Rüdiger Meier wrote:
On Thursday 17 November 2011, James Knott wrote:
Also, a router normally passes all valid addresses from a subnet, unless specifically configured not to. As an example, my firewall/router here is a Linux box. For me to limit what addresses can pass through it, I'd have to use the iptables rules to block some addresses.
Yes and what's wrong with using iptables? Only incompetent network admins are using iptables or what?
My point was not about iptables, but rather I'd have to take specific actions to limit what addresses are passed/blocked by the router.
But I, as a network admin, can expect my users to comply with the rules I've set up for the network, so it's their problem, either they want access or they don't. Now wouldn't it be greatly helpful if you/your system could *easily* adapt to these rules?
If your rules don't allow normal, out of the box, behaviour, then your rules are wrong, unless you're prepared to configure every computer to comply with them.
That's simply not true. If you would plug your box into my network here then I would not route anything from you regardless of which IP you are using. This is what I'm doing here and I consider it right because I don't want clients like you using my net.
Get a computer running Windows 7 and plug it into your network without modification and see what happens. This is what is happening all over the world. If your network config blocks this, then you have a big problem of your own creation. You either change the network rules or you change all the computers on your network. Your choice.
This is most definitely not a user issue as most users wouldn't have a clue about it. As a network admin, I'd expect you to know the implications of what you do. Blocking addresses that are not based on the MAC is not a suitable policy,
How do you know the policies and requirements of Lew's network?
in that, by default, later versions of Linux & Windows provide both MAC based and random IP addresses.
Neither the Windows nor the Linux client _provides_ the address but the owner of the net you want to be part of.
The network provides the most significant bits (the subnet address only). The host portion of the address is provided by the computer, unless DHCP is used. The host portion may be determined by MAC address, random number or, as in this case, both. In Windows 7, run ipconfig and tell me what you see w.r.t. IPv6 addresses. You will see an IPv6 address based on the MAC, a temporary IPv6 address based on a random number, a link local address starting with FE80 and a Teredo tunnel address, unless it has been disabled. Both the MAC and random addresses will be valid on your subnet.
BTW back to Lew's problem ... Reading his last posting you see that obviously he has no problems accessing the net. Network admin just told him to not use random addresses or they _will_ block him soon. (If I got it right.)
That's also my impression and it means they will be blocking Windows 7 (and other later Windows versions) too. Use Wireshark to take a look at what happens when you, for example, connect to a web site. It will identify your computer by the temporary address, whether in 12.1 or Windows 7. You will not see the MAC based address, unless some other computer connects to yours.
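
The address kinds named in the message above (MAC-based, random/temporary, link-local FE80, Teredo), as an added example that is not part of the original post: a Python sketch that derives the MAC-based (modified EUI-64) address for a /64 prefix and classifies addresses an admin might see in a capture or a filter log. The prefix, MAC and sample addresses are constructed, and the function names are hypothetical.

```python
import ipaddress
from typing import Optional

LINK_LOCAL = ipaddress.ip_network("fe80::/10")
TEREDO = ipaddress.ip_network("2001::/32")

def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface ID built from a 48-bit MAC."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit, then insert ff:fe between the two halves.
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Network-supplied /64 prefix + host-supplied MAC-based interface ID."""
    net = ipaddress.ip_network(prefix)
    if net.version != 6 or net.prefixlen != 64:
        raise ValueError("expected an IPv6 /64 prefix")
    return net[int.from_bytes(eui64_interface_id(mac), "big")]

def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC if the low 64 bits look like modified EUI-64."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{x:02x}" for x in mac)

def classify(addr: str) -> str:
    ip = ipaddress.IPv6Address(addr)
    if ip in LINK_LOCAL:
        return "link-local"
    if ip in TEREDO:
        return "teredo"
    # A random interface ID can contain ff:fe by chance (about 1 in 65536),
    # so "mac-based" is a strong hint, not proof.
    return "mac-based" if mac_from_address(addr) else "not-mac-based"

if __name__ == "__main__":
    # Constructed sample values (documentation prefix 2001:db8::/32).
    stable = slaac_address("2001:db8:1:2::/64", "00:11:22:33:44:55")
    samples = [str(stable), "2001:db8:1:2:5c3a:91d7:e04b:a612",
               "fe80::211:22ff:fe33:4455",
               "2001:0:4137:9e76:1c2b:3d4e:5f60:7182"]
    for a in samples:
        print(f"{a:42} {classify(a):14} mac={mac_from_address(a)}")
```

A filter that admits only the "mac-based" class on a subnet would drop the random/temporary addresses the message describes, even though both carry the same network-supplied prefix.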