From owner-freebsd-questions@FreeBSD.ORG Mon Sep 27 04:16:50 2004
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id D2C8516A4CE
	for ; Mon, 27 Sep 2004 04:16:50 +0000 (GMT)
Received: from mail.freebsd-corp-net-guide.com (mail.freebsd-corp-net-guide.com [65.75.192.90])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 6150643D5C
	for ; Mon, 27 Sep 2004 04:16:50 +0000 (GMT)
	(envelope-from tedm@toybox.placo.com)
Received: from tedwin2k (nat-rtr.freebsd-corp-net-guide.com [65.75.197.130])
	i8R4Ghq34354; Sun, 26 Sep 2004 21:16:43 -0700 (PDT)
	(envelope-from tedm@toybox.placo.com)
From: "Ted Mittelstaedt"
To: "Tim Aslat" , "freebsd-questions@FreeBSD.ORG"
Date: Sun, 26 Sep 2004 21:16:43 -0700
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.6604 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
In-Reply-To: <20040927085147.7b2d8575@bofh.spyderweb.com.au>
Importance: Normal
Subject: RE: IP address conflicts
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 27 Sep 2004 04:16:51 -0000

> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Tim Aslat
> Sent: Sunday, September 26, 2004 4:22 PM
> To: freebsd-questions@FreeBSD.ORG
> Subject: IP address conflicts
>
>
> Hi All,
>
> I have an annoying situation in a school I do casual work in their IT
> department. There are a number of individuals within the system who
> think it's funny to allocate an IP address on a workstation identical to
> the network's proxy/web/mail servers.

I assume that these individuals are NOT the owners of the systems that
they are changing the IP numbers on.

> What I'd like to know is, would
> there be any way of preventing this short of spending quite a lot of
> money on managed switches and the like?
>

Yes. See below.

In any case, first thing is I think you need to have a chat with the Dean.
You're not going to solve this problem until you do 2 things:

1) Make it clear that anyone caught doing this will be immediately expelled.

2) Catch and expel a few of them.

What they are doing is basically identical to making the web/proxy/mail
servers crash and the penalties should be as severe.

> I'm unable to restrict access to settings on the machines, as they are
> notebooks owned by the students/staff and could be legitimately plugged
> in anywhere in the network.
>

Once again, I must assume that these notebooks legitimately owned by
students and staff are NOT owned by the people that are changing the IP
numbers.

If you have a situation where you KNOW who is doing it, and they are
getting away with this, with the full knowledge of the Dean and others in
the college, then you may as well just start looking for another job. If I
was in your shoes I would.

Now also, keep in mind that expensive managed switches ARE the way to
handle this. However, you need not break the bank. There are MANY excellent
quality managed switches on the used market. For example the 3com Desktop
3300 is a fine specimen. It was manufactured back in the days of 3com's
lifetime warranty so even if you find one for sale for $20 that has a blown
power supply, buy it! Also, if you are a bona fide school, contact some of
the switch vendors, they may make a deal with you under the table.

Now, if you are going to say FUCK THIS and totally ignore my advice with
regards to the switches, then fuck you too asshole.
However, I will be kind enough to tell you a horrible hack, gagging
disgusting completely unprofessional band-aid that you should be ashamed to
do, that you can do. And if you ever were being interviewed by me for a job
interview and you mentioned this, I would tell you to leave, then go throw
up for being reminded that there are people in the world that are too lame
to stand up for doing things right the first time.

What you merely do is go around to ALL of the machines on the network that
need to get to the proxy/web/mailservers and put in static ARP entries for
the MAC addresses of the legitimate servers. Then when your little friends
try their trick, nobody is going to notice it, except of course for the
machine that they make their modification to.

After a semester or two the kiddies will give up and you won't have to do
this anymore.

Ted
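
The static ARP approach described in the message above, as an added example that is not part of the original post: a script that prints the `arp -s` commands for a client and audits `arp -an` output against the same table. The IP addresses, MAC addresses, function names and the sample ARP listing are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample values: documentation-range IPs and made-up MACs.
# Table format (an assumption of this example): ip=mac pairs separated by spaces.
PINNED='192.0.2.10=00:11:22:33:44:55 192.0.2.11=00:11:22:33:44:66 192.0.2.12=00:11:22:33:44:77 192.0.2.13=00:11:22:33:44:88'
# Constructed `arp -an` listing as a client might show it during a conflict.
SAMPLE_ARP='? (192.0.2.10) at 00:11:22:33:44:55 on em0 permanent [ethernet]
? (192.0.2.11) at 00:0c:29:aa:bb:cc on em0 expires in 1187 seconds [ethernet]
? (192.0.2.12) at 00:11:22:33:44:77 on em0 expires in 900 seconds [ethernet]
? (192.0.2.50) at 00:0c:29:aa:bb:cc on em0 expires in 1100 seconds [ethernet]'

# Print one "arp -s" command per server; run the output as root on each client.
pin_commands() {
    for pair in $1; do
        echo "arp -s ${pair%%=*} ${pair#*=}"
    done
}

# Read `arp -an` output on stdin and compare it with the table in $1.
# PINNED   = correct MAC, static entry (cannot be overwritten by ARP replies)
# DYNAMIC  = correct MAC right now, but learned from the wire
# MISMATCH = the server IP currently resolves to some other MAC
# MISSING  = no usable cache entry for that IP
# Exit status is non-zero when at least one MISMATCH is found.
check_arp() {
    awk -v pinned="$1" '
    BEGIN {
        n = split(pinned, rows, " ")
        for (i = 1; i <= n; i++)
            if (split(rows[i], f, "=") == 2) { want[f[1]] = tolower(f[2]); order[++k] = f[1] }
    }
    $3 == "at" && $4 !~ /incomplete/ {
        ip = $2; gsub(/[()]/, "", ip)
        if (ip in want) { seen[ip] = tolower($4); perm[ip] = ($0 ~ /permanent|PERM/) }
    }
    END {
        for (i = 1; i <= k; i++) {
            ip = order[i]
            if (!(ip in seen)) print "MISSING", ip
            else if (seen[ip] != want[ip]) { print "MISMATCH", ip, "want", want[ip], "saw", seen[ip]; bad = 1 }
            else if (perm[ip]) print "PINNED", ip
            else print "DYNAMIC", ip
        }
        exit bad + 0
    }'
}

# Demo on the constructed sample; on a live client use: arp -an | check_arp "$PINNED"
printf '%s\n' "$SAMPLE_ARP" | check_arp "$PINNED" || echo "conflict: a server IP answers from an unexpected MAC"
```

A DYNAMIC result means the client has not been pinned yet, so a conflicting host can still displace the entry; entries added with `arp -s` also do not survive a reboot unless they are re-applied at startup.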