OK, so the 233 won't be enough. I was afraid of that. :-(

I was thinking that instead of putting all the guests on a 24-port switch, I would put them on 3 8-port switches and have each switch on its own NIC on the m0n0wall box. They could infect the other 8 on their switch, but not the 16 on the other 2 switches. Something is better than nothing... :)

I assume that will take more CPU/RAM though. Maybe I should not worry about segmenting the untrusted LAN?

-Fig

Carsten Holbach wrote:
> Heya
>
> Nice wishes you have ;)
>
> The problem is: how can you block traffic from one guest to another
> that is unwanted? Especially malware, viruses and trojan horses spread
> themselves with broadcasts. For the case that you do not connect each
> guest's computer to its own NIC in your m0n0wall, but all of them
> into a switch (which is common in LANs and LAN party environments), you
> can't block that. If you want to, you need a manageable switch of the
> higher class, where you can close ports in that switch.
> If I understand you right, you just want to block the untrusted LAN
> from the trusted. That's no problem with m0n0wall, and your pings
> should be nice (if somebody complains about a higher latency of 5 ms
> than usual, kick him ^^) if the hardware of the m0n0 box is a bit more
> decent.
> The situation I described above applies for the untrusted LAN(s), then.
>
> Greetings
> Carsten
>
>
> Fig wrote:
>
>> Hello,
>>
>> I finally have the time to finish my M0n0wall box for my LAN.
>> Currently I am running on a Linksys router. It does OK, but there are
>> not enough forwarding lines to handle my needs.
>>
>> I have a small base 100 LAN in my basement, and throw regular LAN
>> parties of up to 30 people. I have 8 gaming machines that are mine,
>> and a Samba server, a Linux web/FTP/Teamspeak server, a Linux
>> gameserver, and a Win32 gameserver. All the servers except the Samba
>> server will be accessible from outside, and the Samba server has NFS
>> installed so the Linux app server can use it as a local drive. 6 of
>> the gaming machines run Win98SE and have no AV software, and I want
>> to block their access to the net. My outside connection is via cable
>> modem.
>>
>> A big concern is the computers my guests bring in. I don't have
>> anything to prevent infection across my LAN, so I would like to set
>> M0n0 up to have my "trusted" machines (gamers and servers) on one
>> leg, the brought-in machines on another, and allow them to
>> communicate across it on selected ports as needed for the games we
>> will play. I would also like to allow access for people to access the
>> fileserver for patches and mods to the games. If possible, I have
>> room for a few additional Realtek NICs and 8-port switches and would
>> like to further segment the "untrusted" portion of my LAN to help
>> protect my friends from each other in case someone goofs. So I might
>> have WAN, LAN, and 3 OPT (untrusted), for example.
>>
>> Will I be able to achieve this with m0n0wall and still keep my
>> latencies down to acceptable levels? I have a few systems I can use;
>> I prefer to use a P233 box with 128MB of RAM, but I can go up to a
>> Duron 1300 with 256MB if it is needed.
>>
>> Thoughts?
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>>
>>
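The following is an added example, not part of the thread and not m0n0wall code or configuration. It models the two layouts Fig is weighing (24 guests on one switch vs. three 8-port switches on their own OPT interfaces) and a worm that discovers victims by broadcast and spreads by unicast SMB, so you can count how many boxes one infected guest can reach under a given rule set. Host names, interface names, the game port (27015/udp), the worm's ports and the first-match, default-block policy (including a LAN-to-any pass rule standing in for m0n0wall's default LAN rule) are all assumptions of the model; every host is treated as vulnerable, which is the worst case.

```python
"""Blast-radius model for a segmented LAN-party network.

Illustrative example only; not m0n0wall code or configuration. Host and
interface names, ports and the rule set below are assumed. Worst case:
every host is considered vulnerable to the worm.
"""
from collections import deque

OPT_IFS = {"OPT1", "OPT2", "OPT3"}


def build_segments(split_guests):
    """Return {interface: set(hosts)}. The trusted LAN holds 8 gaming boxes
    and 4 servers; 24 guests sit either on one switch (OPT1) or on three
    8-port switches, each on its own NIC (OPT1..OPT3)."""
    segs = {"LAN": {f"gamer{i}" for i in range(1, 9)}
            | {"samba", "appserver", "linuxgs", "win32gs"}}
    guests = [f"guest{i}" for i in range(1, 25)]
    if split_guests:
        for n in range(3):
            segs[f"OPT{n + 1}"] = set(guests[n * 8:(n + 1) * 8])
    else:
        segs["OPT1"] = set(guests)
    return segs


def interface_of(segs, host):
    for name, hosts in segs.items():
        if host in hosts:
            return name
    raise KeyError(host)


# Policy: first matching rule wins, anything unmatched is blocked.
# The LAN-to-any pass rule stands in for the default LAN rule (assumed).
GAME_ONLY = [
    {"src": OPT_IFS, "dst": "linuxgs", "proto": "udp", "dport": 27015, "action": "pass"},
    {"src": OPT_IFS, "dst": "win32gs", "proto": "udp", "dport": 27015, "action": "pass"},
    {"src": {"LAN"}, "dst": "any", "proto": "any", "dport": "any", "action": "pass"},
]
# Same policy plus SMB from guests to the Samba box for patches and mods.
WITH_FILESERVER = [
    {"src": OPT_IFS, "dst": "samba", "proto": "tcp", "dport": 445, "action": "pass"},
] + GAME_ONLY


def can_reach(segs, rules, src, dst, proto, dport):
    """Unicast reachability. Hosts on the same switch talk directly; the
    firewall only sees traffic that crosses interfaces."""
    src_if, dst_if = interface_of(segs, src), interface_of(segs, dst)
    if src_if == dst_if:
        return True
    for r in rules:
        if (src_if in r["src"] and r["dst"] in (dst, "any")
                and r["proto"] in (proto, "any") and r["dport"] in (dport, "any")):
            return r["action"] == "pass"
    return False


# Worm vectors: (proto, dport, broadcast). Broadcast discovery never leaves
# the switch it was sent on; unicast spread is subject to the firewall.
NETBIOS_WORM = [("udp", 137, True), ("tcp", 445, False)]


def blast_radius(segs, rules, patient_zero, vectors=NETBIOS_WORM):
    """Breadth-first spread from one infected host; returns the infected set."""
    all_hosts = set().union(*segs.values())
    infected, queue = {patient_zero}, deque([patient_zero])
    while queue:
        h = queue.popleft()
        for target in all_hosts - infected:
            for proto, dport, broadcast in vectors:
                if broadcast:
                    ok = interface_of(segs, target) == interface_of(segs, h)
                else:
                    ok = can_reach(segs, rules, h, target, proto, dport)
                if ok:
                    infected.add(target)
                    queue.append(target)
                    break
    return infected


if __name__ == "__main__":
    for name, split, rules in [("flat, game ports only", False, GAME_ONLY),
                               ("split, game ports only", True, GAME_ONLY),
                               ("split, plus SMB to fileserver", True, WITH_FILESERVER)]:
        hit = blast_radius(build_segments(split), rules, "guest1")
        print(f"{name}: {len(hit)} of 36 hosts infected")
```

With only the game ports open, one infected guest reaches 24 hosts on the flat switch and 8 on a split one, and never touches the trusted LAN, which is the "something is better than nothing" Fig describes. Opening SMB from the OPT legs to the file server changes that completely: the worm's own port is now a pass rule, the Samba box becomes the bridge into the LAN, and with a permissive LAN-to-any rule the LAN can in turn reach every OPT segment, so the L2 split buys nothing. The check to make before building the box is therefore which protocols cross from untrusted to trusted; serving patches and mods over HTTP/FTP from the app server rather than over SMB keeps the file server out of the worm's reach.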