From: "Garrett" <glc at c dash email dot com>
> Ok, now that I've finally got my first WRAP up and running (thanks to
> everyone on the mailing list who helped), next up is the firewall rules.
> LAN0: LAN (172.31.101.0/29), 3 hosts
> LAN1: wireless LAN (172.31.101.8/29), 2 hosts (1 AP + 1 PocketPC)
> LAN2: WAN (PPPoE DSL)
There is a reason we use the LAN and OPTx names. There are some things that
can only be done from a LAN interface, and some things that can only be done
from an OPTx interface. I will assume LAN0 is the LAN interface, LAN1 is OPT1,
and LAN2 is WAN.
> wireless subnet: only want to permit access from the PocketPC on this
> to a particular host on the LAN subnet. I want to deny Internet access to
> this subnet all together and deny access to/from the other hosts on the
It should be on OPT. Set up DHCP to give addresses. Put a DHCP static
mapping for your device's MAC address outside of the DHCP scope. Set up a
rule on OPT allowing that single IP to the IP on the LAN subnet. All else will
be denied, but friendly hackers will get IP addresses and be confused. :-)
> LAN subnet: permit Internet access and communication between all hosts on
> this subnet (which of course is already done with the Default LAN -> any
> rule) and deny access to the wireless subnet (except for the particular
> on this subnet)
Deny is already done. Set up the mirror of the rule above on the LAN subnet
from the IP of the pocket PC to the single IP of its destination. Done.