 From:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Ideas for 2nd LAN security
 Date:  Tue, 27 Dec 2005 22:08:40 -0500
On 12/27/05, Sean Waite <swaite at sbn dash services dot com> wrote:
> I am in the process of setting up a second LAN (Wireless) using m0n0wall to bridge them. The first is the regular local LAN, the second being just an access point to connect to one specific webserver within the first LAN.
>
> I have done two different configs of m0n0wall, one allowing DNS and the other rejecting DNS. Ideally with the secure config we want to be able to connect to this specific internal webserver only. At the moment we can only access other computers on the first LAN by using the IP address. Same goes for accessing the internet.
>
> Any ideas on how I could lock this down some more?
>

First, I'd use two different internal subnets, not bridge the
interfaces.  If one is 192.168.1.0/24, set up the second as
192.168.2.0/24 (or something like that).

Speaking in terms of firewall best practices, you're thinking of this
backwards.  You're thinking "what else can I block?", when you should
start with blocking everything and permit only what you must allow. 
Figure out specifically what protocols are needed, and put in allow
rules for those only.  Everything not explicitly permitted is denied
by default.

-Chris
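To make the difference between the two approaches concrete, here is an added example (not part of the thread, and not m0n0wall's own rule syntax) that evaluates constructed packets from the wireless subnet against two rulesets: a "block what I thought of" list, and a default-deny list that permits only HTTP to the one web server. The web server address 192.168.1.10, the 192.168.2.0/24 wireless subnet and all sample traffic are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str           # "pass" or "block"
    src: str              # source network in CIDR notation
    dst: str              # destination network in CIDR notation
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port, None = any port

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and self.dport in (None, pkt["dport"]))

def evaluate(rules, pkt, default="block"):
    """First matching rule wins; anything unmatched gets the default (deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

WEBSERVER = "192.168.1.10"   # assumed address of the internal web server
WLAN = "192.168.2.0/24"      # assumed second (wireless) subnet, as suggested in the reply

# "What else can I block?": deny DNS, then let everything else through.
BLOCKLIST = [
    Rule("block", WLAN, "0.0.0.0/0", "udp", 53),
    Rule("block", WLAN, "0.0.0.0/0", "tcp", 53),
    Rule("pass", WLAN, "0.0.0.0/0", "any", None),
]

# Default deny: a single allow rule for HTTP to the web server; nothing else matches.
ALLOWLIST = [
    Rule("pass", WLAN, WEBSERVER + "/32", "tcp", 80),
]

# Constructed sample traffic from one wireless client.
SAMPLES = {
    "web":      {"src": "192.168.2.50", "dst": WEBSERVER,      "proto": "tcp", "dport": 80},
    "dns":      {"src": "192.168.2.50", "dst": "192.168.1.1",  "proto": "udp", "dport": 53},
    "lan_smb":  {"src": "192.168.2.50", "dst": "192.168.1.20", "proto": "tcp", "dport": 445},
    "internet": {"src": "192.168.2.50", "dst": "198.51.100.7", "proto": "tcp", "dport": 443},
}

def decisions(rules):
    """Return the verdict for each sample packet under the given ruleset."""
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLES.items()}
```

Under BLOCKLIST the client still reaches other LAN hosts by IP and the internet, exactly the leak described in the original post; under ALLOWLIST only the web server on port 80 gets through.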