 From:  "Eric Shorkey" <eshorkey at commonpointservices dot com>
 To:  "Massimo B." <ghiblone at tin dot it>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] More internet security
 Date:  Wed, 2 Jun 2004 08:05:40 -0400
So, you're looking to prevent certain systems from reaching the internet?
You can do that with normal firewall rules as well. The rule would be on the
LAN interface, and would block traffic that is coming from a specific IP
that is destined for the wan subnet. Or am I just way off?

Are you talking about wan as in wide area network, or wan as in some weird
acronym for wireless networking?

I guess I just don't see the usefulness of a standard unix host file. It
provides name to IP and IP to name services. Doesn't seem very useful when
applied to a firewall context. Name-based firewalling is always a bad idea,
as it is really easy to send bogus nameserver replies.

If you're talking about wireless networking, then you should look at the
captive portal that is being implemented in the current m0n0wall beta.

Or... maybe you're talking about sending web surfers to a specific page if
they are trying to access the internet and are being blocked by some rule.

I guess all this really means is that I still don't understand the question.
hehe

----- Original Message ----- 
From: "Massimo B." <ghiblone at tin dot it>
To: <m0n0wall at lists dot m0n0 dot ch>
Sent: Wednesday, June 02, 2004 7:42 AM
Subject: Re: [m0n0wall] More internet security


>
> ----- Original Message ----- 
> From: "Eric Shorkey" <eshorkey at commonpointservices dot com>
> To: <m0n0wall at lists dot m0n0 dot ch>
> Sent: Wednesday, June 02, 2004 1:33 PM
> Subject: Re: [m0n0wall] More internet security
>
>
> > Are you referring to access to the web interface?
> No, web interface is ok and the rules are fully satisfactory!
> Host file must deny internet access on the wan interface,
> loading a "standard" host file.
> (avoiding therefore having to load it on the various operating systems).
>
> I'm sorry for my English...
>
> Thanks.
> Massimo Bolsi
>
> > If so, then the easiest solution is to create firewall rules that perform
> > the desired function. For instance, to prevent anyone but 192.168.0.232 from
> > accessing the m0n0wall interface, create a firewall rule on the LAN
> > interface that blocks all traffic going to the m0n0wall IP on port <insert
> > admin port> that isn't from 192.168.0.232. Want more than 1 accepted IP?
> > Create accept rules for each IP you want to allow, and then create a general
> > deny rule. Double check your rule ordering (make sure the accepts are above
> > the general deny), and click Apply.
> >
> > This is all pretty pointless though. You can't assume any level of IP based
> > security on a LAN unless you already have complete control over all of the
> > machines on that LAN. (If that was the case, why would you care?) Any client
> > could simply use arp poisoning to watch your traffic and sniff for your
> > admin password, and then use IP spoofing to take over your "allowed" IP to
> > make any changes they wanted. The best solution is to use https and choose a
> > reasonably safe password. Then it doesn't matter if they reach the m0n0wall
> > login interface. They don't have the password, and they have no easy way of
> > getting it.
> >
> > ----- Original Message ----- 
> > From: "Massimo B." <ghiblone at tin dot it>
> > To: <m0n0wall at lists dot m0n0 dot ch>
> > Sent: Wednesday, June 02, 2004 7:10 AM
> > Subject: [m0n0wall] More internet security
> >
> >
> > > A suggestion for more internet security:
> > > - add a simple host file!
> > > In short, the system must deny clients access
> > > whose hostnames are listed in this file.
> > > (...this file may be compressed on a floppy disk...?...)
> > >
> > > Is it really possible?
> > >
> > > Thanks
> > > Massimo Bolsi
> > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> > > For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> > >
> > >
> >
> >
>
>
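Eric's quoted advice about rule ordering (accept rules for the allowed admin host above the general deny, first match wins) is easy to get wrong in a GUI. The following is an added illustration, not code from the thread or from m0n0wall: a tiny first-match evaluator for the LAN rules he describes, plus a check that flags an accept rule that a broader deny above it has made unreachable. The firewall LAN address 192.168.0.1 and admin port 443 are assumed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    action: str            # "pass" or "block"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    dport: Optional[int]   # destination port, None means any port

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet matching `other` would already match self."""
        return (ipaddress.ip_network(self.src).supernet_of(ipaddress.ip_network(other.src))
                and ipaddress.ip_network(self.dst).supernet_of(ipaddress.ip_network(other.dst))
                and (self.dport is None or self.dport == other.dport))

def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dport: int) -> str:
    """First matching rule wins; traffic that no rule matches is blocked."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return "block"

def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule already covers them."""
    return [i for i, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:i])]

# Constructed example; the firewall address and admin port are assumptions.
FW_IP, ADMIN_PORT, LAN = "192.168.0.1", 443, "192.168.0.0/24"
GOOD_ORDER = [
    Rule("pass", "192.168.0.232/32", FW_IP + "/32", ADMIN_PORT),  # the one allowed admin host
    Rule("block", LAN, FW_IP + "/32", ADMIN_PORT),                 # general deny for the admin port
    Rule("pass", LAN, "0.0.0.0/0", None),                          # everything else from the LAN
]
BAD_ORDER = [GOOD_ORDER[1], GOOD_ORDER[0], GOOD_ORDER[2]]           # deny placed above the accept

if __name__ == "__main__":
    print(evaluate(GOOD_ORDER, "192.168.0.232", FW_IP, ADMIN_PORT))  # pass
    print(evaluate(BAD_ORDER, "192.168.0.232", FW_IP, ADMIN_PORT))   # block
    print(shadowed_rules(BAD_ORDER))                                  # [1]
```

As Eric notes, this only controls which source addresses the rule set honours; it does nothing against a host on the same LAN spoofing the allowed address, which is why HTTPS and a strong password remain the real control.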