[Balug-Talk] ip masquerading and system logs

Michael Paoli Michael.Paoli at cal.berkeley.edu
Wed Nov 7 22:36:22 PST 2007


Might step back slightly, and ask a bit more what is the "problem" we
are trying to solve, or what - at least in a bit more detail - are we
trying to accomplish?

Do we want to track/log to the student? ... or to their workstation or
Ethernet MAC address?  How homogeneous/controlled (or not) is the
"student" environment?  Do the students have to authenticate on/to
the network, and does one want to track/log relative to that?

Some (semi-?)random ideas that may be useful, at least in part:
IPv6 - if the student workstations use IPv6, it may be rather easy
to correlate IP addresses and MAC addresses - the proxy/gateway/firewall
could still handle the proxy/masquerade stuff ... and over time, some of
the masquerade system/device's work could be reduced ... as IPv6 becomes
more prevalent, the masquerading need could be slowly phased out, and
reduced to firewalling/logging ... unless one also wants to keep
masquerading to better hide user/student/workstation identities.

Some of the simple types of authentication commonly used in (semi-)open
WiFi networks may be useful - e.g. student connects to network (or
starts a new session on workstation), new DHCP lease is granted, but
can't get to Internet until they fire up browser and authenticate - that
then correlates IP (and MAC address, from DHCP logs) to the student.
That correlation then persists until they log off or someone else logs
on (authenticates) to allow that IP to go through the proxy again (and
when the student logs off or their IP becomes unpingable, for more than
a rather short bit, they can no longer go through the proxy until they
authenticate again).

There may be many other possibilities, but perhaps that gives you some
useful ideas.

Quoting Ruben Safir:

> On Wed, Nov 07, 2007 at 09:26:38PM -0800, Hoover Chan wrote:
> > I'm in an environment where I'm being asked to track where students are
> > going on the Internet. The workstations in question are using dynamic
> > addressing and IP masquerading. Is it a matter of adjusting the log level
> > for syslogd or do I need to go to something like Squid and Dansguardian?
> > Or something else?
> 
> You might give them assigned IP addresses based on the MAC with DHCPCD
> and then you will be able to log them.  I use ntop for some businesses
> and my house.
> 
> > Yes, I know about privacy implications here too and I'm raising that issue
> > at the same time but there are some compelling circumstances for 
> > protecting children...

