a project where I want users on a wireless lan to
> be routed to a
> single, wildcard A record, where they will be forced to input some
> registration information, and then allowed out into the
> real world.  Some
> nice folks at southwestern university have already written
> a project that
> does this called "NetReg" but they are requiring a reboot
> of the client
> machine and changes to the DHCP lease file.  (which will be
> stopped and
> started while the client reboots)
>
> (re:any potentia lecture on wi-fi security, I know there's
> risks that can
> be done with mac-spoofing, but let's assume I'm aware of
> them).  Let's
> also make sure we know this is in the dealer's room at a
> convention where
> you have a lot of pissed off dealers who can't sell their
> stuff to a lot
> of people if this doesn't work, so it's in everyone's best
> interest not to
> tamper with it.  Let's even assume I'm bringing a 24 port
> switch just in
> case something stupid DOES happen.  Back to our story...)
>
> My solution is a bit more elegant, I think, but I'm stuck
> on one part.
>
> Upon bootup, a person is given a DNS server on the local
> net.  The DNS
> server is configured with a single wildcard record that
> returns the reg
> server for any address.  everything else is blocked by the
> default ipfw
> rule.
>
> If they feel like trying to go to a site by ip, then they
> run into the
> issue I'm having.
>
> As far as they know, trying to reach anywhere will yield
> nothing, because
> unassigned addresses will be firewalled from all but the
> netreg server.
> (I'm running this on a gateway machine).  They can access
> the registration
> page on the netreg machine, and once they register, the
> ipfw rules for
> their machine are added, and a static mac-based lease for
> the ip they were
> assigned is added in dhcpd.conf (which receives periodic
> reboots, every 30
> minutes or so, instead of every minute with the netreg solution).
>
> I'm going to have the netreg server add a rule like so:
>
> ipfw add 100 fwd 192.168.1.2,53 any from <theirip> to
> <192.168.1.1:53>
>
> .1 and .2 are ips on the same interface (the one internal
> to the LAN).
> Since these are on the local machine, the .2 dns server
> will still see the
> original address, and will reply directly.  This will cause them to
> magically now receive "normal" DNS replies, instead of the
> "bogus" ones.
>
> At least in theory.
>
> **Now here's the issue.**
>
> Assuming I can get all this to work, if bob's windows pc
> sends a request
> to 192.168.1.1, and 192.168.1.2 answers, will the machine
> ignore it?  If
> so, how do I rewrite the source address on the outbound
> reply packets?
>
> The same thing goes with http traffic.  I'd love to thwart
> anyone trying
> to access a site via IP in teh same manner, but if they try to go to
> http://google's.ip.address, will their machine pay any
> attention if a
> reply comes back from my local http server on 192.168.1.1?
>
> I know in a corporate lan scenario where you have a
> webserver with an
> internal ip and an external ip, you run two different dns
> servers on two
> different interfaces.  I guess what I need is a DNS server
> that will proxy
> requests to either of two other DNS servers based on the
> machine making
> the query.
>
> **big question**
>
> Would adding a second address to the loopback device to the
> system (and
> only having the rules fwd to those addresses) solve the
> source-ip dilemma?
> (at least for the DNS, for the http the machine is still
> expecting a reply
> from some ip that is blocked).  Is there any way you all
> can think of to
> have the server return a page when the user tries to access
> a site via IP
> (ala a transparent proxy).
>
> Any ideas, guys?
>
> I know this may be too complicated for the
> freebsd-questions list.  I'm
> corssposting this to isp- for that reason.

I setup a wireless ISP once, and what we did was used IPFW to block
any IP that wasn't
assigned to a customer, which also means, their assignment was static.

This has a few benefits:

A) Customers love static IP's.. or any geeky ones anyway :)
B) No security issues
C) There is no way around it.. if your IP isn't allowed to go out..
your screwed.

Not as elegant as DHCP, and a bit more to maintain, but not really all
that bad if you
wrote a few php scripts :)

Just my 2 cents :)
Dale
--------------------------------
Dale Corse
System Administrator
Wolfpaw Services Inc.
http://www.wolfpaw.net
(780) 474-4095



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?AJENJFOLCLAHHIIGCCHNAEFOFMAA.admin-lists>