 From:  "Chet Harvey" <chet at pittech dot com>
 To:  "Eric Shorkey" <eshorkey at commonpointservices dot com>, "Massimo B." <ghiblone at tin dot it>, "m0n0wall at lists dot m0n0 dot ch"
 Subject:  Rv: Re: [m0n0wall] More internet security
 Date:  Wed, 2 Jun 2004 8:14:34 -0100
I think he might mean a hosts.deny file. There is a hosts.allow and I am
sure it would be simple for him to add a hosts.deny in his image if
necessary.


--------- Original Message --------
From: Eric Shorkey <eshorkey at commonpointservices dot com>
To: Massimo B. <ghiblone at tin dot it>, m0n0wall at lists dot m0n0 dot ch
<m0n0wall at lists dot m0n0 dot ch>
Subject: Re: [m0n0wall] More internet security
Date: 02/06/04 11:03

>
> So, you're looking to prevent certain systems from reaching the internet?
> You can do that with normal firewall rules as well. The rule would be on
> the LAN interface, and would block traffic that is coming from a specific IP
> that is destined for the wan subnet. Or am I just way off?
>
> Are you talking about wan as in wide area network, or wan as in some weird
> acronym for wireless networking?
>
> I guess I just don't see the usefulness of a standard unix host file. It
> provides name to ip and ip to name services. Doesn't seem very useful when
> applied to a firewall context. Name-based firewalling is always a bad idea,
> as it is really easy to send bogus nameserver replies.
>
> If you're talking about wireless networking, then you should look at the
> captive portal that is being implemented in the current m0n0wall beta.
>
> Or... maybe you're talking about sending web surfers to a specific page if
> they are trying to access the internet and are being blocked by some rule.
>
> I guess all this really means is that I still don't understand the
> question. hehe
>
> ----- Original Message -----
> From: "Massimo B." <ghiblone at tin dot it>
> To: <m0n0wall at lists dot m0n0 dot ch>
> Sent: Wednesday, June 02, 2004 7:42 AM
> Subject: Re: [m0n0wall] More internet security
>
>
> >
> > ----- Original Message -----
> > From: "Eric Shorkey" <eshorkey at commonpointservices dot com>
> > To: <m0n0wall at lists dot m0n0 dot ch>
> > Sent: Wednesday, June 02, 2004 1:33 PM
> > Subject: Re: [m0n0wall] More internet security
> >
> >
> > > Are you referring to access to the web interface?
> > No, web interface is ok and the rules are fully satisfactory!
> > Host file must deny internet access in the wan interface,
> > loading a "standard" host file.
> > (avoiding therefore to load it on the various operating system).
> >
> > I'm sorry for my English...
> >
> > Thanks.
> > Massimo Bolsi
> >
> > > If so, then the easiest solution is to create firewall rules that
> > > perform the desired function. For instance, to prevent anyone but
> > > 192.168.0.232 from accessing the m0n0wall interface, create a firewall
> > > rule on the LAN interface that blocks all traffic going to the m0n0wall
> > > IP on port <insert admin port> that isn't from 192.168.0.232. Want more
> > > than 1 accepted IP? Create accept rules for each IP you want to allow,
> > > and then create a general deny rule. Double check your rule ordering
> > > (make sure the accepts are above the general deny), and click Apply.
> > >
> > > This is all pretty pointless though. You can't assume any level of IP
> > > based security on a LAN unless you already have complete control over
> > > all of the machines on that LAN. (If that was the case, why would you
> > > care?) Any client could simply use arp poisoning to watch your traffic
> > > and sniff for your admin password, and then use IP spoofing to take over
> > > your "allowed" IP to make any changes they wanted. The best solution is
> > > to use https and choose a reasonably safe password. Then it doesn't
> > > matter if they reach the m0n0wall login interface. They don't have the
> > > password, and they have no easy way of getting it.
> > >
> > > ----- Original Message -----
> > > From: "Massimo B." <ghiblone at tin dot it>
> > > To: <m0n0wall at lists dot m0n0 dot ch>
> > > Sent: Wednesday, June 02, 2004 7:10 AM
> > > Subject: [m0n0wall] More internet security
> > >
> > >
> > > > A suggestion for more internet security:
> > > > - add a simple host file!
> > > > In short, the system must deny clients access
> > > > whose hostnames are listed in this file.
> > > > (...this file may be compressed on a floppy disk...?...)
> > > >
> > > > Is it really possible?
> > > >
> > > > Thanks
> > > > Massimo Bolsi
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> > > > For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
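The LAN-interface rule set Eric describes (per-host accepts for the admin port placed above a general deny, plus a block for hosts that must not reach the internet), as an added Python model that is not part of this thread or of m0n0wall itself. It assumes a m0n0wall LAN address of 192.168.0.1, an admin port of 443 (https, as recommended above) and a block-by-default fallback for unmatched traffic; the shadowed() check flags the ordering mistake the reply warns about.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added illustration, not m0n0wall code: a first-match model of the LAN rules
# described in the thread. Assumptions: m0n0wall's LAN address is 192.168.0.1,
# the web interface listens on 443 (https), and unmatched traffic is blocked.
MONOWALL_IP = "192.168.0.1"
ADMIN_PORT = 443
ANY = "0.0.0.0/0"

@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    src: str               # source network (CIDR)
    dst: str               # destination network (CIDR)
    dport: Optional[int]   # destination port; None matches any port

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.dport in (None, dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet matching `other` also matches this rule."""
        return (ipaddress.ip_network(self.src).supernet_of(ipaddress.ip_network(other.src))
                and ipaddress.ip_network(self.dst).supernet_of(ipaddress.ip_network(other.dst))
                and self.dport in (None, other.dport))

def evaluate(rules, src_ip, dst_ip, dport):
    """First matching rule wins, as on the m0n0wall rules page."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return "block"  # assumed default for traffic no rule matches

def shadowed(rules):
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [i for i, r in enumerate(rules) if any(e.covers(r) for e in rules[:i])]

def lan_rules(admin_hosts, no_internet_hosts):
    """Rule set from the thread: per-host accepts for the admin port above a
    general deny, blocks for hosts kept off the internet, then 'LAN to any'."""
    rules = [Rule("pass", f"{h}/32", f"{MONOWALL_IP}/32", ADMIN_PORT) for h in admin_hosts]
    rules.append(Rule("block", ANY, f"{MONOWALL_IP}/32", ADMIN_PORT))
    rules += [Rule("block", f"{h}/32", ANY, None) for h in no_internet_hosts]
    rules.append(Rule("pass", "192.168.0.0/24", ANY, None))
    return rules
```

Swapping the general deny above the per-host accept makes shadowed() report the accept as unreachable, which is exactly the misordering that locks everyone out of the interface.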