Limiting DHCP client access to network


milanuk
08-21-2001, 07:25 PM
This is a subject I see brought up from time to time on Usenet, mailing lists, etc. But either I lose the thread before it gets a good answer, or I missed it altogether. The scenario is something like this:

A LAN, of whatever size, that uses a DHCP server to assign client IP addresses, feed info on DNS servers, whatever. Perhaps at a university dorm complex, or an apartment complex, or a business hotel that wants to offer high-speed internet jacks in the rooms. So they _have_ to let people randomly connect to the network, query the DHCP server, and subsequently, connect to the Internet.

The problem isn't w/ the honest people, the ones who pay for their access, and use it accordingly. The problem is w/ the ones who decide that through a little shoulder surfing, they can access the net using their neighbor's machine name. Or perhaps that they already know, either from a friend or whatever, the necessary info like name server addresses, gateway address, etc. They go right ahead and connect to the Internet, w/ relative impunity.

I've seen this topic come up for OpenBSD, Linux, hell, even WinNT 4.0. How do you limit the access out the firewall/gateway/router to legitimate accounts w/ valid IPs from the DHCP server? I've seen people mention doing something w/ the MAC addresses, assigning 'permanent' DHCP leases based on the MAC address, therefore requiring users to have previously registered their NIC's MAC address w/ the business office. But how do you tie that in to the firewall? It seems like it should be extremely easy, on first glance, but on second & third looks it seems more and more of a major PITA.

Any ideas or suggestions out there?

Monte

bdg1983
08-21-2001, 08:47 PM
I'm sorry I don't have an answer. It is an interesting topic and I wouldn't mind reading some of the suggestions.

Linux is Linux. It's the kook behind the keyboard that makes or breaks it. Get off the my-distro-is-better-than-yours kick.

I just wanted to say, I couldn't agree more.

YaRness
08-21-2001, 08:56 PM
umm, instead of allowing open pass-through to the internet, use a proxy that requires login and password to get through. a little more complicated for people to get in, but would do the trick i think....

maybe you could have a proxy that prompts for a login/password before letting them out to the internet. though that would only work for http connections.

i know for my cable connection, the company needs to know the MAC address of your cable modem so that you are validated when you plug it in, maybe something similar could be done with some equipment coupled with the ethernet jacks in the rooms.

milanuk
08-22-2001, 04:40 AM
Well, I suppose I had better clear this up:

I personally don't have that problem here at home. Pretty much the only people that are going to be on my LAN are household members (don't think a burglar is going to break in just to surf the Net ;p ), so for better or worse, I have to trust them ;)

I just see the same problem posted every so often, and wonder if I am just not seeing the final solution, or what. Any idea how the cable company manages to restrict their net access to just legit machines? On the one hand, I don't encourage anyone to break the rules (bend, maybe. break, no). But what would happen if you swapped NICs in that machine? Can you still get online, presuming that you wrote down the vital info (gateway, dns servers, netmask, IP range, etc) beforehand? Does it really stop you? I wonder how they do it?

Monte
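The first post asks how to tie MAC-based DHCP reservations into the firewall, and the last one asks what happens when someone swaps NICs but keeps the written-down IP settings. The following is an added example, not code from anyone in this thread: it parses ISC dhcpd-style `host` blocks for registered MAC/IP pairs, emits Linux iptables FORWARD rules that accept only those pairs (using the real `-m mac --mac-source` match), and then scans `/proc/net/arp`-style output from the gateway to flag any IP that shows up behind a different hardware address than the one registered, which is exactly the NIC-swap case. The `dhcpd.conf` snippet, the ARP table lines and the interface names `eth0`/`eth1` are all constructed for the example. The rules only prove that a frame carried a registered MAC on the LAN side, so the ARP check is a detection aid for the gateway operator, not a guarantee; the thread's other suggestion, a proxy requiring a login, works at a different layer and is not replaced by this.

```python
"""Bind DHCP MAC reservations to firewall forwarding rules and audit the ARP
table for registered IPs that appear behind the wrong hardware address.
Added example; config, ARP lines and interface names are constructed."""
import re

# Constructed ISC dhcpd.conf excerpt: one dynamic pool plus two registered hosts.
SAMPLE_DHCPD_CONF = """
subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.100 10.0.0.200;
  option routers 10.0.0.1;
}
host room101 {
  hardware ethernet 00:11:22:33:44:55;
  fixed-address 10.0.0.11;
}
host room102 {
  hardware ethernet 00:11:22:33:44:66;
  fixed-address 10.0.0.12;
}
"""

# Constructed /proc/net/arp snapshot taken on the gateway's LAN interface.
# 10.0.0.12 is registered to ...:66 but answers from ...:77 (a swapped NIC);
# 10.0.0.150 sits in the dynamic pool and has no registration at all.
SAMPLE_ARP = """IP address       HW type     Flags       HW address            Mask     Device
10.0.0.11        0x1         0x2         00:11:22:33:44:55     *        eth1
10.0.0.12        0x1         0x2         00:11:22:33:44:77     *        eth1
10.0.0.150       0x1         0x2         00:aa:bb:cc:dd:ee     *        eth1
"""

HOST_RE = re.compile(r"host\s+(?P<name>\S+)\s*\{(?P<body>.*?)\}", re.DOTALL)
MAC_RE = re.compile(r"hardware\s+ethernet\s+(?P<mac>[0-9a-fA-F:]{17})\s*;")
IP_RE = re.compile(r"fixed-address\s+(?P<ip>[0-9.]+)\s*;")


def parse_reservations(conf_text):
    """Return {ip: (hostname, mac)} for every host block carrying both fields."""
    reservations = {}
    for m in HOST_RE.finditer(conf_text):
        mac = MAC_RE.search(m.group("body"))
        ip = IP_RE.search(m.group("body"))
        if mac and ip:
            reservations[ip.group("ip")] = (m.group("name"), mac.group("mac").lower())
    return reservations


def build_forward_rules(reservations, lan_if="eth1", wan_if="eth0"):
    """Emit iptables commands: default-deny forwarding, allow return traffic,
    then one ACCEPT per registered (IP, MAC) pair; everything else is logged."""
    rules = ["iptables -P FORWARD DROP",
             f"iptables -A FORWARD -i {wan_if} -o {lan_if} "
             f"-m state --state ESTABLISHED,RELATED -j ACCEPT"]
    for ip, (name, mac) in sorted(reservations.items()):
        rules.append(f"iptables -A FORWARD -i {lan_if} -o {wan_if} -s {ip} "
                     f"-m mac --mac-source {mac} -j ACCEPT  # {name}")
    # Unmatched LAN->WAN traffic falls through to the DROP policy after logging.
    rules.append(f"iptables -A FORWARD -i {lan_if} -o {wan_if} "
                 f"-j LOG --log-prefix 'UNREG: '")
    return rules


def find_arp_mismatches(arp_text, reservations):
    """Scan /proc/net/arp-style lines; return (ip, mac, reason) for every IP
    that is unregistered or is answering from a MAC other than its registered one."""
    findings = []
    for line in arp_text.splitlines():
        if not line.strip() or line.startswith("IP address"):
            continue  # blank or header line
        parts = line.split()
        if len(parts) < 4:
            continue
        ip, mac = parts[0], parts[3].lower()
        if mac == "00:00:00:00:00:00":
            continue  # incomplete ARP entry, nothing to compare yet
        if ip not in reservations:
            findings.append((ip, mac, "unregistered address"))
        elif reservations[ip][1] != mac:
            name, expected = reservations[ip]
            findings.append((ip, mac, f"expected {expected} ({name})"))
    return findings


if __name__ == "__main__":
    regs = parse_reservations(SAMPLE_DHCPD_CONF)
    print("\n".join(build_forward_rules(regs)))
    for ip, mac, reason in find_arp_mismatches(SAMPLE_ARP, regs):
        print(f"ALERT {ip} seen from {mac}: {reason}")
```

Run as-is it prints the five rule lines and two alerts (the swapped NIC on 10.0.0.12 and the unregistered 10.0.0.150). On a real gateway you would feed the actual `dhcpd.conf` and `/proc/net/arp` in and run the ARP check from cron; the reservation table is also the registration list the business office maintains, so both the DHCP server and the firewall derive from one source.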