 From:  "Massimo B." <ghiblone at tin dot it>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] More internet security
 Date:  Wed, 2 Jun 2004 13:42:42 +0200
----- Original Message ----- 
From: "Eric Shorkey" <eshorkey at commonpointservices dot com>
To: <m0n0wall at lists dot m0n0 dot ch>
Sent: Wednesday, June 02, 2004 1:33 PM
Subject: Re: [m0n0wall] More internet security


> Are you referring to access to the web interface?
No, the web interface is OK and the rules are fully satisfactory!
Host file must deny internet access in the wan interface,
loading a "standard" host file.
(avoiding therefore to load it on the various operating system).

I'm sorry for my English...

Thanks.
Massimo Bolsi

> If so, then the easiest solution is to create firewall rules that perform
> the desired function. For instance, to prevent anyone but 192.168.0.232
> from accessing the m0n0wall interface, create a firewall rule on the LAN
> interface that blocks all traffic going to the m0n0wall IP on port <insert
> admin port> that isn't from 192.168.0.232. Want more than 1 accepted IP?
> Create accept rules for each IP you want to allow, and then create a
> general deny rule. Double check your rule ordering (make sure the accepts
> are above the general deny), and click Apply.
>
> This is all pretty pointless though. You can't assume any level of IP-based
> security on a LAN unless you already have complete control over all of the
> machines on that LAN. (If that was the case, why would you care?) Any
> client could simply use ARP poisoning to watch your traffic and sniff for
> your admin password, and then use IP spoofing to take over your "allowed"
> IP to make any changes they wanted. The best solution is to use HTTPS and
> choose a reasonably safe password. Then it doesn't matter if they reach the
> m0n0wall login interface. They don't have the password, and they have no
> easy way of getting it.
>
> ----- Original Message ----- 
> From: "Massimo B." <ghiblone at tin dot it>
> To: <m0n0wall at lists dot m0n0 dot ch>
> Sent: Wednesday, June 02, 2004 7:10 AM
> Subject: [m0n0wall] More internet security
>
>
> > A suggestion for more internet security:
> > - add a simple host file!
> > In short, the system must deny clients access
> > whose hostnames are listed in this file.
> > (...this file may be compressed on a floppy disk...?...)
> >
> > Is it really possible?
> >
> > Thanks
> > Massimo Bolsi
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> > For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> >
> >
>
>
>
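
Added example (not part of the original thread, and not m0n0wall code): a small Python model of the rule ordering described in the quoted reply, showing why the accept rule must sit above the general deny. The first-match evaluation, the firewall address 192.168.0.1, port 443 as the admin port and the default "pass" for unmatched traffic are assumptions made for this sketch.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

FIREWALL_IP = "192.168.0.1"  # constructed: the thread does not give the m0n0wall address
ADMIN_PORT = 443             # constructed stand-in for "<insert admin port>"

@dataclass(frozen=True)
class Rule:
    action: str              # "pass" or "block"
    src: str                 # source network in CIDR form
    dst: str = FIREWALL_IP
    port: int = ADMIN_PORT

    def matches(self, src, dst, port):
        return (ip_address(src) in ip_network(self.src)
                and dst == self.dst and port == self.port)

def evaluate(rules, src, dst, port, default="pass"):
    """First matching rule wins (assumed model); unmatched traffic gets `default`."""
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.action
    return default

def shadowed_accepts(rules):
    """Indexes of pass rules that can never fire because an earlier,
    broader block rule for the same destination and port matches first."""
    hits = []
    for i, rule in enumerate(rules):
        if rule.action != "pass":
            continue
        for earlier in rules[:i]:
            if (earlier.action == "block"
                    and (earlier.dst, earlier.port) == (rule.dst, rule.port)
                    and ip_network(rule.src).subnet_of(ip_network(earlier.src))):
                hits.append(i)
                break
    return hits

ALLOW_ADMIN = Rule("pass", "192.168.0.232/32")   # the accepted IP from the thread
DENY_REST = Rule("block", "0.0.0.0/0")           # the general deny

GOOD_ORDER = [ALLOW_ADMIN, DENY_REST]   # accepts above the general deny
BAD_ORDER = [DENY_REST, ALLOW_ADMIN]    # deny first: the admin host is locked out too

if __name__ == "__main__":
    for name, rules in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        for src in ("192.168.0.232", "192.168.0.50"):
            print(name, src, evaluate(rules, src, FIREWALL_IP, ADMIN_PORT))
        print(name, "shadowed accept rules:", shadowed_accepts(rules))
```

The decision depends only on the source address carried in the packet, which is the limitation the reply points to when it recommends HTTPS and a reasonably safe password instead.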