Bryan J Murrel wrote:
> from the quill of morgan @
edu (Wes Morgan)
> > When presented with this problem (in an educational environment, no less;
> > lots of folks keen to play with config files), we simply required (read:
> > dictated) that any TCP/IP apps had to come from the server. On the ser-
> > ver, all apps/config files were read-only configured for BOOTP.
> Yes, that's what we do as well, but it does not prevent somebody
> knowlegable enough from chaning the TCP/IP config from getting the IP
> address from a bootp packet to "user entered" with the software we use.
> How do manage to prevent that kind of change??
We're considering the use of a small wedge that hooks the packet
drivers we have on our PC's. It would act as a simple outgoing
packet filter, and drop any packet that doesn't match our
requirements, i.e. "doesn't have this PC's IP address" or "uses port
666", and give the calling program a no error reponse. Besides
prevention of internal IP spoofing, it would have other uses:
1. Doom control (our motivation)
2. Would prevent accidental routing around your firewall by someone
with a modem.
I don't know how this would work with BOOTP, but someone out there
may have suggestions.
Ramon De La Cuetara
Universidad Interamericana de Puerto Rico, Departamento de Quimica
Tel. (809) 250-8379 cuetara @