From: "Dan Mahoney, System Admin" (danm@prime.gushi.org)
To: questions@freebsd.org
Subject: DNS Proxying based on source address
Date: Fri, 14 Mar 2003 06:53:07 -0500 (EST)
List: freebsd-isp

Hi all,

I'm doing a project where I want users on a wireless LAN to be routed to a single, wildcard A record, where they will be forced to input some registration information, and then allowed out into the real world.

Some nice folks at Southwestern University have already written a project that does this called "NetReg", but they are requiring a reboot of the client machine and changes to the DHCP lease file (which will be stopped and started while the client reboots).

(Re: any potential lecture on wi-fi security, I know there are risks that can be done with MAC spoofing, but let's assume I'm aware of them. Let's also make sure we know this is in the dealer's room at a convention where you have a lot of pissed off dealers who can't sell their stuff to a lot of people if this doesn't work, so it's in everyone's best interest not to tamper with it. Let's even assume I'm bringing a 24 port switch just in case something stupid DOES happen. Back to our story...)

My solution is a bit more elegant, I think, but I'm stuck on one part.

Upon bootup, a person is given a DNS server on the local net. The DNS server is configured with a single wildcard record that returns the reg server for any address. Everything else is blocked by the default ipfw rule. If they feel like trying to go to a site by IP, then they run into the issue I'm having. As far as they know, trying to reach anywhere will yield nothing, because unassigned addresses will be firewalled from all but the netreg server. (I'm running this on a gateway machine.)

They can access the registration page on the netreg machine, and once they register, the ipfw rules for their machine are added, and a static MAC-based lease for the IP they were assigned is added in dhcpd.conf (which receives periodic reboots, every 30 minutes or so, instead of every minute with the netreg solution).

I'm going to have the netreg server add a rule like so:

    ipfw add 100 fwd 192.168.1.2,53 any from to <192.168.1.1:53>

.1 and .2 are IPs on the same interface (the one internal to the LAN). Since these are on the local machine, the .2 DNS server will still see the original address, and will reply directly. This will cause them to magically now receive "normal" DNS replies, instead of the "bogus" ones. At least in theory.

**Now here's the issue.**

Assuming I can get all this to work, if Bob's Windows PC sends a request to 192.168.1.1, and 192.168.1.2 answers, will the machine ignore it? If so, how do I rewrite the source address on the outbound reply packets?

The same thing goes with HTTP traffic. I'd love to thwart anyone trying to access a site via IP in the same manner, but if they try to go to http://google's.ip.address, will their machine pay any attention if a reply comes back from my local HTTP server on 192.168.1.1?

I know in a corporate LAN scenario where you have a webserver with an internal IP and an external IP, you run two different DNS servers on two different interfaces. I guess what I need is a DNS server that will proxy requests to either of two other DNS servers based on the machine making the query.

**Big question:** Would adding a second address to the loopback device on the system (and only having the rules fwd to those addresses) solve the source-IP dilemma? (At least for the DNS; for the HTTP the machine is still expecting a reply from some IP that is blocked.)

Is there any way you all can think of to have the server return a page when the user tries to access a site via IP (a la a transparent proxy)?

Any ideas, guys? I know this may be too complicated for the freebsd-questions list. I'm crossposting this to -isp for that reason.

--
"You're a thucking reyer!" -Richard Bozzello, who believed tongue piercing was painless.

--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
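Added example, not part of Dan's message or of NetReg: a minimal Python responder that behaves like the first-stage "wildcard" DNS server he describes, answering every A query with one address and nothing else. The portal address (192.168.1.1) and the short TTL are assumed values; the query builder exists only to construct test input.

```python
import socket
import struct

# Constructed assumption: the registration page lives on the gateway's LAN
# address, so every name resolves there until the client has registered.
PORTAL_IP = "192.168.1.1"

def build_query(txid, name, qtype=1):
    """Encode a minimal DNS question (used here only to construct test input)."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, 1 question
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_query(pkt):
    """Return (txid, flags, qname, qtype, raw_question_section) from a DNS query."""
    txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, off = [], 12
    while True:
        n = pkt[off]; off += 1
        if n == 0:
            break
        if n & 0xC0:                       # pointers are not valid in a plain query name
            raise ValueError("unexpected label pointer")
        labels.append(pkt[off:off + n].decode("ascii")); off += n
    qtype = struct.unpack("!H", pkt[off:off + 2])[0]
    return txid, flags, ".".join(labels), qtype, pkt[12:off + 4]

def wildcard_response(pkt, answer_ip=PORTAL_IP, ttl=30):
    """Answer any A query with answer_ip; other types get an empty NOERROR reply.
    A short TTL limits how long a client caches the portal address after registering."""
    txid, flags, _name, qtype, question = parse_query(pkt)
    out_flags = 0x8480 | (flags & 0x0100)  # QR=1, AA=1, RA=1, RD copied from query
    ancount = 1 if qtype == 1 else 0
    header = struct.pack("!HHHHHH", txid, out_flags, 1, ancount, 0, 0)
    if not ancount:
        return header + question
    # Owner name is a pointer (0xC00C) to the question; type A, class IN, rdlength 4
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    return header + question + rr

def serve(bind_ip="192.168.1.1", port=53):
    """UDP loop; malformed queries are dropped rather than answered."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((bind_ip, port))
    while True:
        pkt, peer = s.recvfrom(512)
        try:
            s.sendto(wildcard_response(pkt), peer)
        except ValueError:
            pass

if __name__ == "__main__":
    serve()
```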