[K12OSN] K12OSN Digest, Vol 80, Issue 17

Sean Harbour SHarbour at nwresd.k12.or.us
Wed Oct 27 17:59:21 UTC 2010


You could modify the iptables rules to block unknown MAC addresses. This will only work if there is no router between the server and clients. Anybody able to spoof the MAC from a thin client would still have access; however, setting this up shouldn't take too long and should serve the purpose of discouraging casual misuse of the thin client network cables.

Here's a link to a discussion on the matter with some examples. I don't have a specific script to recommend.

http://www.linuxquestions.org/questions/linux-security-4/desperate-iptables-block-users-by-mac-address-125661/

Sean 
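
Added example (not part of the original message, and not taken from the linked discussion): a sketch of the MAC allowlist described above, written as a generator that prints the iptables commands for review instead of applying them. The interface name `eth1`, the chain name `KNOWN_MAC` and the MAC addresses are assumptions constructed for illustration.

```shell
#!/bin/sh
# Assumption: eth1 is the server NIC facing the thin clients.
CLIENT_IF="${CLIENT_IF:-eth1}"

# Constructed sample allowlist: one MAC per line, '#' starts a comment.
sample_macs() {
cat <<'EOF'
# lab 1 thin clients
02:00:00:00:00:01
02:00:00:00:00:0a
not-a-mac
02:00:00:00:00:01
EOF
}

# Read MACs on stdin; drop comments and malformed entries, uppercase, dedupe.
normalize_macs() {
    while IFS= read -r mac; do
        case "$mac" in ''|'#'*) continue ;; esac
        if printf '%s\n' "$mac" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'; then
            printf '%s\n' "$mac" | tr 'a-f' 'A-F'
        else
            echo "skipping invalid entry: $mac" >&2
        fi
    done | sort -u
}

# Print the rule set. Known MACs RETURN to the calling chain, so existing
# INPUT/FORWARD rules still apply to them; every other source is dropped.
# The mac match only sees the sender's Ethernet address, which is why it
# needs the clients on the same segment (no router in between).
gen_rules() {
    echo "iptables -N KNOWN_MAC"
    normalize_macs | while IFS= read -r mac; do
        echo "iptables -A KNOWN_MAC -m mac --mac-source $mac -j RETURN"
    done
    echo "iptables -A KNOWN_MAC -j DROP"
    # FORWARD covers Internet traffic routed through the two-NIC server.
    echo "iptables -I INPUT -i $CLIENT_IF -j KNOWN_MAC"
    echo "iptables -I FORWARD -i $CLIENT_IF -j KNOWN_MAC"
}

sample_macs | gen_rules
```

Review the printed commands, then run them as root on the server; a spoofed thin-client MAC still passes this filter, as noted above.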

________________________________________
From: k12osn-bounces at redhat.com [k12osn-bounces at redhat.com] On Behalf Of k12osn-request at redhat.com [k12osn-request at redhat.com]
Sent: Wednesday, October 27, 2010 9:00 AM
To: k12osn at redhat.com
Subject: K12OSN Digest, Vol 80, Issue 17


Today's Topics:

   1. Re: Local apps question (Burke Almquist)
   2. Re: Local apps question (Lewis Holcroft)


----------------------------------------------------------------------

Message: 1
Date: Tue, 26 Oct 2010 18:37:31 -0500
From: Burke Almquist <burke at thealmquists.net>
To: "Support list for open source software in schools."
        <k12osn at redhat.com>
Subject: Re: [K12OSN] Local apps question
Message-ID: <506CA108-7F20-40D1-819B-422162628D0E at thealmquists.net>
Content-Type: text/plain; charset=us-ascii

You could set up your DHCP server to only give out addresses to known clients by MAC address, but I guess technically they could still use a static IP, netmask, and gateway.
You'd have to set up a non-transparent proxy if you want to block internet access for PCs.

On Oct 26, 2010, at 12:14 AM, Joseph Bishay wrote:

> Hello,
>
> I hope everyone is well.
>
> I am interested in setting up local apps on Edubuntu.  I understand
> that when I activate the local apps option, one thing I must do is set
> up the server so it transmits the Internet through to the thin clients
> (I am running a two-NIC server setup).
>
> My question is, if someone unplugs the thin client network cable from
> the wall, and plugs in their own laptop, will they then be given an IP
> address by the server and given Internet/network access? If so, is
> there a way to stop this?
>
> Thank you
> Joseph




------------------------------

Message: 2
Date: Tue, 26 Oct 2010 20:29:15 -0400
From: Lewis Holcroft <lewis at pcc.com>
To: "Support list for open source software in schools."
        <k12osn at redhat.com>
Subject: Re: [K12OSN] Local apps question
Message-ID: <B343EE00-1CF8-4110-B4C5-C9AD91908BDC at pcc.com>
Content-Type: text/plain;       charset=us-ascii

Assuming you have set up DHCP as below and you still have issues, then depending on your switch and the amount of time you want to spend managing the issue, you can bind the thin client MAC to the port on the switch and then have the port only talk to that MAC. This can be done centrally with FreeRADIUS. While I found this can be done, it was a great deal of effort to get working. In the end we posted our policy, which states that you do not unplug stuff and if you do you will be chastised in various ways.

Lewis



On Oct 26, 2010, at 7:37 PM, Burke Almquist <burke at thealmquists.net> wrote:

> You could set up your DHCP server to only give out addresses to known clients by MAC address, but I guess technically they could still use a static IP, netmask, and gateway.
> You'd have to set up a non-transparent proxy if you want to block internet access for PCs.
>
> On Oct 26, 2010, at 12:14 AM, Joseph Bishay wrote:
>
>> Hello,
>>
>> I hope everyone is well.
>>
>> I am interested in setting up local apps on Edubuntu.  I understand
>> that when I activate the local apps option, one thing I must do is set
>> up the server so it transmits the Internet through to the thin clients
>> (I am running a two-NIC server setup).
>>
>> My question is, if someone unplugs the thin client network cable from
>> the wall, and plugs in their own laptop, will they then be given an IP
>> address by the server and given Internet/network access? If so, is
>> there a way to stop this?
>>
>> Thank you
>> Joseph



------------------------------
