Date: Tue, 17 Aug 1999 10:57:37 -0400
From: Christopher Michaels <ChrisMic@clientlogic.com>
To: "'support@junglenote.com'" <support@junglenote.com>, "'mkc@Graphics.Cornell.EDU'" <mkc@Graphics.Cornell.EDU>
Cc: Jamie Norwood <mistwolf@ethereal.net>, freebsd-questions@FreeBSD.ORG
Subject: RE: dhcpd
Message-ID: <6C37EE640B78D2118D2F00A0C90FCB4401105B92@site2s1>
Ok, I have to chime in on this one. See below.

> -----Original Message-----
> From: Dan Larsson [SMTP:support@junglenote.com]
> Sent: Tuesday, August 17, 1999 3:27 AM
> To: 'mkc@Graphics.Cornell.EDU'
> Cc: Jamie Norwood; freebsd-questions@FreeBSD.ORG
> Subject: SV: dhcpd
>
> > Yes it is, but keep reading. He confirmed my guess about wanting it to
> > prevent servers. Really all it does to people who want to run a server
> > is annoy them. Meanwhile it annoys your friendly non-abusing users as
> > well. Not what I would consider a good idea. Not long ago I met a guy
> > who was running a web server on a machine using dhcp. He had a friend
> > running his DNS service and every time his IP address changed he just
> > sent the new address to his friend who updated his DNS and he was back
> > in business. Of course this works best if both you and your friend
> > spend all your time on the net...
>
> How does this bother the 'friendly non-abusing user'? I've never seen,
> even m$ boxes included, die from having their ip address changed with or
> without dhcp. You must mean something else, right?
>

I believe what is meant is that any active connections will just stop responding when the IP address is changed from under them. I can see it now: I'm downloading the new service pack to my crappy WordPerfect 9, it gets through 20MB of the 36MB patch, and *BOOM*, the IP address changes and the connection drops, forcing me back to square 1. That's an extreme example; what if someone's on ICQ, or playing an online game, etc., etc.? This would end up alienating your 'good' customers more than it would the 'bad' ones. I know I would switch ISPs in a heartbeat (if this is an ISP we're dealing with); unreliable service is unacceptable when that service is being paid for, and from a customer's point of view, this would be unreliable service. On the same token, what kind of a lease time are we talking about? 2hrs, 12hrs, 24hrs?

> And as I mentioned earlier, from the client's point of view it's much
> easier just to apply for a static address.
> The other solution would be to deny access to all and punch holes in the
> fw for every client allowed. This works. I know. But the rules table for
> the firewall grows to monolithic proportions, understandably due to the
> myriad of available software applications.
>

This has its downsides as well. You'd have to put SO many holes in this firewall it'd be crazy. My current internet connection is through a local university, and they block ALL incoming connections except on port 113 (ident). I can't tell you how much trouble this causes me. ICQ doesn't work right, I can't play most online games, simple things like a DCC chat on IRC don't work, netmeeting doesn't work, the list goes on. I understand what you are trying to do: stop people from abusing the system and putting up static servers on a dynamic connection. Even the idea of blocking well-known ports would be undesirable because the people you want to stop are, for the most part, smart enough to not use a standard port. Personally I am against any solution that punishes the good users to stop the few bad users. I personally feel the best solution would be to keep logs of connection time and bandwidth, and have something alert you to problem users: people with long uptimes and a lot of outgoing bandwidth. But then again, this is only my opinion.

> A second alternative which is similar to the above. And it's setting
> bandwidth rules for every ip in the scope. Which also works, but sets the
> problem out of focus.
> The most desirable solution from my point of view would be to deny
> regular ip datatypes (http-data etc) from the internet to the clients.
> e.g. to deny a request from the internet to access any ip resource on the
> client side. And from there punch holes to allow access to certain ips to
> be accessed from the internet.
> This I do not know how to do.
> If someone does please let me know.
>
> /D
>

As I said earlier, this is more trouble than it's worth; there are a good number of programs that use random/dynamic port numbers. Granted some can be restricted, such as ICQ and mIRC, but others cannot (netmeeting). And again, let's say you open up ports 4000-5000 for ICQ users; what's to stop your "bad" user from just putting a server on that port? Another viable option would be to do regular port scans on your users, but anyone using a *NIX based system will easily be able to detect and block those (unless you use a utility such as nmap, and use its stealth mode). This is getting rather complicated tho.

One last thing: since most of the original posting was chopped off, I'm going on some assumptions. I am assuming that this is in an ISP situation where you have dialup users with dynamically assigned IP addresses. If this is in a corporate situation, then you can throw most of what I said out the window. In a corporate situation I'm all for the restrictive firewall; I still think changing the IP out from under them is a bad idea. We have applications in the company where I work that run over the network; if my IP were to change mid-stream, that would greatly reduce my productivity.

-Chris

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
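The monitoring approach Chris proposes in the message above (log connection time and bandwidth per user and alert on the combination of long uptime and a lot of outgoing traffic, instead of breaking everyone's connections with short leases or a restrictive firewall) is sketched here as an added Python example. This is not code from the thread or from any FreeBSD tool; the accounting log format, the field names, the per-session figures and the thresholds are assumptions constructed for illustration, sized for a 56k dial-up link.

```python
"""Flag dial-up sessions whose traffic profile looks like a server.

Heuristic from the thread: a long session uptime combined with a large
share of *outgoing* bytes. A normal client downloading a patch looks the
opposite (short-ish session, mostly inbound), so it is not flagged.

The log format below is constructed for this example; it is not a real
dhcpd or RADIUS accounting format.
"""
from dataclasses import dataclass
from typing import List

# Constructed sample accounting lines, one per active session.
# Fields: user, assigned IP, session uptime in seconds, bytes in/out as seen
# from the client (in = downloaded by client, out = sent by client).
SAMPLE_LOG = """\
user=alice ip=10.1.0.12 uptime=5400 in=38000000 out=2100000
user=bob ip=10.1.0.19 uptime=259200 in=4200000 out=1000000000
user=carol ip=10.1.0.23 uptime=172800 in=900000000 out=51000000
user=dave ip=10.1.0.31 uptime=900 in=200000 out=4000000
"""


@dataclass
class Session:
    user: str
    ip: str
    uptime_s: int
    bytes_in: int
    bytes_out: int

    @property
    def out_rate_kbps(self) -> float:
        """Average outbound rate over the whole session, in kilobits per second."""
        return self.bytes_out * 8 / 1000 / max(self.uptime_s, 1)

    @property
    def out_share(self) -> float:
        """Fraction of the session's total bytes that left the client."""
        total = self.bytes_in + self.bytes_out
        return self.bytes_out / total if total else 0.0


def parse_log(text: str) -> List[Session]:
    """Parse the constructed key=value accounting lines into Session records."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kv = dict(field.split("=", 1) for field in line.split())
        sessions.append(Session(kv["user"], kv["ip"], int(kv["uptime"]),
                                int(kv["in"]), int(kv["out"])))
    return sessions


def suspected_servers(sessions: List[Session], min_uptime_s: int = 24 * 3600,
                      min_out_kbps: float = 20.0, min_out_share: float = 0.8) -> List[str]:
    """Return the users whose sessions meet all three criteria.

    Default thresholds are assumptions: up for at least a day, sustaining
    20 kbit/s outbound on average, with at least 80% of traffic outbound.
    Requiring all three keeps an ordinary long-running downloader (carol)
    and a brief upload burst (dave) out of the report.
    """
    return [s.user for s in sessions
            if s.uptime_s >= min_uptime_s
            and s.out_rate_kbps >= min_out_kbps
            and s.out_share >= min_out_share]


if __name__ == "__main__":
    sessions = parse_log(SAMPLE_LOG)
    for s in sessions:
        print(f"{s.user:6} {s.ip:11} up={s.uptime_s:>7}s "
              f"out={s.out_rate_kbps:6.1f} kbit/s share={s.out_share:.2f}")
    print("alert:", suspected_servers(sessions))
```

With the sample data only bob is reported: three days up, about 31 kbit/s sustained outbound (roughly what a 56k modem can push), and over 99% of his bytes leaving the client. Lowering `min_uptime_s` to ten minutes would also catch dave's short burst, which shows why the uptime criterion is part of the rule: a single large upload is not what the thread is trying to find.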