From: "Ted Mittelstaedt"
To: "Eric Crist"
Cc: bsdfsse, russell, "freebsd-questions@FreeBSD.ORG"
Date: Tue, 28 Sep 2004 10:19:18 -0700
In-Reply-To: <984880D8-1153-11D9-94B7-000D9333E43C@secure-computing.net>
Subject: RE: IP address conflicts

> -----Original Message-----
> From: Eric Crist [mailto:ecrist@secure-computing.net]
> Sent: Tuesday, September 28, 2004 6:38 AM
> To: Ted Mittelstaedt
> Cc: russell; bsdfsse; freebsd-questions@FreeBSD.ORG
> Subject: Re: IP address conflicts
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> For what it's worth, aside from some reconfiguration that could be a
> little time consuming, I would suggest putting the servers on a
> different subnet than everything else. If all the computers that are
> not servers are supposed to be configured for DHCP, insert a FreeBSD
> box that filters out any addresses outside that subnet.
>
> i.e. Server IP addresses are all 192.168.1.0 thru 192.168.1.50. Set
> your DHCP server to only assign IP addresses above 192.168.1.75 and up
> or so. I'm too lazy to do the math right now, but use the appropriate
> subnet mask and filter all the other stuff out. Aside from those
> students disrupting some of the other users on the network, they can't
> spoof the servers anymore.
>

No, they just spoof the IP address of the router that the servers are
behind, and accomplish exactly the same goal. It actually makes it easier
because instead of multiple servers and multiple IP numbers the attackers
need to spoof, they now only need to spoof 1 IP number - that of the router
the servers are behind.

Ted