 From:  "Eric Shorkey" <eshorkey at commonpointservices dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] More internet security
 Date:  Wed, 2 Jun 2004 07:33:37 -0400
Are you referring to access to the web interface?
If so, then the easiest solution is to create firewall rules that perform
the desired function. For instance, to prevent anyone but 192.168.0.232 from
accessing the m0n0wall interface, create a firewall rule on the LAN
interface that blocks all traffic going to the m0n0wall IP on port <insert
admin port> that isn't from 192.168.0.232. Want more than one accepted IP?
Create accept rules for each IP you want to allow, and then create a general
deny rule. Double-check your rule ordering (make sure the accepts are above
the general deny), and click Apply.

This is all pretty pointless though. You can't assume any level of IP-based
security on a LAN unless you already have complete control over all of the
machines on that LAN. (If that was the case, why would you care?) Any client
could simply use ARP poisoning to watch your traffic and sniff for your
admin password, and then use IP spoofing to take over your "allowed" IP to
make any changes they wanted. The best solution is to use HTTPS and choose a
reasonably safe password. Then it doesn't matter if they reach the m0n0wall
login interface. They don't have the password, and they have no easy way of
getting it.

----- Original Message ----- 
From: "Massimo B." <ghiblone at tin dot it>
To: <m0n0wall at lists dot m0n0 dot ch>
Sent: Wednesday, June 02, 2004 7:10 AM
Subject: [m0n0wall] More internet security


> A suggestion for more internet security:
> - add a simple host file!
> In short, the system must deny access to clients
> whose hostnames are listed in this file.
> (...this file may be compressed on a floppy disk...?...)
>
> Is it really possible?
>
> Thanks
> Massimo Bolsi
>
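The rule set Eric describes (one accept per allowed management host, then a general deny to the admin port, accepts above the deny) is a first-match ordering problem. The following is an added example, not m0n0wall's own code: a small first-match filter model that builds that rule set, evaluates packets against it, and flags accept rules that a broader block rule above them shadows. The firewall address 192.168.0.1, the admin port 443, the second allowed host 192.168.0.10 and the default-pass behaviour when nothing matches are assumptions chosen for illustration.

```python
"""First-match filter model for m0n0wall-style admin-port access rules.

Added example (not m0n0wall code). Addresses, port and default-pass
behaviour are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str             # "pass" or "block"
    src: IPv4Network        # source network (a /32 for a single host)
    dst: IPv4Network        # destination network
    dport: Optional[int]    # destination TCP port, None = any port


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int


FIREWALL = ip_address("192.168.0.1")        # assumed m0n0wall LAN address
ADMIN_PORT = 443                             # assumed admin port (HTTPS)
ANY = ip_network("0.0.0.0/0")


def first_match(rules: List[Rule], pkt: Packet) -> str:
    """Evaluate rules top-down; the first matching rule decides.
    Default pass when nothing matches is an assumption of this model."""
    for r in rules:
        if (pkt.src in r.src and pkt.dst in r.dst
                and (r.dport is None or r.dport == pkt.dport)):
            return r.action
    return "pass"


def admin_rules(allowed: List[str], accepts_first: bool = True) -> List[Rule]:
    """Build the LAN rule set from the reply: one accept per allowed host
    to the admin port, then a general deny to the admin port from anywhere.
    accepts_first=False reproduces the ordering mistake the reply warns about."""
    fw = ip_network(f"{FIREWALL}/32")
    accepts = [Rule("pass", ip_network(f"{host}/32"), fw, ADMIN_PORT)
               for host in allowed]
    deny = [Rule("block", ANY, fw, ADMIN_PORT)]
    return accepts + deny if accepts_first else deny + accepts


def check(rules: List[Rule], src: str, dport: int = ADMIN_PORT) -> str:
    """Verdict for a packet from src to the firewall's address on dport."""
    return first_match(rules, Packet(ip_address(src), FIREWALL, dport))


def shadowed_accepts(rules: List[Rule]) -> List[Rule]:
    """Return accept rules that sit below a block rule covering the same
    source, destination and port, and so can never match."""
    shadowed = []
    for i, r in enumerate(rules):
        if r.action != "pass":
            continue
        for above in rules[:i]:
            if (above.action == "block"
                    and r.src.subnet_of(above.src)
                    and r.dst.subnet_of(above.dst)
                    and (above.dport is None or above.dport == r.dport)):
                shadowed.append(r)
                break
    return shadowed


if __name__ == "__main__":
    good = admin_rules(["192.168.0.232", "192.168.0.10"])
    bad = admin_rules(["192.168.0.232", "192.168.0.10"], accepts_first=False)
    for name, rules in (("accepts above deny", good), ("deny above accepts", bad)):
        print(name, "-> .232:", check(rules, "192.168.0.232"),
              " .50:", check(rules, "192.168.0.50"),
              " shadowed accepts:", len(shadowed_accepts(rules)))
```

Running the check on the misordered set shows why the reply tells you to verify ordering before clicking Apply: with the general deny on top, even the "allowed" address is blocked and both accept rules are reported as shadowed, while traffic to other ports is unaffected either way. As the reply also notes, this only restricts who can reach the login page; it does nothing against a LAN host that sniffs or spoofs the allowed address, which is why HTTPS and a strong password remain the real control.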