 From:  Melvin Backus <melvin at sleepydragon dot net>
 To:  A dot L dot M dot Buxey at lboro dot ac dot uk
 Cc:  Robert Bialecki <robert at mpiwifi dot com>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Firewall Quiestion
 Date:  Wed, 26 Jan 2005 16:39:38 -0500
At 03:28 PM 1/26/2005, A dot L dot M dot Buxey at lboro dot ac dot uk wrote:
> > OK, think about it a little differently.  The WAN side of your m0n0, the
> > internet, is like the water line in your house.  Your m0n0 box is a
> > faucet.  All the lan machines are in the bath tub, and m0n0 can control
> > what gets into the tub, but how would you expect to keep the water in
> > one part of the tub from mixing with another part?  If you create
> > separate tubs, then you can do it, but in order to do that, you have
> > created separate lans.  VLANs might work if your equipment supports it,
> > or multiple interfaces on m0n0 would support it, but each machine would
> > have to be on a separate lan, otherwise, they all get to see everything
> > else.  By definition, only traffic which is on a different subnet goes
> > to the gateway (m0n0).  Everything else goes directly from machine to
> > machine.
>Nice analogy.
>What you can do (and something we've played with before on our main network)
>is to 'break' the clients from seeing each other. This can be simply done by
>sending them a network setup via DHCP which doesn't let them see each other
>but does let them see the router (i.e. m0n0wall). This particular method simply
>uses the netmask. Set at a suitable value, their machine 'works' but they
>can't talk to others. I'm not sure if m0n0's DHCP settings allow the required
>settings to be sent, but this is a way of doing what you ask.
>Of course, as normal wireless APs are just hubs, then there's no way of stopping
>the clients sniffing the traffic with the correct tools... but they wouldn't
>be doing trivial IP traffic connections as they are now.

Agreed, and this is what many ISPs do when they issue you a dynamic IP 
address via dialup or DSL, etc.  They set your mask to /32, 
which allows you to only see your gateway and yourself 
without going through the gateway first, thus creating in effect a separate 
lan/vlan.  On a MS DHCP server you could create a separate scope for each 
address.  I'm not familiar enough with others to know, but assume many would 
also have that capability.  I'm not sure whether it can be done with m0n0 or not, 
but essentially that's what creating separate vlans would appear to 
do.  Now, given that you've really only put blinders on the horse, there's 
nothing keeping them from turning their head, so to speak, and seeing what else 
is out there.  They can manually assign the IP to the same one you gave 
them, and change the mask to see what else is about.  If your switching 
hardware supports vlans, then it may prevent this from happening, but if 
not, you haven't really provided any real security between the 
machines.  You've just closed a door which has no lock to prevent 
entry.  Then again, we are talking wireless here, so perhaps the appearance 
is enough. ;)

Whom computers would destroy, they must first drive mad.

Melvin Backus
Principal Wizard
Sleepy Dragon Enterprises
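The two messages above describe the same mechanism from both sides: a DHCP server hands out a /32 subnet mask so the client sees only itself and its router, and a client that rewrites its own mask gets the rest of the segment back. The script below is an added example written for this archive page, not code from the thread or from m0n0wall. It encodes the DHCP subnet-mask and router options (RFC 2132 option codes 1 and 3) that such a lease would carry, decodes them as a client would, and then models the client's forwarding decision for a few peers. The addresses are constructed for the example, and the routing model is deliberately simplified: it assumes the client installs a host route for its gateway (the usual behaviour when the gateway falls outside a /32) and sends everything else on-link only when the destination falls inside its configured subnet.

```python
import ipaddress

# DHCP option codes from RFC 2132 (subnet mask, router, end marker)
OPT_SUBNET_MASK = 1
OPT_ROUTER = 3
OPT_END = 255


def encode_isolating_options(prefix_len, gateway):
    """Build the option bytes a DHCP server would send for a lease whose
    subnet mask has the given prefix length (32 gives the 'see only the
    gateway' lease described in the thread)."""
    mask = ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask
    opts = bytes([OPT_SUBNET_MASK, 4]) + mask.packed
    opts += bytes([OPT_ROUTER, 4]) + ipaddress.IPv4Address(gateway).packed
    opts += bytes([OPT_END])
    return opts


def decode_options(raw):
    """Parse the TLV option field as a DHCP client would; only the two
    options this example cares about are interpreted."""
    out = {}
    i = 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_END:
            break
        if code == 0:  # pad option has no length byte
            i += 1
            continue
        length = raw[i + 1]
        value = raw[i + 2 : i + 2 + length]
        if code == OPT_SUBNET_MASK:
            out["subnet_mask"] = str(ipaddress.IPv4Address(value))
        elif code == OPT_ROUTER:
            out["router"] = str(ipaddress.IPv4Address(value))
        i += 2 + length
    return out


def next_hop(client_ip, netmask, gateway, dst_ip):
    """Simplified host forwarding decision (assumption for this example):
    the gateway is always reachable on-link via a host route, anything
    else inside the configured subnet is sent directly, and the rest goes
    through the gateway (where a firewall like m0n0wall can see it)."""
    if dst_ip == gateway:
        return "direct"
    net = ipaddress.IPv4Network((client_ip, netmask), strict=False)
    if ipaddress.IPv4Address(dst_ip) in net:
        return "direct"
    return gateway


def directly_reachable(client_ip, netmask, gateway, peers):
    """Peers the client would talk to without passing through the gateway."""
    return [p for p in peers if next_hop(client_ip, netmask, gateway, p) == "direct"]


if __name__ == "__main__":
    # Constructed sample segment: one router and three wireless clients.
    gw = "192.168.1.1"
    peers = ["192.168.1.60", "192.168.1.70"]

    lease = decode_options(encode_isolating_options(32, gw))
    print("lease as offered:", lease)
    print("on-link peers with the /32 lease:",
          directly_reachable("192.168.1.50", lease["subnet_mask"], gw, peers))

    # The caveat from the reply: the client keeps the same address but
    # rewrites its own mask, and the blinders come off.
    print("on-link peers after the client sets /24:",
          directly_reachable("192.168.1.50", "255.255.255.0", gw, peers))
```

Running it shows the /32 lease sending every peer through the gateway, and the same client with a self-assigned /24 reaching both peers directly. That is exactly why the thread concludes that the mask is a convenience rather than a control: the decision lives on the client, so enforcement has to come from something the client does not control, such as VLANs on the switching hardware.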