On 12/27/05, Sean Waite <swaite at sbn dash services dot com> wrote:
> I am in the process of setting up a second LAN (Wireless) using m0n0wall to bridge them. The first is the regular local LAN, the second being just an access point to connect to one specific webserver within the first LAN.
>
> I have done two different configs of m0n0wall, one allowing DNS and the other rejecting DNS. Ideally with the secure config we want to be able to connect to this specific internal webserver only. At the moment we can only access other computers on the first LAN by using the IP address. Same goes for accessing the internet.
>
> Any ideas on how I could lock this down some more?
>

First, I'd use two different internal subnets, not bridge the interfaces. If one is 192.168.1.0/24, set up the second as 192.168.2.0/24 (or something like that).

Speaking in terms of firewall best practices, you're thinking of this backwards. You're thinking "what else can I block?", when you should start with blocking everything and permit only what you must allow. Figure out specifically what protocols are needed, and put in allow rules for those only. Everything not explicitly permitted is denied by default.

-Chris
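The default-deny layout Chris describes, written out as an ipfilter ruleset (m0n0wall 1.x builds its rules on ipfilter, and what its firewall-rules page generates is equivalent to hand-written rules like these). This is an added illustration, not code from the original thread or from the m0n0wall project. Everything specific to the site is assumed: the wireless interface is `wi0`, the wireless subnet is 192.168.2.0/24 with the firewall at 192.168.2.1 running the DNS forwarder, and the one permitted webserver is 192.168.1.10 on TCP/80. Replace those with your own values.

```conf
# ipfilter rules for the wireless segment (constructed example, assumed names/addresses)
#
# Rules are evaluated in order; "quick" stops evaluation at the first match,
# so the order here is: a short allow list, then a catch-all block.
# Filtering "in" on wi0 catches every packet the wireless clients send,
# whether it is headed for the LAN, the firewall itself, or the internet.

# 1. Let wireless clients resolve names, but only against the firewall's own
#    DNS forwarder at 192.168.2.1. This is what makes "http://webserver/"
#    work without opening a path to the rest of the LAN or the internet.
pass in quick on wi0 proto udp from 192.168.2.0/24 to 192.168.2.1 port = 53 keep state

# 2. The one thing this segment exists for: HTTP to a single internal host.
#    "flags S" only matches the initial SYN; "keep state" then admits the
#    rest of that connection, including the server's replies back out wi0.
pass in quick on wi0 proto tcp from 192.168.2.0/24 to 192.168.1.10 port = 80 flags S keep state

# 3. Everything else entering from the wireless side is dropped and logged:
#    other LAN hosts by IP, the internet, and all other ports on the webserver.
block in log quick on wi0 all
```

To check that the allow list is really the only path, test from a wireless client rather than by reading the rules: a TCP connect to 192.168.1.10 port 80 should succeed, while connects to any other 192.168.1.x address, to port 22 or 443 on 192.168.1.10, and to any internet address should all time out, and each attempt should appear in the ipfilter log as a block on wi0. If the wireless segment also needs DHCP from the firewall, add a matching `pass in quick on wi0 proto udp ... port = 67` line above the block; anything not listed stays denied.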