[Rack] [Noisebridge-discuss] network down this afternoon, an interesting guide for people who want to help when the network goes down

Nick Owens mischief at offblast.org
Tue Jun 5 22:38:18 UTC 2012


Can't we whitelist the real DHCP server on UDP port 68, and drop packets on
the LAN whose source port is 68 and not on the whitelist?

On Tue, Jun 5, 2012 at 3:27 PM, John Adams <jna at retina.net> wrote:

> One thing that we do is to put a blanket ACL across untrusted networks.
>
> Block UDP 0.0.0.0/0 port 67 and port 68 from your LANs and from any
> source that shouldn't be offering DHCP.
>
> -john
>
> On Tue, Jun 5, 2012 at 1:40 PM, Jonathan Lassoff <jof at thejof.com> wrote:
>
>> On Tue, Jun 5, 2012 at 12:44 PM, Ben Kochie <ben at nerp.net> wrote:
>> > We could easily separate some of the services off of the one NAT box.
>> >
>> > I've thought about setting up a synced virtual router on stallion using
>> > failoverd and vyatta's NAT state sync.
>> >
>> > It would also possibly make sense to put the local DHCP/DNS services on a
>> > separate instance from the NAT handling.  We can easily do this with some
>> > virtual machines on stallion.  Or we could move some of these services to
>> > minotaur.
>>
>> I think there is some value to keeping all of the network functions on
>> something that is mounted to the "Wall-O-Tubes". This way, there is a
>> clear distinction as to what hardware is the bare-minimum necessary to
>> keep basic services working.
>>
>> Perhaps we could:
>>  - add another soekris or atom board
>>  - Wire up some 2.4 GHz APs to the W.O.T. (there is/was a 5 GHz one)
>>  - Set up all downstream distribution through that Juniper EX, set up
>> DHCP-based port security protections
>>
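The allowlist check proposed in this thread, as an added example that is not code from any of the posters or from Noisebridge's network: it parses DHCP payloads and flags server-side messages (BOOTREPLY, or OFFER/ACK/NAK, which RFC 2131 servers send from UDP port 67) whose source address or server identifier is not on the allowlist. The address 10.0.0.1, the helper `build` and the sample packets are constructed assumptions.

```python
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # option 53 values only a server sends

def parse_dhcp(payload):
    """Return (op, msg_type, server_id), or None if the payload is not valid DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    op, msg_type, server_id, i = payload[0], None, None, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:  # end option
            break
        if code == 0:  # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            return None  # truncated option
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:  # DHCP message type
            msg_type = data[0]
        elif code == 54 and length == 4:  # server identifier
            server_id = ".".join(map(str, data))
        i += 2 + length
    return op, msg_type, server_id

def rogue_replies(packets, allowed):
    """List server-side DHCP messages whose source or server ID is not allowlisted."""
    flagged = []
    for src_ip, src_port, payload in packets:
        parsed = parse_dhcp(payload)
        if parsed is None:
            continue
        op, msg_type, server_id = parsed
        from_server = src_port == 67 or op == 2 or msg_type in SERVER_TYPES
        trusted = src_ip in allowed and server_id in allowed | {None}
        if from_server and not trusted:
            flagged.append((src_ip, SERVER_TYPES.get(msg_type, "REPLY"), server_id))
    return flagged

def build(op, msg_type, server_id=None):
    """Constructed sample payload: zeroed BOOTP header plus options 53 and 54."""
    sid = bytes([54, 4, *map(int, server_id.split("."))]) if server_id else b""
    return bytes([op, 1, 6, 0]) + b"\x00" * 232 + MAGIC + bytes([53, 1, msg_type]) + sid + b"\xff"

ALLOWED = {"10.0.0.1"}  # assumed address of the legitimate DHCP server
SAMPLE = [("10.0.0.1", 67, build(2, 2, "10.0.0.1")),    # legitimate offer
          ("10.0.0.66", 67, build(2, 2, "10.0.0.66")),  # offer from an unlisted host
          ("0.0.0.0", 68, build(1, 1))]                 # client DISCOVER, ignored
```

`rogue_replies(SAMPLE, ALLOWED)` reports only the offer from 10.0.0.66; the same decision is what a switch-level DHCP port security feature or an ACL enforces in the forwarding path.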

