 From:  "Rodman Frowert" <frowertr at i dash 1 dot net>
 To:  "James W. McKeand" <james at mckeand dot biz>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Setting up HotSpot
 Date:  Wed, 1 Sep 2004 11:28:37 -0500
Well I went ahead and enabled traffic shaper to throttle SMTP bandwidth as
suggested so that if a spammer does come in, he will only get a 50kbps pipe.
It seems to be working perfectly.  I set up a mask as "source" on the 50kbps
pipe.  According to what I have read, this will allow each client that
connects to get their own 50kbps pipe.  My pipe looks like this:

      No.  Bandwidth  Delay  Mask    Description
      1    50 Kbit/s         source  50kbps Pipe

And my rule looks like this:

      If         Proto  Source         Destination        Target       Description
      Wi-Fi Nic  TCP    Wi-Fi Nic net  * Port: 25 (SMTP)  50kbps Pipe  Mail Up-Stream Throttle

I don't have a way to test if the mask is working as I don't have two
wireless clients I can use to connect.  I guess I could make another traffic
shaping rule for the LAN and test it that way using a LAN computer and my
laptop.  Does everything look good here?

Also, I am thinking about blocking telnet and FTP access.  I don't think the
everyday user of my hotspot is going to need these services.  Is there
anything else I could be missing?  Because this is public access, should
anything be explicitly blocked or should I leave it all open and hope for
the best?

Man, the captive portal rocks!  I uploaded my own TOS agreement and it
looks great.

Thanks for all your help guys.  I really appreciate it.  I love this
program!  Hopefully I can go "live" by tomorrow.

Rodman
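Rodman asks whether the "source" mask really gives each client its own 50kbps pipe and says he cannot test it with a single wireless client. The Python below is an added example for this page, not m0n0wall code or anything posted in the thread. It models the dummynet-style behaviour m0n0wall's traffic shaper is built on (one FIFO pipe per mask key, each at the configured bandwidth; no mask means one shared pipe) and runs two constructed hotspot hosts, 10.10.10.100 and 10.10.10.101, that each offer 100 kbps of outbound SMTP for ten seconds. The host addresses, the mail server 198.51.100.25, the packet sizes and the rates are made up for the example.

```python
"""Added example: simulating m0n0wall's traffic-shaper pipe mask.

This is not m0n0wall code.  m0n0wall's shaper sits on FreeBSD dummynet, where
a pipe with a "source" mask becomes one queue per source IP, each with the full
configured bandwidth; with no mask every matched packet shares one queue.  The
hosts, rates and packet sizes below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

PIPE_BW_BPS = 50_000          # the 50 Kbit/s pipe from the post
SMTP_PORT = 25
HOTSPOT_PREFIX = "10.10.10."  # OPT1 net from the thread


@dataclass(frozen=True)
class Packet:
    t: float      # arrival time at the firewall, seconds
    src: str
    dst: str
    proto: str
    dport: int
    size: int     # bytes


def matches_rule(pkt: Packet) -> bool:
    """The shaper rule from the post: TCP, source Wi-Fi net, destination port 25."""
    return pkt.proto == "tcp" and pkt.src.startswith(HOTSPOT_PREFIX) and pkt.dport == SMTP_PORT


def pipe_key(pkt: Packet, mask: str) -> str:
    """Queue a matched packet lands in: 'none' is one shared pipe, 'source' is
    one pipe per client IP (the mask Rodman set), 'destination' one per server."""
    if mask == "none":
        return "shared"
    if mask == "source":
        return pkt.src
    if mask == "destination":
        return pkt.dst
    raise ValueError(f"unknown mask {mask!r}")


def simulate(packets, mask: str, duration: float, bw_bps: int = PIPE_BW_BPS) -> dict:
    """Bits delivered per source IP within `duration` seconds.

    Each pipe is a FIFO serialiser: a packet of s bits holds the pipe for s/bw
    seconds.  Packets that do not match the rule bypass the shaper entirely."""
    free_at = defaultdict(float)   # pipe key -> time the pipe is next free
    delivered = defaultdict(int)
    for pkt in sorted(packets, key=lambda p: (p.t, p.src)):
        if matches_rule(pkt):
            key = pipe_key(pkt, mask)
            start = max(pkt.t, free_at[key])
            done = start + pkt.size * 8 / bw_bps
            free_at[key] = done
        else:
            done = pkt.t               # unshaped traffic is not delayed
        if done <= duration:
            delivered[pkt.src] += pkt.size * 8
    return dict(delivered)


def kbps_per_source(packets, mask: str, duration: float) -> dict:
    """Achieved throughput per client in kbit/s over the window."""
    return {src: bits / duration / 1000
            for src, bits in simulate(packets, mask, duration).items()}


def smtp_flood(src: str, duration: float, rate_bps: int = 100_000, size: int = 1000) -> list:
    """Constructed traffic: `src` offers `rate_bps` of outbound SMTP, twice the pipe."""
    interval = size * 8 / rate_bps
    return [Packet(round(i * interval, 6), src, "198.51.100.25", "tcp", SMTP_PORT, size)
            for i in range(round(duration / interval))]


if __name__ == "__main__":
    window = 10.0
    traffic = smtp_flood("10.10.10.100", window) + smtp_flood("10.10.10.101", window)
    print("no mask     :", kbps_per_source(traffic, "none", window))    # about 24.8 kbps each
    print("mask source :", kbps_per_source(traffic, "source", window))  # about 49.6 kbps each
```

With no mask the two clients split one 50kbps pipe and get about 24.8 kbps each; with the source mask each gets the full pipe, about 49.6 kbps. A packet to port 443 from the same client is not matched by the rule and goes through unshaped, which is the point of throttling SMTP rather than everything. Note what the shaper does and does not do: a spammer on a masked pipe still sends, only at 50kbps, so it limits damage per client rather than detecting abuse.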

----- Original Message ----- 
From: "James W. McKeand" <james at mckeand dot biz>
To: "'Rodman Frowert'" <frowertr at i dash 1 dot net>
Cc: <m0n0wall at lists dot m0n0 dot ch>
Sent: Tuesday, August 31, 2004 4:37 PM
Subject: RE: [m0n0wall] Setting up HotSpot


> Make a rule for your Opt1 interface with source of Opt1 Subnet (port any)
> and a destination not LAN Subnet (port any - for testing) then restrict
> destination ports if you want.
>
> _________________________________
> James W. McKeand
>
>
> -----Original Message-----
> From: Rodman Frowert [mailto:frowertr at i dash 1 dot net]
> Sent: Tuesday, August 31, 2004 5:17 PM
> To: Dana Spiegel; Kevin Coleman
> Cc: m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] Setting up HotSpot
>
> I went ahead and changed everything over like you guys suggested.  My LAN
> is now on the LAN interface and my ADSL is now on the WAN interface and my
> access point is now on the OPT1 interface.  Now the configuration is as
> follows:
>
> WAN - IP is DHCP assigned by DSL provider
> LAN - IP is 192.168.1.1/24
> OPT - IP is 10.10.10.1/24 and DHCP is enabled to give wireless clients IP
> addresses in a range of 10.10.10.100 - 10.10.10.254
>
> But I can't get the OPT 1 interface working with my wireless laptop.  It
> doesn't even give out an IP address when I turn the laptop computer on
> (yes, it is configured to get an IP automatically).  I am guessing it is
> because I needed to make a firewall rule, but for the life of me I can't
> figure out the right rule I guess.  All I need is the OPT 1 to access the
> WAN and NOT the LAN.
>
> Any ideas or hints on what I am missing?
>
> Rodman
>
>
> From: "Dana Spiegel" <dana at sociableDESIGN dot com>
> To: "Kevin Coleman" <kevin at gabu dot com>
> Cc: <m0n0wall at lists dot m0n0 dot ch>
> Sent: Tuesday, August 31, 2004 8:59 AM
> Subject: Re: [m0n0wall] Setting up HotSpot
>
>
> > I would also rethink your rules below. Only allowing those ports will
> > make the hotspot very unusable.
> >
> > People put web servers on ports other than 80 and 443
> > People use IMAP
> > People use SMTP (and NYCwireless has a totally unrestricted network
> > where we've never seen a spammer send out millions of spam messages)
> > People use S/POP and S/IMAP
> > People use PPTP and IPSEC vpns (this is a big one, especially since
> > wireless hotspots are inherently insecure)
> > People use SSH (and SSH on ports other than 22)
> > People use other applications that make use of other ports
> >
> > Really your best bet is to put up the Captive Portal page, and set up
> > your network as Kevin recommends below.
> >
> > Dana Spiegel
> > Director, NYCwireless
> > dana at nycwireless dot net
> > www.nycwireless.net
> >
> > <mailto:dana at sociableDESIGN dot com>
> >
> >
> > Kevin Coleman wrote:
> >
> > >I'd take out the Linksys, put your 192.168.1.0/24 network on the LAN
> > >interface, your DSL/cable modem on the WAN interface, and connect
> > >your Wi-Fi AP to the DMZ interface.
> > >
> > >Then create a firewall rule that enables the DMZ to access the WAN.
> > >By default, LAN will be able to access the internet and DMZ will not
> > >be able to access the LAN.
> > >
> > >(K)
> > >
> > >-----Original Message-----
> > >From: Rodman Frowert [mailto:frowertr at i dash 1 dot net]
> > >Sent: Monday, August 30, 2004 9:16 PM
> > >To: m0n0wall at lists dot m0n0 dot ch
> > >Subject: [m0n0wall] Setting up HotSpot
> > >
> > >Hello.  After many hours of labor, I finally got m0n0 running today.
> > >I guess it pays to make sure you actually have a NIC chipset
> > >supported by FreeBSD...
> > >
> > >Anyway, I have a question or two about using m0n0 with a hotspot I am
> > >installing in my business.  I have a LAN behind my Linksys NAT
> > >router/switch with an IP/subnet range of 192.168.1.0/24.  Only 3
> > >computers connected to the switch.  What I am wanting to do is
> > >connect m0n0 right to the switch on my LAN (through m0n0 WAN device).
> > >Then I want to connect my wireless AP to the m0n0 box.  The problem
> > >is, I don't know if I should use the DMZ/OPT1 interface or the LAN
> > >interface.  I won't need anything connected to the LAN interface on
> > >the m0n0 box so could I actually just connect the AP to the LAN
> > >interface and my hotspot becomes "another LAN" in effect?
> > >
> > >I then need to make sure m0n0 blocks all access to my actual "real"
> > >wired LAN since all I want the wireless clients to do is surf and not
> > >sniff my network.  Would I simply need to set up a rule for the LAN
> > >interface that would block all outgoing traffic that had a
> > >destination of 192.168.1.0/24?
> > >
> > >Lastly, I need m0n0 to block access to everything the wireless
> > >clients can do except pop3, http, and https.  Would I simply add a
> > >set of allow rules to the LAN interface again something to the idea
> > >of this:
> > >
> > >Proto    Source    Port       Destination    Port
> > >
> > >TCP      LAN net   *           *              80  (HTTP)
> > >TCP      LAN net   *           *              110 (POP3)
> > >TCP      LAN net   *           *              443 (HTTPS)
> > >
> > >Then at the bottom of those 3 rules have one that blocks EVERYTHING
> > >else?
> > >
> > >Thanks in advance for any help, guys!
> > >
> > >Rodman Frowert
> > >
> > >
> > >---------------------------------------------------------------------
> > >To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> > >For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> > >
> >
>
>
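James's rule (pass from the OPT1 subnet to anything that is not the LAN subnet) and Rodman's earlier draft (allow only ports 80, 110 and 443 and block everything else) are both interface rule sets that m0n0wall evaluates top to bottom, first match wins, with an OPT interface blocking whatever no rule passes. The Python below is an added example for this page, not m0n0wall's rule engine, that applies those semantics to sample packets so the two approaches can be compared, including the VPN and IMAPS cases Dana raises. The networks follow the thread (LAN 192.168.1.0/24, OPT1 10.10.10.0/24); the hosts 10.10.10.100, 192.168.1.5 and 203.0.113.10 are made up.

```python
"""Added example: first-match evaluation of m0n0wall-style interface rules.

Not m0n0wall's rule engine.  It applies the semantics the thread relies on:
rules are attached to the interface a packet enters on, are checked top to
bottom, the first match decides, and an OPT interface with no matching rule
blocks.  Networks follow the thread; the hosts used below are made up.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN_NET = ipaddress.ip_network("192.168.1.0/24")    # wired LAN from the thread
OPT1_NET = ipaddress.ip_network("10.10.10.0/24")    # hotspot / OPT1 from the thread


@dataclass(frozen=True)
class Rule:
    iface: str                                   # interface the packet arrives on
    action: str                                  # "pass" or "block"
    proto: Optional[str] = None                  # None = any protocol
    src: Optional[ipaddress.IPv4Network] = None  # None = any source
    dst: Optional[ipaddress.IPv4Network] = None  # None = any destination
    dst_negate: bool = False                     # the "not" on the destination field
    dport: Optional[int] = None                  # None = any port


def rule_matches(rule: Rule, iface: str, proto: str,
                 src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address,
                 dport: Optional[int]) -> bool:
    if rule.iface != iface:
        return False
    if rule.proto is not None and rule.proto != proto:
        return False
    if rule.src is not None and src not in rule.src:
        return False
    if rule.dst is not None and (dst in rule.dst) == rule.dst_negate:
        return False   # inside a negated net, or outside a plain one
    if rule.dport is not None and rule.dport != dport:
        return False
    return True


def decide(rules, iface: str, proto: str, src: str, dst: str,
           dport: Optional[int] = None) -> str:
    """Return 'pass' or 'block' for one packet.  No match on an OPT interface = block."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule_matches(rule, iface, proto, s, d, dport):
            return rule.action
    return "block"


# James's suggestion: OPT1 subnet to anything that is not the LAN subnet, any port.
HOTSPOT_RULES = [Rule("opt1", "pass", src=OPT1_NET, dst=LAN_NET, dst_negate=True)]

# Rodman's first draft: only HTTP, POP3 and HTTPS; everything else hits the default block.
ALLOWLIST_RULES = [Rule("opt1", "pass", proto="tcp", src=OPT1_NET, dport=p)
                   for p in (80, 110, 443)]


if __name__ == "__main__":
    client = "10.10.10.100"
    for dst, proto, port in (("203.0.113.10", "tcp", 443), ("192.168.1.5", "tcp", 445),
                             ("203.0.113.10", "udp", 500), ("203.0.113.10", "tcp", 993)):
        print(f"{proto}/{port} to {dst}: "
              f"!LAN rule={decide(HOTSPOT_RULES, 'opt1', proto, client, dst, port)} "
              f"allow-list={decide(ALLOWLIST_RULES, 'opt1', proto, client, dst, port)}")
```

The "not LAN subnet" rule lets the hotspot client reach any Internet host on any protocol while anything aimed at 192.168.1.0/24 falls through to the default block, which is exactly the "surf but don't sniff my network" requirement. The allow-list blocks the same LAN traffic, but also blocks UDP 500 (IKE for IPsec VPNs) and TCP 993 (IMAPS), which is Dana's objection in concrete form. With no rule at all on OPT1, every packet is blocked.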