[Gllug] DHCP/Firewalls

Xander D Harkness xander at harkness.co.uk
Thu Aug 23 19:56:03 UTC 2001


Can we take this one stage further?

We have a w2k terminal server farm, upon which we allow external clients access.

The Windows guys want to implement a firewall between the farm and the 
rest of our network based on users and groups to keep our clients 
outside the rest of our network. (Their thinking is that if they find an 
exploit they cannot access the rest of our network - my thinking is that 
the most common exploit sought is for admin user - which blows away the 
firewalling rules.  However assuming they find a hole and it is not 
Administrator access.....)

I am told that there is a product that does this (not sure of the name) 
but prob windows (secure, errm no!).

I would really like to solve this with Linux and I am sure that it is 
possible, but I do not know enough about the information coming out of a 
Windows box, i.e. does it give user or group info when running telnet?

Kind regards
Xander

David Damerell wrote:

> On Thursday, 23 Aug 2001, Paul Brazier wrote:
> 
>>>Don't forget to pick a random subnet of 192.168.* and not 
>>>just 192.168.1/24.
>>>
>>Why is this?
>>
> 
> RFC1918; basically, it's to minimise the possibility of a clash if you
> merge with another RFC1918 network. More common than you might think;
> frex, several of the Cambridge geekhauses are now on a single VPN,
> although you would never expect it to be an issue for home networking.
> 
> Since naive people will often pick 192.168.0/24 or 192.168.1/24, it's
> wise to pick a range between 192.168.2-254/24, since then you won't
> clash with them and are unlikely to clash with non-naive people.
> 
> 10/8 is a bad choice, since you clash with anyone else using any
> subset of network 10; unfortunately, enough naive people use 10/8 that
> any subnet of network 10 is a bad choice, too.
> 
> Of course, 192.168/16 is an even worse choice; if you really need more
> than 254 IP addresses in a private network, a /23 or /22 subnet of
> 192.168 or better yet one of the reserved class B [1] ranges in the
> 170s (selected at random) will do.
> 
> [1] Don't tell me classes are dead, you know what I mean.
> 
> 



-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
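The subnet-clash argument in David's quoted reply, as an added worked example (not code from the thread or from either poster): it checks a candidate range against the commonly picked 192.168.0/24, 192.168.1/24 and 10/8, draws a random /24 from 192.168.2-254 as suggested, and lists the overlapping pairs when several private networks are joined. The RFC 1918 block definitions are taken from the RFC itself; the "commonly used" list is a constructed stand-in for the post's "naive" choices.

```python
import ipaddress
import random

# RFC 1918 private blocks (from the RFC itself, not from the thread).
RFC1918 = [ipaddress.ip_network(b)
           for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed list of the "naive" choices the post says most people pick.
COMMONLY_USED = [ipaddress.ip_network(b)
                 for b in ("192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/8")]


def is_private(cidr):
    """True if the network lies entirely inside one RFC 1918 block."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(block) for block in RFC1918)


def clash_risk(cidr):
    """Commonly used ranges that a candidate network would collide with."""
    net = ipaddress.ip_network(cidr)
    return [str(c) for c in COMMONLY_USED if net.overlaps(c)]


def pick_random_24(seed=None):
    """Pick a /24 between 192.168.2.0 and 192.168.254.0, as the post suggests."""
    third = random.Random(seed).randint(2, 254)
    return f"192.168.{third}.0/24"


def merge_clashes(cidrs):
    """Pairs of subnets that overlap, i.e. would need renumbering if the
    networks were joined (for example over a VPN)."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    pairs = []
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                pairs.append((str(a), str(b)))
    return pairs


if __name__ == "__main__":
    chosen = pick_random_24()
    print(chosen, "clashes with:", clash_risk(chosen))
    # A /16 of network 10 clashes with anyone using all of 10/8.
    print(merge_clashes(["192.168.1.0/24", "10.3.0.0/16", "10.0.0.0/8"]))
```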