 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  Henning Wangerin <mailinglists dash after dash 041101 underscore reply dash not dash possible at hpc dot dk>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Webcam and captive portal.
 Date:  Thu, 24 Feb 2005 00:23:48 -0500
On Wed, 23 Feb 2005 21:07:41 +0100, Henning Wangerin
<mailinglists dash after dash 041101 underscore reply dash not dash possible at hpc dot dk> wrote:
> Hi!
> 
> I have a wireless-netcam (surecom nl-401) that I want to allow access to
> my file-server for uploading of images to an archive.
> 
> My AP (a Dlink DWL-900AP+) is connected to a separate interface on my
> m0n0wall that's going to be set up with captive portal.
> 
> What would be considered the best way to accomplish that?
> 
> 1) Set up the webcam on a static IP (dhcp for easy handling) and
> firewalling so it only can connect to the ftp-server. The cam can be
> setup to push new images to the ftp-server automatically.
> *PRO
> No extra load is generated on the server in case of no connection
> *CON
> the ftp-credentials can be found on air, and the mac/ip hijacked
> 
> 2) Set up the webcam on a static IP (dhcp for easy handling) and
> firewalling so no connections out is possible, and let the server pull
> information
> *PRO
> no credentials on air except eventually a readonly-access to the cam
> *CON
> the server has to do more error-handling in case of missing connection.
> 

I'd say 2 is the more secure way, and probably the way I'd set it up. 
The server wouldn't really have to worry about error handling.  If it
fails, just give up.

If 1 is easier, and you have good reason to be concerned about
protecting the traffic and FTP server, just use an FTP user for only
that purpose and chroot it into its home directory.  The worst
somebody could do with those privileges is use it as a warez
repository if it's publicly-accessible (assuming no configuration
issues).  Setting up disk quotas would minimize that risk.

-Chris
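
A sketch of the server-side pull from option 2 with the "if it fails, just give up" behaviour, added here as an illustration and not part of the original thread. The camera URL, archive path, timeout and size cap are assumptions; the camera's response is treated as untrusted because the thread notes its MAC/IP could be hijacked on the wireless segment.

```python
import http.client
import os
import tempfile
import time
import urllib.request

MAX_BYTES = 2 * 1024 * 1024  # assumed upper bound for a single snapshot


def looks_like_jpeg(data):
    """Accept only size-capped data framed by the JPEG start/end markers."""
    return len(data) <= MAX_BYTES and data[:2] == b"\xff\xd8" and data[-2:] == b"\xff\xd9"


def fetch_snapshot(url, timeout=5):
    """One attempt, no retries: return the image bytes, or None on any failure."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            data = resp.read(MAX_BYTES + 1)  # never read an unbounded body
    except (OSError, http.client.HTTPException, ValueError):
        return None  # camera unreachable, timed out, or replied with garbage
    return data if looks_like_jpeg(data) else None


def archive_snapshot(data, archive_dir, now=None):
    """Write atomically under a server-chosen name; the camera never picks the path."""
    stamp = time.strftime("%Y%m%d-%H%M%S", time.gmtime(now))
    final = os.path.join(archive_dir, f"cam-{stamp}.jpg")
    fd, tmp = tempfile.mkstemp(dir=archive_dir, suffix=".part")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.replace(tmp, final)  # readers never see a half-written image
    return final


def pull_once(url, archive_dir):
    """Fetch and archive one image; return the stored path or None."""
    data = fetch_snapshot(url)
    return archive_snapshot(data, archive_dir) if data is not None else None


if __name__ == "__main__":
    # Hypothetical camera address and archive directory; schedule from cron.
    print(pull_once("http://192.0.2.10/snapshot.jpg", "/srv/cam-archive") or "no image, giving up")
```

With this direction of transfer the firewall rule on the camera's interface only needs to permit connections from the server to the camera, and no FTP credentials cross the wireless link.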