Koozali.org: home of the SME Server

keep users from changing IP addr

Steve

keep users from changing IP addr
« on: April 20, 2002, 05:33:38 AM »
I am currently planning to install
e-smith in a high school.  I will use
SquidGuard for content filtering and
allow administration open access.
What can I do to keep students from
changing the IP address of a student
computer to the IP address of an
office computer?  (this would allow
students to have unrestricted internet
access)

E-smith v5.1.2- 10.0.0.254
Office IP: 10.0.0.1-10.0.0.30
Students: 10.0.0.31-10.0.0.253

Also, is it possible to use a Class B
subnet with e-smith?
10.0.0.0/255.255.0.0
So that computers could have addresses
of 10.0.4.1 and 10.0.5.1, etc.

Thanks

Jonathan

Re: keep users from changing IP addr
« Reply #1 on: April 20, 2002, 11:05:25 AM »
If it were me, I'd think seriously about keeping the two groups on physically separate subnets.  That way you could control the access of the students at the router from their subnet.  Because you actually control what's on the wire, they cannot gain privileged access by changing IPs.  You can use any content filters you want at the router, and block any illegal, out of range IP addresses from getting anything.

There should be no reason why you can't use class A, B or C networks with e-smith as long as you specify the correct netmask to go along with it.  I haven't tried this myself, but because it's based on standard Red Hat, there should be no problem.

Jonathan

Duncan

Re: keep users from changing IP addr
« Reply #2 on: April 20, 2002, 11:57:39 AM »
Steve wrote:

> Also, is it possible to use a Class B
> subnet with e-smith?
> 10.0.0.0/255.255.0.0
> So that computers could have addresses
> of 10.0.4.1 and 10.0.5.1, etc.

Using this subnet mask will not separate the networks. It equates to around 65000 IP addresses (it is a complete class B network - note that the addressing scheme you propose is actually a private class A network).

Use 255.255.255.0. You would need a router between the two networks with the e-smith machine sitting on one segment. You might also use the e-smith machine to handle your routing. If one of the kids changes to the other network range, their machine simply won't function on the LAN. The better method might be to base your setup on MAC addresses, but I don't know Squid, so I don't know if you can. It would also be a nightmare to administer for big LANs.

Having said this, I would guess your question refers to the fact that some kids are computer smart. What's to stop them disabling the proxy server settings and bypassing SquidGuard?

Regards Duncan

Steve

Re: keep users from changing IP addr
« Reply #3 on: April 20, 2002, 11:48:17 PM »
I was afraid separating the networks completely would be the only solution other than recording all of the MAC addresses.  I know MAC addresses can be spoofed under *nix, and I'm sure there's probably a way of doing it under Windows.  The main reason that I did not wish to separate the networks is because the network was wired with the student/staff computers mixed.



> Using this subnet mask will not separate the networks. It equates to around 65000 IP addresses (it is a complete class B network - note that the addressing scheme you propose is actually a private class A network)

Actually, my question concerning subnets was unrelated.  I just wondered if e-smith would support a 255.255.0.0 or 255.0.0.0 so that I can, in fact, have more than 254 computers/IPs available.

> Having said this, I would guess your question refers to the fact that some kids are computer smart. What's to stop them disabling the proxy server settings and bypassing SquidGuard?

I have not yet tried it, but I was under the interpretation that e-smith forced all requests through squid (i.e., transparent proxy).

It is my understanding that the best solution would be the following:

                            internet
                                |
                             router
                                |
                  |-------------+-------------|
             e-smith1                 e-smith2


Thanks for your comments!
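
The MAC-recording option mentioned in the post above, as an added example that is not part of the original thread: a small audit that compares ARP entries against a recorded office inventory for the 10.0.0.1-10.0.0.30 range. The inventory, the MAC values and the sample `arp -an` output are constructed for illustration.

```python
import ipaddress
import re

# Office range from the first post; the per-host MAC inventory is constructed.
OFFICE_FIRST = ipaddress.ip_address("10.0.0.1")
OFFICE_LAST = ipaddress.ip_address("10.0.0.30")
OFFICE_BINDINGS = {
    "10.0.0.1": "02:00:00:00:00:0a",
    "10.0.0.2": "02:00:00:00:00:02",
}

# Constructed sample in the format printed by `arp -an` on Linux.
SAMPLE_ARP = """\
? (10.0.0.1) at 02:00:00:00:00:0A [ether] on eth0
? (10.0.0.2) at 02:00:00:00:00:99 [ether] on eth0
? (10.0.0.17) at 02:00:00:00:00:17 [ether] on eth0
? (10.0.0.45) at 02:00:00:00:00:45 [ether] on eth0
? (10.0.0.46) at <incomplete> on eth0
"""

ARP_LINE = re.compile(
    r"\((\d{1,3}(?:\.\d{1,3}){3})\) at ([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\b"
)


def audit_arp(arp_text, bindings=OFFICE_BINDINGS):
    """Return (ip, mac, reason) for each office-range address that looks wrong."""
    findings = []
    for line in arp_text.splitlines():
        m = ARP_LINE.search(line)
        if not m:
            continue  # unresolved ("<incomplete>") or unrelated line
        ip, mac = m.group(1), m.group(2).lower()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address in the input
        if not OFFICE_FIRST <= addr <= OFFICE_LAST:
            continue  # student range: no privileged filter rule to claim
        expected = bindings.get(ip)
        if expected is None:
            findings.append((ip, mac, "office IP with no recorded MAC"))
        elif mac != expected.lower():
            findings.append((ip, mac, "MAC differs from recorded binding"))
    # Limitation: a MAC cloned from an office machine passes this check.
    return findings


if __name__ == "__main__":
    for ip, mac, reason in audit_arp(SAMPLE_ARP):
        print(f"{ip} {mac}: {reason}")
```
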

Duncan

Re: keep users from changing IP addr
« Reply #4 on: April 22, 2002, 04:27:55 AM »
I have an interest in this as I am offering this type of setup to my customers.
Your diagram shows two e-smith boxes. Any particular reason for using two machines?

Regards Duncan

Steve

Re: keep users from changing IP addr
« Reply #5 on: April 22, 2002, 07:52:10 AM »
Duncan,
  I am implementing e-smith in a high school and
am using SquidGuard to filter websites.  However,
I want certain staff computers to have access to
websites that are blocked by SquidGuard (such as
hotmail which I do not want students accessing).
The option to allow certain IPs full access is
available for SquidGuard, but I believe this could
be bypassed by a student changing the IP of their
computer to an IP of a staff computer which would
allow them unrestricted access.
   I believe separating the networks using 2 e-smith
machines would eliminate the problem of students
being able to change IPs.  They can still change
IPs but will not gain access to inappropriate websites
if on a separate network.
  Any comments/suggestions from you would be
greatly appreciated.

Thanks

Pierre Coetzer

Re: keep users from changing IP addr
« Reply #6 on: April 22, 2002, 12:50:08 PM »
Hi there

I've used Squid auth, with two password files: 1 for unrestricted browsing and one for limited browsing. So it doesn't matter what the IP address is, it only checks for username and password.

Duncan

Re: keep users from changing IP addr
« Reply #7 on: April 22, 2002, 03:07:37 PM »
I would probably look into the post from Pierre as it seems to present an ideal solution.

My reference to the two machines was along the lines of simply adding a third NIC to the e-smith1 machine and setting it up as a separate network segment. All users can file share from the same machine, access e-mail and browse the internet but are separated, making your end result simpler (set up WINS for browse lists).

There is a howto which is fairly easy to follow.
http://www.e-smith.org/docs/howto/contrib/net_card.html

Having said that, I would still pursue the previous post.

Regards Duncan

Steve

Re: keep users from changing IP addr
« Reply #8 on: April 23, 2002, 09:59:05 AM »
Pierre -
  How are users authenticated?  I have heard of proxy authentication but have never used it.  Do you configure the browser to login to the proxy or will it prompt for a password?  Are there any How-To's available?

Duncan -
  I don't know why I didn't think of such a solution.  That sounds like a great idea.  I will definitely consider that.  With a little bit of planning, I'm pretty sure I could get it to work.

I will try both of these methods and see what I can get to work.  Thanks for your suggestions!

Duncan

Re: keep users from changing IP addr
« Reply #9 on: April 23, 2002, 01:11:03 PM »
Glad to help.

I have set up a few simple routers in this manner for various reasons. The one thing you will need to sort out is DHCP manually on the additional NICs (if you need it).

My next trick is to get a couple of boxes talking via some zoom wireless network cards. These things bang out a fair distance with some directional antennas. That would be a nice solution for some of my customers.

Anyway, Good luck.

Regards Duncan