 
 From:  Falcor <falcor at netassassin dot com>
 To:  "Massimo B." <ghiblone at tin dot it>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] More internet security
 Date:  Wed, 02 Jun 2004 07:38:36 -0500
You would do this via IP and MAC address filtering in the firewall.
Doing it by FQDN (host names) isn't so good.  The best way is to block
based on MAC address, or use the static MAC --> IP DHCP addressing and
then write rules based on that.  (Of course someone can always manually
enter an IP that will get around an IP-based rule.)  MAC addresses,
unless the person is smarter than the average bear, will be the best bet.



Massimo B. wrote:

>----- Original Message ----- 
>From: "Eric Shorkey" <eshorkey at commonpointservices dot com>
>To: <m0n0wall at lists dot m0n0 dot ch>
>Sent: Wednesday, June 02, 2004 1:33 PM
>Subject: Re: [m0n0wall] More internet security
>
>>Are you referring to access to the web interface?
>
>No, the web interface is ok and the rules are fully satisfactory!
>The host file must deny internet access on the WAN interface,
>loading a "standard" host file
>(thus avoiding having to load it on the various operating systems).
>
>I'm sorry for my English...
>
>Thanks.
>Massimo Bolsi
>
>
>>If so, then the easiest solution is to create firewall rules that perform
>>the desired function. For instance, to prevent anyone but 192.168.0.232 from
>>accessing the m0n0wall interface, create a firewall rule on the LAN
>>interface that blocks all traffic going to the m0n0wall IP on port <insert
>>admin port> that isn't from 192.168.0.232. Want more than 1 accepted IP?
>>Create accept rules for each IP you want to allow, and then create a general
>>deny rule. Double check your rule ordering (make sure the accepts are above
>>the general deny), and click Apply.
>>
>>This is all pretty pointless though. You can't assume any level of IP based
>>security on a LAN unless you already have complete control over all of the
>>machines on that LAN. (If that was the case, why would you care?) Any client
>>could simply use arp poisoning to watch your traffic and sniff for your
>>admin password, and then use IP spoofing to take over your "allowed" IP to
>>make any changes they wanted. The best solution is to use https and choose a
>>reasonably safe password. Then it doesn't matter if they reach the m0n0wall
>>login interface. They don't have the password, and they have no easy way of
>>getting it.
>>
>>----- Original Message ----- 
>>From: "Massimo B." <ghiblone at tin dot it>
>>To: <m0n0wall at lists dot m0n0 dot ch>
>>Sent: Wednesday, June 02, 2004 7:10 AM
>>Subject: [m0n0wall] More internet security
>>
>>>A suggestion for more internet security:
>>>- add a simple host file!
>>>In short, the system must deny access to clients
>>>whose hostnames are listed in this file.
>>>(...this file may be compressed on a floppy disk...?...)
>>>
>>>Is it really possible?
>>>
>>>Thanks
>>>Massimo Bolsi
>>>
>>>---------------------------------------------------------------------
>>>To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>>>For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
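The two rule-writing points made in the thread above, Eric's "accepts above the general deny" ordering and Falcor's preference for MAC-based rules over plain IP rules, as an added Python example that is not from the thread or from the m0n0wall project: a toy first-match packet filter that reports accept rules shadowed by an earlier, broader deny, and that shows an IP-only allow rule passing a packet whose source IP has been borrowed by another NIC while a rule pinned to the static-lease MAC does not. The rule representation, the admin port 443 (the thread leaves it as "<insert admin port>"), the firewall IP 192.168.0.1 and all MAC addresses are constructed assumptions; the `src_mac` field is a hypothetical extension standing in for Falcor's "block based on MAC address" idea, not a field m0n0wall firewall rules are assumed to have.

```python
# Added example (not from the m0n0wall thread or the m0n0wall project):
# a toy first-match packet filter used to illustrate rule ordering and
# IP-only versus MAC-pinned allow rules.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                     # "pass" or "block"
    src: str = "any"                # source host/CIDR or "any"
    src_mac: Optional[str] = None   # hypothetical MAC pin (assumed, not an m0n0wall field)
    dst: str = "any"                # destination host/CIDR or "any"
    dport: Optional[int] = None     # destination port, None = any port


@dataclass
class Packet:
    src_ip: str
    src_mac: str
    dst_ip: str
    dport: int


def _net_match(cidr: str, ip: str) -> bool:
    return cidr == "any" or ip_address(ip) in ip_network(cidr, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_net_match(rule.src, pkt.src_ip)
            and (rule.src_mac is None or rule.src_mac.lower() == pkt.src_mac.lower())
            and _net_match(rule.dst, pkt.dst_ip)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet, default: str = "block") -> Tuple[str, Optional[int]]:
    """First matching rule wins, as in an ordered firewall rule set.
    Returns (action, index of the rule that fired, or None for the default)."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, i
    return default, None


def _covers(outer: str, inner: str) -> bool:
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule with the
    opposite action already matches everything they would match, e.g. an
    accept placed below the general deny."""
    out = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (earlier.action != later.action
                    and _covers(earlier.src, later.src)
                    and (earlier.src_mac is None or earlier.src_mac == later.src_mac)
                    and _covers(earlier.dst, later.dst)
                    and (earlier.dport is None or earlier.dport == later.dport)):
                out.append(j)
                break
    return out


# Constructed sample values: the admin host is the one named in the thread,
# the firewall IP, admin port and MAC addresses are assumed.
FW_IP, ADMIN_PORT = "192.168.0.1", 443
ADMIN_IP, ADMIN_MAC = "192.168.0.232", "00:11:22:33:44:55"

# Eric's recipe, ordered correctly: accept the admin host, then a general deny.
GOOD_RULES = [Rule("pass", ADMIN_IP, dst=FW_IP, dport=ADMIN_PORT),
              Rule("block", "any", dst=FW_IP, dport=ADMIN_PORT)]
# The same two rules with the accept below the deny: the accept never fires.
BAD_RULES = list(reversed(GOOD_RULES))
# Falcor's variant: the accept is tied to the static-lease MAC as well.
PINNED_RULES = [Rule("pass", ADMIN_IP, src_mac=ADMIN_MAC, dst=FW_IP, dport=ADMIN_PORT),
                Rule("block", "any", dst=FW_IP, dport=ADMIN_PORT)]

LEGIT = Packet(ADMIN_IP, ADMIN_MAC, FW_IP, ADMIN_PORT)
SPOOFED = Packet(ADMIN_IP, "de:ad:be:ef:00:01", FW_IP, ADMIN_PORT)   # admin IP on another NIC
OTHER = Packet("192.168.0.50", "00:aa:bb:cc:dd:ee", FW_IP, ADMIN_PORT)

if __name__ == "__main__":
    print("shadowed in BAD_RULES:", shadowed_rules(BAD_RULES))                    # [1]
    print("IP-only rules, borrowed IP:", evaluate(GOOD_RULES, SPOOFED)[0])        # pass
    print("MAC-pinned rules, borrowed IP:", evaluate(PINNED_RULES, SPOOFED)[0])   # block
    print("MAC-pinned rules, admin host:", evaluate(PINNED_RULES, LEGIT)[0])      # pass
    print("other host:", evaluate(GOOD_RULES, OTHER))                             # ('block', 1)
```

`shadowed_rules` is the check Eric asks for by hand ("make sure the accepts are above the general deny"): run it over a rule list before clicking Apply and any accept that a broader deny already swallows is reported by index. The MAC-pinned run shows why Falcor prefers MAC-based rules, but his own caveat still applies: a MAC can be changed too, so, as Eric says, the control that actually protects the admin interface is HTTPS plus a strong password, with the filtering rules only reducing who can reach the login page.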