 From:  David Rodgers <david dot rodgers at kdsi dot net>
 To:  John Voigt <1geek at jvoigt dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Hotspot Access Pages
 Date:  Wed, 17 Mar 2004 15:07:00 -0600
On Wed, 2004-03-17 at 14:30, John Voigt wrote:
> ----- Original Message ----- 
> From: "David Rodgers" <david dot rodgers at kdsi dot net>
> 
> 
> > THIS IS A FIREWALL NOT A HOTSPOT ACCESS DEVICE
> >
> Well, for you it's a firewall.  A lot of people are using it with the
> Soekris box as a wireless router in their SOHO environment

Yes but this is still not a server it's an access device that traffic
goes THROUGH... see also below 

> 
> > All of you people that want it to do samba and nfs and .....the list
> > goes on and on need to just get another box to do this stuff OR YOU ARE
> > CREATING A SECURITY PROBLEM FOR YOURSELVES
> 
> Running a hotspot is a far cry from samba or nfs.  No one will ever run
> samba or nfs on an embedded PC.
Many people are running this on regular PC hardware not embedded.


> >
> > Is it really that hard to set up a second device to be your server in
> > these instances????
> 
> Actually, yes.  It involves more power and physical space in locations where
> they are at a premium.
There are several storage servers out there that are designed for this
purpose that are smaller than a soekris box that could live behind your
firewall ... see also tigerdirect.com and the snap server line.


> >
> > It's very handy but even the dhcp and vpn server running on the firewall
> > makes me paranoid. Fortunately this amazing product was designed with
> > people like me in mind and can be easily disabled.
> 
> If you trust disabling dhcp and vpn why wouldn't you trust disabling the
> hotspot code?

I don't TRUST anything I can beat up the box and make sure that OFF
MEANS OFF and also have access to the lower layer AND the source if I
still don't quite trust it.

I could disable the hotspot code but I still maintain that allowing the
general public access to ANY SERVICE running on a firewall IS bad. This
includes the management interface to m0n0wall itself.

If you are using this as ONLY an access point and don't care about
anything that is behind it .... hey go ahead .... it's up to you


> >
> > A FIREWALL SHOULD NEVER UNDER ANY CIRCUMSTANCES BE RUNNING A SERVICE
> > THAT IS OPEN TO THE OUTSIDE WORLD IN GENERAL .... and even running a
> > service like nfs or samba on the internal network on your firewall
> > device isn't safe if you have ANY users other than yourself using the
> > network.
> 
> Agreed - see above - not everyone sees this as only a firewall.

Agreed ... but if you read the "mission statement" for why it was
created it clearly is meant to be. It doesn't say "I set out to build an
all in one server appliance/access authentication device"

> 
> If you check the history of this project you'll find that it started out
> life as a cool way to use a Soekris embedded PC.  Many of us continue to use
> it that way and don't share your paranoia as our networks have very little
> of value on them.  We don't need a $12,000.00 safe to protect our $300.00
> worth of jewels.

I am not talking about protecting my "jewels" I am talking about
protecting the health of my network and the machines in it as well as
protecting the internet infrastructure from problems that could occur in
my network.

> 
> All that being said, I bow to Manuel's vision as it's his project.  Just as
> nothing stops the rest of us from adding hotspot code and samba and whatever
> else people want to add, you are not prevented from removing code that you
> do not trust.

Exactly ..... coincidentally 



> 
> 