 From:  "Lee Sharp" <leesharp at hal dash pc dot org>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] LAN/WISP block or WAN block ?
 Date:  Tue, 1 Aug 2006 01:59:18 -0500
From: "Bob Young" <bob at lavamail dot net>

> I see you are a WISP provider also.  I have done some WiFi in hotels.  But
> I'm just starting a WISP operation.  Learning Monowall is the last hurdle
> before I start handing out my WISP door hangers.

I use m0n0 in my hotels, and my WISP properties.  Same things, and same 
problems with only authentication and billing being different.

> I'm working on learning the firewall now and getting to where I feel ok
> about it.  After that I will work on learning the traffic shaper.  I hope
> to get through the traffic shaper this week.

I only have traffic shaping enabled in 2 locations right now.  Generally, it 
just isn't a problem.

> Gee, I hope I don't get a lot of people looking at porn.  In my Terms of
> Service, I have spelled out that I don't want my WISP system used for
> porn.  P2P also.  I'll use the info you mentioned to see who the BW hogs
> are.  If they use too much BW, I'll lower their speed, in the Traffic
> Shaper (I'm hoping to get that figured out this week).

Keep in mind that BattleNet (World of Warcraft) uses P2P for all patches and 
updates.  Most linux distributions are torrents.  And porn is a major part 
of the internet.  Your TOS may be ignored, or drive people away.  For 
example, I would not be your customer.  (Assuming I actually read the TOS)

> From what I see of Monowall, I think it will be a real good device to use
> in a WISP system.

It is the best thing I have seen.  And it has replaced many "commercial" 
WISPr solutions for me.

> Do you also agree that I should block only certain bad data, but allow the
> rest?...at least for a WISP site?  I assume that is the way you do it for
> your WISP network?

Generally, I block almost nothing.  Occasionally, I will block specific 
problems, or infected users.  But as a rule, I let the users use what they 
want, after they click [I Agree] on the CP page.  And that CP page includes 
links to free.grisoft.com, and 
http://download.zonelabs.com/bin/free/1001_cnet_zdnet/zlsSetup_65_731_000_en.exe 
that are allowed outbound without authentication.

In-house, however, I am a lot more secure.  I have a default allow rule that 
logs everything.  I turn it off most of the time, and on for testing a new 
app.  Works for me.

                                Lee