[TriLUG] MAC-based web blocking

jason at monsterjam.org jason at monsterjam.org
Tue Sep 12 08:45:34 EDT 2006


http://cr.yp.to/djbdns.html

Jason

On Tue, Sep 12, 2006 at 08:38:04AM -0400, Brian Henning wrote:
> Heh.  Yeah, except we don't currently do in-house DNS (though 
> eventually, if I ever have time for hobby projects like that, I would 
> love to set it up..)
> 
> ~B
> 
> Shawn William Taylor wrote:
> >Why don't you use an IP rule based on their DNS entry?
> >They shouldn't be able to figure that out.
> >
> >Unless they monitor this list!
> >
> >:)
> >
> >shawn
> >
> >"Aaron S. Joyner" <aaron at joyner.ws> 
> >Sent by: trilug-bounces at trilug.org
> >09/11/2006 08:09 PM
> >Please respond to
> >Triangle Linux Users Group discussion list <trilug at trilug.org>
> >
> >
> >To
> >Triangle Linux Users Group discussion list <trilug at trilug.org>
> >cc
> >
> >Subject
> >Re: [TriLUG] MAC-based web blocking
> >
> >Brian Henning wrote:
> >
> >>The reason I don't want to use IP-based rules is that our problem 
> >>users are probably resourceful enough to try resetting their IPs.
> >>
> >>But yeah, I was already on that track; glad to have some encouraging 
> >>suggestions. :-)
> >>
> >>Thanks!
> >>~B
> >
> >So I'm like 5 days late in replying to this... but do you think they're 
> >not also resourceful enough to change their MAC addresses?  You could do 
> >it by switch port if you're feeling particularly script-happy (and have 
> >basic managed switches), but what keeps them from plugging into a new 
> >switch port?  If you're feeling like doing it right, use a managed 
> >switch and 802.1x to lock them into a separate VLAN, from which 
> >controlling access is a simple matter of only allowing http through 
> >squid from the subnet associated with that VLAN.  Anything else just 
> >helps you sleep better at night, thinking you've actually achieved some 
> >controls they can't get around.  But perhaps sleep or plausible 
> >deniability is all you're really after.
> >
> >Aaron S. Joyner
> 
> -- 
> ----------------
> Brian A. Henning
> strutmasters.com
> 336.597.2397x238
> ----------------

-- 
================================================
|    Jason Welsh   jason at monsterjam.org        |
| http://monsterjam.org    DSS PGP: 0x5E30CC98 |
|    gpg key: http://monsterjam.org/gpg/       |
================================================



