Re: IPTABLES rule for separating users

James McKenzie wrote:
> On 3/20/11 5:39 PM, Chris Kloiber wrote:
>> On 03/05/2011 03:58 AM, erikmccaskey64 wrote:
>>> I have an OpenWrt 10.03 router [ IP: 192.168.1.1 ], and it has a DHCP
>>> server pool: 192.168.1.0/24 - clients are using it through
>>> wireless/wired connection. Ok!
>>>
>>> Here's the catch: I need to separate the users from each other.
>>>
>>> How I need to do it: by IPTABLES rule [ /etc/firewall.user ]. Ok!
>>>
>>> "Loud thinking": So I need a rule something like this [on the OpenWrt
>>> router]:
>>>
>>> - DROP where SOURCE: 192.168.1.2-192.168.1.255 and DESTINATION is
>>> 192.168.1.2-192.168.1.255
>>>
>>> The idea is this. Ok!
>>>
>>> Questions!
>>> - Will I lock out myself if I apply this firewall rule?
>>> - Is this a secure method? [ is it easy to do this?: hello, I'm a
>>> client, and I say, my IP address is 192.168.1.1! - now it can sniff
>>> the unencrypted traffic! :( - because all the clients are in the same
>>> subnet! ]
> If you want to stop sniffing of the unencrypted traffic, then IPTables
> IS NOT THE WAY TO GO.  You should either remove the sniffer program or
> make it so that only users with root capabilities can run it (sudoers
> should not have the program in it.)
>>> - Are there any good methods to find/audit for duplicated IP addresses?
>>> - Are there any good methods to find/audit for duplicated MAC addresses?
> arp should dump the entire cache.
>
> There should be a method to do the same thing for IP addresses?
>
> Looks like you have a larger problem than what you are looking at.  If
> you are a security specialist, then you should know all of the tools you
> have at your disposal to find and destroy the bad nasties in your own
> network (hint, if you are running a Linux based router, they are there.)
>
I think the problem is that clients see each other's packets and run the sniffer 
on the client. The way to avoid that is to encrypt all packets. Handing out a 2 
bit subnet from dhcp only helps if the bad guys use it. They generally sniff 
every packet they can see, or at least that has the AP IP address as source or dest.

I still think arpwatch is the first tool, but security is not in getting rid of 
bad guys, it's making the good guys paranoid enough to practice safe net.

-- 
Bill Davidsen <davidsen@xxxxxxx>
   "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
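The ARP-cache audit the thread points at (dump the cache, watch it the way arpwatch does) as a worked example. This is an added example, not code from the original message or from arpwatch. It parses the Linux /proc/net/arp table format (the data `arp -an` displays), compares successive snapshots, and reports two things: one hardware address holding several IPs in a single snapshot, and an IP whose hardware address changed between snapshots (arpwatch calls this a "flip flop"). The gateway address 192.168.1.1 from the original post is flagged specially because a client that suddenly resolves it to another MAC is seeing exactly the spoof the poster worried about. The two snapshots are constructed for the example, as a client on 192.168.1.0/24 would see them.

```python
"""Audit successive /proc/net/arp snapshots for conflicting IP/MAC bindings.

Added example; the snapshots below are constructed, not captured.
"""
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"   # router address from the original post
ATF_COM = 0x2                # /proc/net/arp flag bit: entry is complete (resolved)

# Constructed snapshot 1: gateway at its real MAC, one unresolved entry.
SNAPSHOT_1 = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         02:00:00:00:00:01     *        wlan0
192.168.1.3      0x1         0x2         02:00:00:00:00:03     *        wlan0
192.168.1.4      0x1         0x2         02:00:00:00:00:04     *        wlan0
192.168.1.9      0x1         0x0         00:00:00:00:00:00     *        wlan0
"""

# Constructed snapshot 2: host .3 now answers ARP for the gateway address.
SNAPSHOT_2 = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         02:00:00:00:00:03     *        wlan0
192.168.1.3      0x1         0x2         02:00:00:00:00:03     *        wlan0
192.168.1.4      0x1         0x2         02:00:00:00:00:04     *        wlan0
"""


def parse_arp_table(text):
    """Return {ip: mac} for the complete entries of a /proc/net/arp dump."""
    table = {}
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, _hwtype, flags, mac, _mask, _dev = fields[:6]
        if int(flags, 16) & ATF_COM == 0:       # unresolved entry, no MAC to audit
            continue
        table[ip] = mac.lower()
    return table


def macs_with_multiple_ips(table):
    """One hardware address answering for several IPs in the same snapshot."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def flip_flops(old, new):
    """IPs whose MAC differs between two snapshots: (ip, old_mac, new_mac)."""
    return [(ip, old[ip], new[ip])
            for ip in sorted(old) if ip in new and old[ip] != new[ip]]


def audit(snapshots):
    """Run both checks over a list of snapshot texts and return findings."""
    tables = [parse_arp_table(s) for s in snapshots]
    findings = []
    for mac, ips in sorted(macs_with_multiple_ips(tables[-1]).items()):
        findings.append(f"MAC {mac} holds {len(ips)} IPs: {', '.join(ips)}")
    for old, new in zip(tables, tables[1:]):
        for ip, before, after in flip_flops(old, new):
            tag = "GATEWAY " if ip == GATEWAY_IP else ""
            findings.append(f"{tag}{ip} moved from {before} to {after}")
    return findings


if __name__ == "__main__":
    for line in audit([SNAPSHOT_1, SNAPSHOT_2]):
        print(line)
```

On a live host, feed the audit with `open("/proc/net/arp").read()` taken at intervals instead of the constructed strings. Note what this can and cannot see: a single snapshot never contains the same IP twice (the kernel cache is keyed by IP), so a duplicate IP only shows up as a change over time, which is why arpwatch keeps history rather than inspecting one dump. And, as the reply above says, catching the spoof after the fact does not protect the traffic that was already sniffed.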