Date:      Tue, 16 Aug 2005 08:50:40 -0500
From:      Greg Barniskis <nalists@scls.lib.wi.us>
To:        vladone <vladone@spaingsm.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: i can't block win98 computers
Message-ID:  <4301EF30.6060407@scls.lib.wi.us>
In-Reply-To: <1903531874.20050816105119@spaingsm.com>
References:  <534500571.20050815232810@spaingsm.com>	<20050815211711.GB70491@slackbox.xs4all.nl>	<430119B7.6040409@scls.lib.wi.us> <1903531874.20050816105119@spaingsm.com>

vladone wrote:
> Thanks all for the replies!
> Now:
> 1. I try to permit only the good MACs and deny anything else, but it does not work. Win98
> still has internet.
> 2. One solution is probably to block access for Win98 computers to anything on port 53 and in this
>  way block the DNS service, but this solution is a little strange.

When a client just won't behave, sometimes the only solution is an 
ugly workaround. Or upgrading the client. We banned Win98 on our 
network (long before it was end-of-life) because of the load it 
placed on IT staff with its rotten stability and oddities. It was 
cheaper to upgrade the PCs than it was to dedicate support staff to 
applying bandages to Win98.

> 3. I don't understand how tcpdump works. I used: #tcpdump -i fxp0,
> but I don't see all the traffic, and after closing tcpdump I see a great
> number of packets dropped by the kernel, without any rule for this.

This probably means that your CPU isn't powerful enough for the load 
you are putting on it with this particular task. I used to be able 
to effectively tcpdump our core LAN using a Pentium II, but that was 
a long time ago, and that laptop is now only suitable for sniffing 
on low density edge LANs. Short of upgrading, I'm sure there are 
things you can do to tune the tcpdump and kernel behaviors; search 
the archives for more information (or maybe someone will jump in 
here with the appropriate syntax).

If you have a smart switch, you should also be able to reflect all 
traffic onto one port and attach a separate sniffer device there 
instead of dumping on the firewall itself.

> 4. With "arp -a" I also see the MAC for the Win98 computers. I tried to delete
> the entries in the arp table for the Win98 hosts, but nothing.
> 
> It would be great if somebody has experience with this situation, or has tested
> some solutions for this problem.

Another approach might be to use DHCP reservations (or, ugly, 
manually configured IP settings on each PC), and if possible, smart 
switch VLANs, to segregate Win98 clients onto their own subnet and 
simply filter by IP address.

-- 
Greg Barniskis, Computer Systems Integrator
South Central Library System (SCLS)
Library Interchange Network (LINK)
<gregb at scls.lib.wi.us>, (608) 266-6348
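Greg's suggestion above (DHCP reservations, then filtering by IP rather than by MAC), written out as an added example that is not part of the original thread: an ISC dhcpd fragment that pins the Win98 hosts to a fixed address block, and a pf rule set on the FreeBSD gateway that filters that block. The subnet, the MAC addresses and the assumption that fxp0 is the LAN-side interface are constructed for the example, not taken from the thread.

```conf
# /usr/local/etc/dhcpd.conf (ISC dhcpd) -- constructed example.
# Win98 hosts are reserved fixed addresses outside the dynamic range,
# so the firewall matches on those addresses instead of on MACs.
subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.1;
    option domain-name-servers 192.168.1.1;
    # dynamic pool for ordinary clients; must not overlap the
    # fixed-address reservations below
    range 192.168.1.100 192.168.1.199;
}

# Placeholder hardware addresses, not real hosts.
host win98-pc1 {
    hardware ethernet 00:11:22:33:44:01;
    fixed-address 192.168.1.201;
}
host win98-pc2 {
    hardware ethernet 00:11:22:33:44:02;
    fixed-address 192.168.1.202;
}

# /etc/pf.conf on the gateway -- constructed example.
# Assumes fxp0 is the LAN-facing interface (an assumption; the
# thread does not say which side fxp0 is on).
int_if = "fxp0"
table <win98> persist { 192.168.1.201, 192.168.1.202 }

# Drop everything the reserved Win98 addresses send through the
# gateway, before any later pass rules can match.
block in quick on $int_if from <win98> to any
block in quick log on $int_if inet proto udp from <win98> to any port 53
```

Load with `pfctl -f /etc/pf.conf`; a VLAN for the Win98 hosts would replace the table with that VLAN interface's subnet in the same block rule.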



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4301EF30.6060407>