I'm currently negotiating with the IT manager of a big school in Nîmes. He wants to resolve a series of problems. Most of them (like traffic shaping, web content filtering) I know how to deal with, but one question is puzzling me. Is there a way to block smartphones like iPhones from connecting to the school's wifi? On their current hardware (a simple router) every smartphone appears as "iphone2". This router will eventually be replaced by a Slackware gateway/firewall/proxy/filter. DHCP, DNS, NTP and all services will run on this Slackware server.
Any idea if something like that would be possible?
300 is not really very many static IPs to hand out and is a pretty simple function for the IT department to manage.
Maybe you should offer to do this for them, for a fee of course, and continue to offer consultancy for new and leaving students to keep tight control of IP allocations. You might even sell it to them as a value-added service.
BSD packet filters can do OS fingerprinting to block based on source operating system. I'd be surprised if netfilter didn't have something similar, although when it comes to firewalls I stay as far away as possible from the Linux netfilter mess, so I'm afraid I can't be of any more use to you.
I would let everyone register their laptop, so that you know all allowed laptop MAC addresses.
You can then add host definitions (with pre-defined IP addresses for the registered MAC addresses) for all these computers to your server's dhcpd.conf and put all of them in one pool definition.
All other DHCP clients (the 'unknown' ones) get a separate pool, including characteristics like separate IP address ranges, another default gateway, and perhaps traffic routed through a caching and filtering (transparent) proxy.
Put the IP ranges for the 'unknown' devices in a separate VLAN if the switches support it, and apply different QoS for the unknowns so that registered clients have better speeds, different or no internet filters, and lower latency.
Yes, MAC addresses can be spoofed, but actually if a student can pull that off, I'd know I had to watch him better. You can write some scripts that connect (using nmap for instance) to IP addresses of registered computers and perform OS fingerprinting on all of them. Then highlight the ones that show non-Slackware or non-Windows OS and talk to the kids to whom the MAC address is registered.
With some creativity you can set up a system that needs minimal support (you can write a web form to add or delete hosts to the DHCP server configuration and leave the administration to the school's IT manager).
Let's be pragmatic... Do it with PPPoE over WLAN. Combine it with MAC checking. You've got a user/password? The first time you connect, your MAC is matched with them.
Everyone has a user and password. If one of them makes that information public, you/they have an ass to kick.
Last edited by Darth Vader; 02-08-2014 at 03:36 PM.
I would let everyone register their laptop, so that you know all allowed laptop MAC addresses.
You can then add host definitions (with pre-defined IP addresses for the registered MAC addresses) for all these computers to your server's dhcpd.conf and put all of them in one pool definition.
I'm already using a similar setup in two smaller schools here. While on paper it seems an elegant solution, in everyday practical life it is quite time-consuming.
Not really time-consuming if you put some effort into automating things. I use something similar in a smaller network (~200 users) and, apart from the time spent on building and testing it first, it just works without any extra involvement. The whole "system" consists of one server with a web application where you can register people and computers, a database server, and a router (Slackware of course) with a simple application that creates new iptables and dhcpd configs from a template with data from the database, replaces the actual config files and reloads the iptables and dhcpd rules. It's event-based, so rules are reloaded only when needed (no cron involved).
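An added sketch of the generator step described in the posts above (registered MACs become dhcpd.conf host entries, unregistered clients lease from a separate pool); it is not code from any poster. The addressing plan, the row format, and the names `check` and `render_dhcpd` are assumptions, and the rows are constructed. Because the rows come from a web form, every field is validated before it reaches the config file.

```python
import ipaddress
import re

MAC_RE = re.compile(r"[0-9a-f]{2}(:[0-9a-f]{2}){5}")
NAME_RE = re.compile(r"[a-z0-9][a-z0-9-]{0,62}")
# Assumed plan: registered hosts get fixed addresses in STATIC; others lease from UNKNOWN.
STATIC = (ipaddress.IPv4Address("192.168.10.10"), ipaddress.IPv4Address("192.168.10.199"))
UNKNOWN = "192.168.10.200 192.168.10.250"

# Constructed sample rows, as a registration web form might have stored them.
REGISTRY = [
    {"name": "lab-pc-01", "mac": "00:16:3E:00:00:01", "ip": "192.168.10.11"},
    {"name": "teacher-nb", "mac": "00-16-3e-00-00-02", "ip": "192.168.10.12"},
    {"name": "x; } option routers 10.0.0.66; host y {", "mac": "00:16:3e:00:00:03", "ip": "192.168.10.13"},
    {"name": "clone", "mac": "00:16:3e:00:00:01", "ip": "192.168.10.14"},
    {"name": "stray", "mac": "00:16:3e:00:00:05", "ip": "192.168.10.220"},
]

def check(row, seen):
    """Return (normalised row, None), or (None, reason) if the row must not be written."""
    mac = row["mac"].lower().replace("-", ":")
    if not NAME_RE.fullmatch(row["name"]):
        return None, "bad name"  # also stops config injection via the name field
    if not MAC_RE.fullmatch(mac):
        return None, "bad mac"
    try:
        ip = ipaddress.IPv4Address(row["ip"])
    except ValueError:
        return None, "bad ip"
    if not STATIC[0] <= ip <= STATIC[1]:
        return None, "ip outside static range"
    if seen & {mac, str(ip), row["name"]}:
        return None, "duplicate"
    seen.update((mac, str(ip), row["name"]))
    return {"name": row["name"], "mac": mac, "ip": str(ip)}, None

def render_dhcpd(registry):
    """Build the dhcpd.conf text; return (conf, [(name, reason), ...]) for rejected rows."""
    seen, hosts, rejected = set(), [], []
    for row in registry:
        ok, why = check(row, seen)
        if ok:
            hosts.append("host {name} {{\n  hardware ethernet {mac};\n  fixed-address {ip};\n}}".format(**ok))
        else:
            rejected.append((row["name"], why))
    subnet = ("subnet 192.168.10.0 netmask 255.255.255.0 {\n  option routers 192.168.10.1;\n"
              f"  pool {{\n    allow unknown-clients;\n    range {UNKNOWN};\n"
              "    option routers 192.168.10.2;  # assumed filtered gateway\n  }\n}\n")
    return subnet + "\n".join(hosts) + "\n", rejected
```

Check the generated file with `dhcpd -t -cf <file>` before swapping it in, so a bad render never replaces a working configuration.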