[ previous ] [ next ] [ threads ]
 From:  "Chris Bagnall" <m0n0wall at minotaur dot cc>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Re: can m0n0wall do this?
 Date:  Wed, 1 Sep 2004 08:47:15 +0100
> So you will enable dhcp on the m0n0wall and assign a static 
> IP to this specific mac adress.
> > The rest of the IP addresses (DHCP) he wants to allow only to go to 
> > two or three very specific URLs to upload business-related data but 
> > nothing else.

Be warned of course that the moment anyone tech-savvy connects to the
network and knows the IP address of the machine with unrestricted access,
they can simply force their machine to use that IP, bypassing DHCP entirely.
This is especially true if the "real" unrestricted machine is not always
powered up and using its IP.

> You need to know the ip-Adresses/Ranges of these web servers...
> > Is this possible?  Can I give a range of IP addresses to 
> m0n0 to only 
> > allow certain access while allowing the static pool to go anywhere 
> > they'd like?
> Yes. You might have to add multiple rules for any 
> ip-adress/range of the httpd. Have a look at the firewall 
> rules screenshots http://m0n0.ch/wall/screenshots.php

Again, be warned that while web addresses might remain constant, the IPs
behind them might change regularly, especially if the sites in question are
busy ones using a forward-proxying arrangement to distribute load to a
number of "real" webservers. In this case you'd have to work out the IPs for
all of them - could be a time consuming process, and add each of them

I'll be the first to admit it's none of my business, but I'd really hate to
work at a place that wanted to lock down employees' internet usage in this
way. Seems to me firewalls these days are being used as much for controlling
the people behind them as for preventing unauthorized packets coming in...
but that's a separate discussion ;-)


C.M. Bagnall, Partner, Minotaur
Tel: (07010) 710715   Mobile: (07811) 332969
ICQ: 13350579   AIM: MinotaurUK   MSN: minotauruk at hotmail dot com   Y!:
This email is made from 100% recycled electrons