I think he might mean a hosts.deny file. There is a hosts.allow and I am
sure it would be simple for him to add a hosts.deny in his image if
necessary.

--------- Original Message --------
From: Eric Shorkey <eshorkey at commonpointservices dot com>
To: Massimo B. <ghiblone at tin dot it>, m0n0wall at lists dot m0n0 dot ch <m0n0wall at lists dot m0n0 dot ch>
Subject: Re: [m0n0wall] More internet security
Date: 02/06/04 11:03

> So, you're looking to prevent certain systems from reaching the internet?
> You can do that with normal firewall rules as well. The rule would be on the
> LAN interface, and would block traffic that is coming from a specific IP
> that is destined for the wan subnet. Or am I just way off?
>
> Are you talking about wan as in wide area network, or wan as in some weird
> acronym for wireless networking?
>
> I guess I just don't see the usefulness of a standard unix host file. It
> provides name to ip and ip to name services. Doesn't seem very useful when
> applied to a firewall context. Name based firewalling is always a bad idea,
> as it is really easy to send bogus nameserver replies.
>
> If you're talking about wireless networking, then you should look at the
> captive portal that is being implemented in the current m0n0wall beta.
>
> Or... maybe you're talking about sending web surfers to a specific page if
> they are trying to access the internet and are being blocked by some rule.
>
> I guess all this really means is that I still don't understand the question.
> hehe
>
> ----- Original Message -----
> From: "Massimo B." <ghiblone at tin dot it>
> To: <m0n0wall at lists dot m0n0 dot ch>
> Sent: Wednesday, June 02, 2004 7:42 AM
> Subject: Re: [m0n0wall] More internet security
>
> > ----- Original Message -----
> > From: "Eric Shorkey" <eshorkey at commonpointservices dot com>
> > To: <m0n0wall at lists dot m0n0 dot ch>
> > Sent: Wednesday, June 02, 2004 1:33 PM
> > Subject: Re: [m0n0wall] More internet security
> >
> > > Are you referring to access to the web interface?
> >
> > No, web interface is ok and the rules are fully satisfactory!
> > Host file must deny internet access in the wan interface,
> > loading a "standard" host file.
> > (avoiding therefore to load it on the various operating system).
> >
> > I'm sorry for my English...
> >
> > Thanks.
> > Massimo Bolsi
> >
> > > If so, then the easiest solution is to create firewall rules that perform
> > > the desired function. For instance, to prevent anyone but 192.168.0.232 from
> > > accessing the m0n0wall interface, create a firewall rule on the LAN
> > > interface that blocks all traffic going to the m0n0wall IP on port <insert
> > > admin port> that isn't from 192.168.0.232. Want more than 1 accepted IP?
> > > Create accept rules for each IP you want to allow, and then create a general
> > > deny rule. Double check your rule ordering (make sure the accepts are above
> > > the general deny), and click Apply.
> > >
> > > This is all pretty pointless though. You can't assume any level of IP based
> > > security on a LAN unless you already have complete control over all of the
> > > machines on that LAN. (If that was the case, why would you care?) Any client
> > > could simply use arp poisoning to watch your traffic and sniff for your
> > > admin password, and then use IP spoofing to take over your "allowed" IP to
> > > make any changes they wanted. The best solution is to use https and choose a
> > > reasonably safe password. Then it doesn't matter if they reach the m0n0wall
> > > login interface. They don't have the password, and they have no easy way of
> > > getting it.
> > >
> > > ----- Original Message -----
> > > From: "Massimo B." <ghiblone at tin dot it>
> > > To: <m0n0wall at lists dot m0n0 dot ch>
> > > Sent: Wednesday, June 02, 2004 7:10 AM
> > > Subject: [m0n0wall] More internet security
> > >
> > > > A suggestion for more internet security:
> > > > - add a simple host file!
> > > > In short, the system must deny clients access
> > > > whose hostnames are listed in this file.
> > > > (...this file may be compressed on a floppy disk...?...)
> > > >
> > > > Is it really possible?
> > > >
> > > > Thanks
> > > > Massimo Bolsi
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> > > > For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
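The two rule-based answers in the thread (an accept rule per admin host followed by a general deny on the admin port, with the accepts kept above the deny, and a block rule on the LAN interface for one host destined to the WAN subnet) can be sanity-checked before clicking Apply with a small first-match simulation. The following is an added example written for this archive page; it is not m0n0wall's own code or rule syntax. Everything in it is constructed: the firewall address 192.168.0.1, the admin port 443 (the thread leaves it as "<insert admin port>"; 443 is assumed because https is recommended), the documentation range 203.0.113.0/24 standing in for the WAN subnet, the client addresses, and the assumption that rules are evaluated top-down with first match winning and unmatched traffic blocked.

```python
"""First-match firewall rule simulator for checking rule ordering.

Constructed example, not m0n0wall code. It models the thread's advice
("accepts above the general deny") so a rule set can be checked offline.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: str                     # source network, CIDR notation
    dst: str                     # destination network, CIDR notation
    dport: Optional[int] = None  # destination port; None matches any port
    comment: str = ""


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dport: int) -> str:
    """Return the action of the first matching rule (assumed first-match,
    top-down evaluation); traffic matching no rule is blocked (assumed
    default deny)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if (src in ipaddress.ip_network(rule.src)
                and dst in ipaddress.ip_network(rule.dst)
                and (rule.dport is None or rule.dport == dport)):
            return rule.action
    return "block"


# Constructed lab values (assumptions, not from the thread except 192.168.0.232).
FIREWALL_IP = "192.168.0.1"
ADMIN_PORT = 443
ADMIN_HOSTS = ["192.168.0.232"]
LAN_NET = "192.168.0.0/24"
WAN_NET = "203.0.113.0/24"       # documentation range standing in for the WAN subnet
ANY = "0.0.0.0/0"


def admin_lockdown_rules(admin_hosts: List[str], accepts_first: bool) -> List[Rule]:
    """Build the LAN rule set from the thread: one accept per admin host,
    a general deny for the admin port, then the usual LAN-to-any pass.
    accepts_first=False reproduces the ordering mistake the thread warns about."""
    accepts = [Rule("pass", f"{h}/32", f"{FIREWALL_IP}/32", ADMIN_PORT, f"admin from {h}")
               for h in admin_hosts]
    deny = [Rule("block", ANY, f"{FIREWALL_IP}/32", ADMIN_PORT, "general deny, admin port")]
    default = [Rule("pass", LAN_NET, ANY, None, "LAN to any")]
    return (accepts + deny + default) if accepts_first else (deny + accepts + default)


def no_internet_rules(blocked_host: str) -> List[Rule]:
    """Eric's first suggestion: block one LAN host from reaching the WAN subnet."""
    return [Rule("block", f"{blocked_host}/32", WAN_NET, None, "no internet for this host"),
            Rule("pass", LAN_NET, ANY, None, "LAN to any")]


def check_ordering(admin_hosts: List[str]) -> Dict[str, Dict[str, str]]:
    """Evaluate both orderings for the admin host and for another LAN host."""
    good = admin_lockdown_rules(admin_hosts, accepts_first=True)
    bad = admin_lockdown_rules(admin_hosts, accepts_first=False)
    other = "192.168.0.77"   # constructed non-admin client
    return {
        "correct_order": {
            "admin_host": evaluate(good, admin_hosts[0], FIREWALL_IP, ADMIN_PORT),
            "other_host": evaluate(good, other, FIREWALL_IP, ADMIN_PORT),
            "other_host_web": evaluate(good, other, "203.0.113.10", 80),
        },
        "deny_first": {
            "admin_host": evaluate(bad, admin_hosts[0], FIREWALL_IP, ADMIN_PORT),
            "other_host": evaluate(bad, other, FIREWALL_IP, ADMIN_PORT),
        },
    }


if __name__ == "__main__":
    import json
    print(json.dumps(check_ordering(ADMIN_HOSTS), indent=2))
    rules = no_internet_rules("192.168.0.50")
    print("blocked host to WAN:", evaluate(rules, "192.168.0.50", "203.0.113.10", 80))
    print("other host to WAN:  ", evaluate(rules, "192.168.0.77", "203.0.113.10", 80))
```

With the deny placed first, the admin host itself is locked out, which is exactly the ordering problem the thread tells you to double-check. The simulator matches on addresses only, consistent with the thread's point that name-based rules are unreliable, and it does nothing about the ARP-spoofing caveat raised there: a correct rule order still does not substitute for https and a strong admin password.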