Date: Tue, 16 Aug 2005 08:50:40 -0500
From: Greg Barniskis <nalists@scls.lib.wi.us>
To: vladone <vladone@spaingsm.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: i can't block win98 computers
Message-ID: <4301EF30.6060407@scls.lib.wi.us>
In-Reply-To: <1903531874.20050816105119@spaingsm.com>
References: <534500571.20050815232810@spaingsm.com> <20050815211711.GB70491@slackbox.xs4all.nl> <430119B7.6040409@scls.lib.wi.us> <1903531874.20050816105119@spaingsm.com>

vladone wrote:
> Thanks all for reply!
> Now:
> 1. I try to permit only good MAC and deny any else but not work. Win98
> still have internet.
> 2. one solution is probably to block access for win98 computers to any on port 53 and block in this
> mode DNS service, but is a little strange this solution.

When a client just won't behave, sometimes the only solution is an
ugly workaround. Or upgrading the client. We banned Win98 on our
network (long before it was end-of-life) because of the load it
placed on IT staff with its rotten stability and oddities. It was
cheaper to upgrade the PCs than it was to dedicate support staff to
applying bandages to Win98.

> 3. I don't understand how work tcpdump. I used: #tcpdump -i fxp0,
> but I don't see all traffic and after close tcpdump I see a great
> number of packets dropped by kernel, without any rule for this.

This probably means that your CPU isn't powerful enough for the load
you are putting on it with this particular task. I used to be able
to effectively tcpdump our core LAN using a Pentium II, but that was
a long time ago, and that laptop is now only suitable for sniffing
on low density edge LANs.

Short of upgrading, I'm sure there are things you can do to tune the
tcpdump and kernel behaviors; search the archives for more
information (or maybe someone will jump in here with the appropriate
syntax).

If you have a smart switch, you should also be able to reflect all
traffic onto one port and attach a separate sniffer device there
instead of dumping on the firewall itself.

> 4. with "arp -a" I see and MAC for win98 computers. I tried to delete
> entries in arp table for win98 hosts but nothing.
>
> Is great if somebody have experience with this situation, or tested
> some solutions for this problem.

Another approach might be to use DHCP reservations (or, ugly,
manually configured IP settings on each PC), and if possible, smart
switch VLANs, to segregate Win98 clients onto their own subnet and
simply filter by IP address.

-- 
Greg Barniskis, Computer Systems Integrator
South Central Library System (SCLS)
Library Interchange Network (LINK)
<gregb at scls.lib.wi.us>, (608) 266-6348