From: Matthew Seaman
To: Ted Mittelstaedt
Cc: "freebsd-questions@FreeBSD.ORG"
Date: Tue, 28 Sep 2004 08:51:57 +0100
Subject: Re: IP address conflicts
Message-ID: <20040928075157.GA76460@happy-idiot-talk.infracaninophile.co.uk>

On Mon, Sep 27, 2004 at 08:20:42PM -0700, Ted Mittelstaedt wrote:
>
>
> > -----Original Message-----
> > From: owner-freebsd-questions@freebsd.org
> > [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Matthew Seaman
> > Sent: Monday, September 27, 2004 2:22 AM
> > To: Tim Aslat
> > Cc: freebsd-questions@FreeBSD.ORG
> > Subject: Re: IP address conflicts
> >
> >
> > On Mon, Sep 27, 2004 at 08:51:47AM +0930, Tim Aslat wrote:
> >
> > > I have an annoying situation in a school I do casual work in their IT
> > > department. There are a number of individuals within the system who
> > > think it's funny to allocate an IP address on a workstation identical to
> > > the network's proxy/web/mail servers. What I'd like to know is, would
> > > there be any way of preventing this short of spending quite a lot of
> > > money on managed switches and the like?
> >
> > Well, you could move all of the servers onto a separate network to any
> > of the individual client machines (and make sure that the server
> > network isn't accessible from any of the network ports your clients
> > have access to, clearly). That way, even if one of your pet idiots
> > decides to 'borrow' a server IP address, the network routing means
> > that all they are going to do is hurt themselves.
> >
>
> You must want to HELP the little shits then.

Please do not ascribe such motives to me in such an insulting manner.
You have a point, but you need to learn how to be less inflammatory in
making it.

> Think of this for a second. Right now he has maybe 4-5 different servers
> that people are putting the IP numbers on. Once you move all those servers
> onto a separate subnet, now all the little twits have to do is put the IP
> number of the gateway router onto their systems, then the entire subnet
> that ALL the servers are on becomes inaccessible.

Yes, you are quite right. I missed that. However the OP is stuck
between a rock and a hard place. He (or his school) is saying they
can't afford the correct equipment to really solve the problem. As it
is, he's getting the flak when things aren't working right (what else
is new?)

On consideration, it strikes me that the thing to realise is that this
has gone beyond a technical argument. This is now also a political
argument and a financial argument. His bosses do not see the
justification for investing in equipment to make the network proof
against such attacks, neither do they have the incentive to come down
like a ton of bricks on the malefactors.

It's counter-intuitive I know, and goes against all of the best
instincts of any good systems administrator, but the OP's arguments
would be strengthened if the problem was or /appeared to be/ *worse*
than it is currently.

	Machiavellianly,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK