On Monday 10 March 2003 09:59, Phil Driscoll wrote:
> You may find that you are in breach of your agreement with the council as ISP if you do this. Unless you are very careful about how you set things up - which you probably will be because you are on this list :) - you could easily provide a simple route through your ISDN for an attacker to access the entire LEA network. I believe that some schools in Leeds (where the LEA-provided access is limited like yours) have been stamped on for this.
The ISDN router is firewalled externally and by our Linux box and we're not connected directly to the LEA network but we can see some of the schools' networks if they have services running on certain IPs. That seems more scary. ;)
> Your setup as you describe it seems terribly wasteful of bandwidth into the school. Surely a much better arrangement would be to have all your internal network machines pointing to a proxy server in school and this should be the only machine with routing to the LEA network.
Sorry, maybe I didn't go into enough detail before. Both Linux boxes are running as proxies, the council one also does filtering as they can't seem to do it properly. We originally had the gateway set to the ISDN and the browsers' proxy settings looking at our proxy on the bb gateway. This was working well apart from some of the users' profiles weren't pulling the proxy settings down. Our solution was to change the gateway to also point to our bb proxy and use transparent proxying on it. This works great now for filtering but not good for anything else. The only other things we need are SMTP and POP3, which the council are supposed to provide. SMTP is there but POP3 will only let you collect from the internal mail servers.

Maybe I should a) badger the council to let us get external POP3 b) get the network manager to look at the profiles again. Would it be easier if I set up a box with 3 cards, 1 for internal, one for bb and one for ISDN and do the routing that way?

Cheers
Matt