 From:  Dana Spiegel <dana at sociableDESIGN dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Hotspot Access Pages
 Date:  Thu, 18 Mar 2004 11:24:15 -0500

One of the great things about m0n0wall is that it is based on best 
practices in the firewall/network security/routing world. Because of 
the tremendous amount of knowledge and experience that all of you bring 
to the table, m0n0wall is built and configured "correctly" and the 
interface tries to enforce these best practices.

The primary reason for a Captive Portal is _SECURITY_, so that people 
using the hotspot can be informed about what they are doing. Don't view 
hotspot users as outsiders, but rather people who should properly be on 
the network just like a guest in your house or employee in your 

One of the things that we have established through NYCwireless and 
other community wireless organizations, and that I have written up in 
Michael's socalfreenet web site on m0n0wall, are Best Practices for 
public wireless networks.

I think this is important because such networks are becoming more 
mainstream, and require proper security practices. Just like home 
broadband caused the creation of a SoHo router that drew its best 
practices from the enterprise network world (and m0n0wall embodies 
these concepts for both enterprise and SoHo use), wireless gear is 
causing the creation of hotspot devices which draw best practices from 
the enterprise AND SoHo network world. m0n0wall can include these best 
practices and this functionality (if someone would write it, and I'm 
actively seeking such people out to contribute to m0n0wall) with ease, 
and by including them, would address the need for this new class of 
network devices.

Those of you who are fearful of the bloat that it would cause: it 
should only increase the image size by _at most_ a couple of MBs, and 
will likely come in well under that.

Those of you who are fearful of security issues: the functionality 
should be able to be completely disabled, just like VPN and NAT can be 

Those who fear tainting of the idea of m0n0wall: yours is the same 
argument that PPTP or DNS functionality would have faced 6-10 years ago 
in a similar device, yet we take this functionality for granted today.


Dana Spiegel
Director, NYCwireless
dana at nycwireless dot net

On Mar 18, 2004, at 10:55 AM, David Rodgers wrote:

> On Wed, 2004-03-17 at 15:39, John Voigt wrote:
>> ----- Original Message -----
>> From: "David Rodgers" <david dot rodgers at kdsi dot net>
>>>> Well, for you it's a firewall.  A lot of people are using it with 
>>>> the
>>>> Soekris box as a wireless router in their SOHO environment
>>> Yes but this is still not a server it's an access device that traffic
>>> goes THROUGH... see also below
>> Perhaps you don't understand what a hotspot is.  There is no "server" 
>> just a
>> static web page where the user agrees with some acceptable use policy
>> protecting the operator.  Agreeing simply adds a rule to the firewall
>> allowing limited access to the user who just agreed.
> yes but (and I am arguing on principle here) that static page is
> running on a web "server" just like any other web page you have ever been to.
> I do agree though that if this device is not a primary firewall this
> would not be a problem; the functionality could be cool. ... ok there I said
> it.
> I know you want everything to be integrated but I think it might be
> cooler to add a backend plugin interface to m0n0wall so that this sort
> of thing doesn't need to be part of the actual package.
> Like something meant to interact with an external machine that does the
> authentication.
> Say you go to a page and hit the hot spot button and type in an ip
> address and it forwards all requests that are trying to go to the
> internet to a certain ip address that serves the pages and handles the
> auth.
> They could authenticate there and could activate the changes in the
> firewall via a php script on m0n0 that accepts input from the ip you
> have specified as the hot spot authenticator device.
> or even better, to keep the bloat down completely, maybe a fork of m0n0
> that is JUST a wireless/hotspot device. like maybe M0n0Spot :-)
> This is a really cool idea but I don't want to see the CF image for
> regular M0n0 go from 4 megs to 20, 50, 100 by adding a bunch of stuff
> either.
> A device that could operate as either a free hotspot or have an option
> to authenticate to a radius server would be great.
> David Rodgers
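The two mechanisms discussed in this thread (John Voigt's "agreeing adds a firewall rule for the user who just agreed", and David Rodgers' proposal that an external authenticator box calls a script on m0n0wall that only accepts input from the authenticator's IP) can be modelled in a few lines. The block below is an added illustration written for this archive page; it is not m0n0wall code and not part of the original thread. The hotspot subnet, the authenticator address, the shared secret and the session length are constructed values. It goes one step beyond the thread's "accept input from that IP" rule by also requiring a fresh HMAC over the callback, because on a shared LAN a source address alone can be forged, and by keeping the callback confined to addresses inside the hotspot subnet so the authenticator cannot be used to open access for arbitrary hosts.

```python
"""Toy model of the external-authenticator captive-portal design from the
thread: unauthenticated hotspot clients are redirected to a portal, the
portal host calls back to the firewall, and the firewall opens access for
exactly one client for a limited time.  Constructed example, not m0n0wall."""
import hashlib
import hmac
import ipaddress
import time

HOTSPOT_NET = ipaddress.ip_network("10.0.0.0/24")   # assumed hotspot subnet
AUTHENTICATOR_IP = "192.168.1.50"                   # assumed auth box address
SHARED_SECRET = b"constructed-demo-secret"          # assumed shared secret
SESSION_SECONDS = 3600                              # assumed session length
MAX_SKEW = 60                                       # reject old callbacks

# Simulated firewall state: client IP -> expiry timestamp.
allowed_clients = {}


def sign(client_ip, ts, secret=SHARED_SECRET):
    """HMAC the authenticator attaches to its callback (client IP + time)."""
    msg = f"{client_ip}|{ts}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def handle_callback(src_ip, client_ip, ts, sig, now=None, secret=SHARED_SECRET):
    """Firewall-side callback handler.  Returns (ok, reason).

    Only the configured authenticator may open access (the thread's IP check),
    only for an address inside the hotspot subnet, and only with a fresh,
    valid signature so a spoofed source address is not enough on its own."""
    now = time.time() if now is None else now
    if src_ip != AUTHENTICATOR_IP:
        return False, "callback not from authenticator"
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False, "malformed client address"
    if addr not in HOTSPOT_NET:
        return False, "client outside hotspot subnet"
    if abs(now - ts) > MAX_SKEW:
        return False, "stale timestamp"
    if not hmac.compare_digest(sig, sign(client_ip, ts, secret)):
        return False, "bad signature"
    # Equivalent of "add a rule allowing limited access to the user who agreed".
    allowed_clients[str(addr)] = now + SESSION_SECONDS
    return True, "access granted"


def is_allowed(client_ip, now=None):
    """True while the client's session rule is still live; expires it otherwise."""
    now = time.time() if now is None else now
    exp = allowed_clients.get(client_ip)
    if exp is None:
        return False
    if now >= exp:
        del allowed_clients[client_ip]
        return False
    return True


def forward_decision(client_ip, dst_port, now=None):
    """What the firewall does with a packet from a hotspot client:
    pass once authorised, otherwise redirect web traffic to the portal
    and drop everything else."""
    if is_allowed(client_ip, now):
        return "pass"
    return "redirect-to-portal" if dst_port == 80 else "drop"


if __name__ == "__main__":
    t = int(time.time())
    print(forward_decision("10.0.0.7", 80))                       # redirect-to-portal
    print(handle_callback(AUTHENTICATOR_IP, "10.0.0.7", t, sign("10.0.0.7", t)))
    print(forward_decision("10.0.0.7", 80))                       # pass
```

The rule the handler adds is per client and time-limited, which is what keeps the portal from becoming a permanent hole; the signature and subnet checks are the two places where the thread's design most needs tightening before the callback script is exposed to the network.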