One of the great things about m0n0wall is that it is based on best
practices in the firewall/network security/routing world. Because of
the tremendous amount of knowledge and experience that all of you bring
to the table, m0n0wall is built and configured "correctly" and the
interface tries to enforce these best practices.

The primary reason for a Captive Portal is _SECURITY_ so that people
using the hotspot can be informed about what they are doing. Don't view
hotspot users as outsiders, but rather people who should properly be on
the network just like a guest in your house or employee in your

One of the things that we have established through NYCwireless and
other community wireless organizations, and that I have written up in
Michael's socalfreenet web site on m0n0wall, are Best Practices for
public wireless networks.

I think this is important because such networks are becoming more
mainstream, and require proper security practices. Just like home
broadband caused the creation of a SoHo router that drew its best
practices from the enterprise network world (and m0n0wall embodies
these concepts for both enterprise and SoHo use), wireless gear is
causing the creation of hotspot devices which draw best practices from
the enterprise AND SoHo network world. m0n0wall can include these best
practices and this functionality (if someone would write it, and I'm
actively seeking such people out to contribute to m0n0wall) with ease,
and by including them, would address the need for this new class of

Those of you who are fearful of the bloat that it would cause: it
should only increase the image size by _at most_ a couple of MBs, and
will likely come in well under that.

Those of you who are fearful of security issues: the functionality
should be able to be completely disabled, just like VPN and NAT can be

Those who fear tainting of the idea of m0n0wall: yours is the same
argument that PPTP or DNS functionality would have faced 6-10 years ago
in a similar device, yet we take this functionality for granted today.

dana at nycwireless dot net

On Mar 18, 2004, at 10:55 AM, David Rodgers wrote:
> On Wed, 2004-03-17 at 15:39, John Voigt wrote:
>> ----- Original Message -----
>> From: "David Rodgers" <david dot rodgers at kdsi dot net>
>>>> Well, for you it's a firewall. A lot of people are using it with
>>>> Soekris box as a wireless router in their SOHO environment
>>> Yes but this is still not a server it's an access device that traffic
>>> goes THROUGH... see also below
>> Perhaps you don't understand what a hotspot is. There is no "server"
>> just a static web page where the user agrees with some acceptable use policy
>> protecting the operator. Agreeing simply adds a rule to the firewall
>> allowing limited access to the user who just agreed.
> yes but (and I am arguing on principle here) that static page is
> on a web "server" just like any other web page you have ever been to.
> I do agree though that if this device is not a primary firewall this
> would not be a problem functionality could be cool. ... ok there I said
> I know you want everything to be integrated but I think it might be
> cooler to add a backend plugin interface to m0n0wall so that this sort
> of thing doesn't need to be part of the actual package.
> Like something meant to interact with an external machine that does the
> Say you go to a page and hit the hot spot button and type in an ip
> address and it forwards all requests that are trying to go to the
> internet to a certain ip address that serves the pages and handles the
> They could authenticate there and could activate the changes in the
> firewall via a php script on m0n0 that accepts input from the ip you
> have specified as the hot spot authenticator device.
> or even better to keep the bloat down completely maybe fork of mono
> is JUST a wireless/hotspot device. like maybe M0n0Spot :-)
> This is a really cool idea but I don't want to see the CF image for
> regular M0n0 go from 4 megs to 20, 50, 100 by adding a bunch of stuff
> A device that could operate as either a free hotspot or have an option
> to authenticate to a radius server would be great.
> David Rodgers