 From:  Dana Spiegel <dana at sociableDESIGN dot com>
 To:  Rodman Frowert <frowertr at i dash 1 dot net>
 Cc:  "James W. McKeand" <james at mckeand dot biz>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Setting up HotSpot
 Date:  Wed, 01 Sep 2004 12:41:20 -0400
Telnet blocking is fine (no one should use it).
Blocking FTP is your own choice. I don't think it's necessary, but that's 
entirely up to you.

I'd also explicitly block virus ports (I think 135-139, which are 
popular windows exploit ports). Does someone want to verify these for 
me, since I'm not sure if they are exactly correct?

Otherwise, I'd leave everything else open. Also, you might want to only 
redirect port 80/443 since those are the only ones where you can see the 
TOS. This will allow newer Wi-fi VOIP phones to work without having to 
go through the captive portal (which they obviously can't do without a 
proper screen).

D a n a   S p i e g e l
s o c i a b l e D E S I G N  ::  www.sociableDESIGN.com
123 Bank Street, Suite 510, New York, NY 10014
p  +1 917 402 0422  ::  e  dana at sociableDESIGN dot com
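To make the advice in this thread concrete, here is an added example (written for this archive page; it is not m0n0wall code and was not posted by anyone in the thread). It models James's OPT1 rule ("source OPT1 subnet, destination not LAN subnet") with an explicit block on ports 135-139 placed ahead of it, as Dana suggests, and Rodman's per-source 50 kbit/s SMTP pipe with mask "source", so the two-client test he could not run can at least be checked on paper. The subnets come from the thread (OPT1 10.10.10.0/24, LAN 192.168.1.1/24); the first-match evaluator, the "any" protocol on the port block, and the Internet address 198.51.100.7 are assumptions, not how m0n0wall's ipfilter and dummynet actually implement things.

```python
# Added example, not m0n0wall code or anything posted in the thread.
# First-match firewall evaluator for the OPT1 (wireless) interface plus a
# per-source traffic-shaper queue lookup.  Subnets follow the thread; the
# evaluation model is a simplification and an assumption, not m0n0wall's
# real ipfilter/dummynet behaviour.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

OPT1_NET = ip_network("10.10.10.0/24")   # wireless clients (from the thread)
LAN_NET = ip_network("192.168.1.0/24")   # wired LAN (from the thread)


@dataclass
class Rule:
    action: str                           # "pass" or "block"
    proto: str                            # "tcp", "udp" or "any"
    src: Optional[IPv4Network]            # None means any source
    dst: Optional[IPv4Network]            # None means any destination
    dst_not: bool = False                 # models the "not" checkbox on destination
    dports: Tuple[int, int] = (0, 65535)  # inclusive destination port range
    desc: str = ""

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        if self.proto != "any" and self.proto != proto:
            return False
        if self.src is not None and ip_address(src) not in self.src:
            return False
        if self.dst is not None:
            # "not" inverts the subnet test: match only when dst is outside it
            if (ip_address(dst) in self.dst) == self.dst_not:
                return False
        return self.dports[0] <= dport <= self.dports[1]


# Rules on the OPT1 interface, top to bottom; the first match wins, so the
# explicit block has to sit above the broad pass rule.
OPT1_RULES = [
    Rule("block", "any", OPT1_NET, None, dports=(135, 139),
         desc="explicit block of the Windows ports Dana mentions"),
    Rule("pass", "any", OPT1_NET, LAN_NET, dst_not=True,
         desc="James's rule: OPT1 subnet to anything except LAN subnet"),
]


def evaluate(rules, proto, src, dst, dport=0):
    """Walk the list in order; the first matching rule decides.
    Anything unmatched falls to the implicit default block."""
    for r in rules:
        if r.matches(proto, src, dst, dport):
            return r.action, r.desc
    return "block", "implicit default block"


# Traffic shaper: Rodman's pipe and rule.  mask "source" means dummynet
# keeps one queue per distinct source address.
PIPES = {"50kbps Pipe": {"bandwidth_kbps": 50, "mask": "source"}}


@dataclass
class ShaperRule:
    proto: str
    src: IPv4Network
    dport: int
    pipe: str


SHAPER_RULES = [ShaperRule("tcp", OPT1_NET, 25, "50kbps Pipe")]


def shaper_queue(proto, src, dst, dport):
    """Return (pipe name, queue key, kbit/s) for a packet, or None when it
    is not shaped.  With mask 'source' each client lands in its own queue,
    which is what gives every wireless client its own 50 kbit/s."""
    for r in SHAPER_RULES:
        if r.proto == proto and ip_address(src) in r.src and r.dport == dport:
            pipe = PIPES[r.pipe]
            key = src if pipe["mask"] == "source" else "shared"
            return r.pipe, key, pipe["bandwidth_kbps"]
    return None


if __name__ == "__main__":
    # Constructed sample packets: wireless client to LAN, to the Internet, and
    # to a blocked port on the Internet.
    for pkt in [("tcp", "10.10.10.100", "192.168.1.5", 80),
                ("tcp", "10.10.10.100", "198.51.100.7", 443),
                ("tcp", "10.10.10.100", "198.51.100.7", 139)]:
        print(pkt, "->", evaluate(OPT1_RULES, *pkt))
    print(shaper_queue("tcp", "10.10.10.100", "198.51.100.7", 25))
    print(shaper_queue("tcp", "10.10.10.101", "198.51.100.7", 25))
```

Running it shows the LAN destination hitting the implicit default block (no rule passes it), Internet traffic passing, port 139 being stopped by the explicit rule, and two different client addresses landing in two separate 50 kbit/s queues. Swapping the two firewall rules lets port 139 through, which is the usual mistake with first-match rule sets.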


Rodman Frowert wrote:

>Well I went ahead and enabled traffic shaper to throttle SMTP bandwidth as
>suggested so that if a spammer does come in, he will only get a 50kbps pipe.
>It seems to be working perfectly.  I set up a mask as "source" on the 50kbps
>pipe.  According to what I have read, this will allow each client that
>connects to get their own 50kbps pipe.  My pipe looks like this:
>
>      No.  Bandwidth  Delay  Mask    Description
>      1    50 Kbit/s         source  50kbps Pipe
>
>And my rule looks like this:
>
>      If         Proto  Source         Destination        Target       Description
>      Wi-Fi Nic  TCP    Wi-Fi Nic net  * Port: 25 (SMTP)  50kbps Pipe  Mail Up-Stream Throttle
>
>
>
>I don't have a way to test if the mask is working as I don't have two
>wireless clients I can use to connect.  I guess I could make another traffic
>shaping rule for the LAN and test it that way using a LAN computer and my
>laptop.  Does everything look good here?
>
>Also, I am thinking about blocking telnet and FTP access.  I don't think the
>everyday user to my hotspot is going to need these services.  Is there
>anything else I could be missing.  Because this is public access, should
>anything be explicitly blocked or should I leave it all open and hope for
>the best?
>
>Man, the captive portal rocks!  I uploaded my own TOS agreement and it
>looks great.
>
>Thanks for all your help guys.  I really appreciate it.  I love this
>program!  Hopefully I can go "live" by tomorrow.
>
>Rodman
>
>----- Original Message ----- 
>From: "James W. McKeand" <james at mckeand dot biz>
>To: "'Rodman Frowert'" <frowertr at i dash 1 dot net>
>Cc: <m0n0wall at lists dot m0n0 dot ch>
>Sent: Tuesday, August 31, 2004 4:37 PM
>Subject: RE: [m0n0wall] Setting up HotSpot
>
>
>>Make a rule for your Opt1 interface with source of Opt1 Subnet (port any)
>>and a destination not LAN Subnet (port any - for testing) then restrict
>>destination ports if want.
>>
>>_________________________________
>>James W. McKeand
>>
>>
>>-----Original Message-----
>>From: Rodman Frowert [mailto:frowertr at i dash 1 dot net]
>>Sent: Tuesday, August 31, 2004 5:17 PM
>>To: Dana Spiegel; Kevin Coleman
>>Cc: m0n0wall at lists dot m0n0 dot ch
>>Subject: Re: [m0n0wall] Setting up HotSpot
>>
>>I went ahead and changed everything over like you guys suggested.  My LAN is
>>now on the LAN interface and my ADSL is now on the WAN interface and my
>>access point is now on the OPT1 interface.  Now the configuration is as
>>follows:
>>
>>WAN - IP is DHCP assigned by DSL provider
>>LAN - IP is 192.168.1.1/24
>>OPT - IP is 10.10.10.1/24 and DHCP is enabled to give wireless clients IP
>>addresses in a range of 10.10.10.100 - 10.10.10.254
>>
>>But I can't get the OPT 1 interface working with my wireless laptop.  It
>>doesn't even give out an IP address when I turn the laptop computer on (yes,
>>it is configured to get an IP automatically).  I am guessing it is because I
>>needed to make a firewall rule, but for the life of me I can't figure out
>>the right rule I guess.  All I need is the OPT 1 to access the WAN and NOT
>>the LAN.
>>
>>Any ideas or hints on what I am missing?
>>
>>Rodman
>>
>>
>>From: "Dana Spiegel" <dana at sociableDESIGN dot com>
>>To: "Kevin Coleman" <kevin at gabu dot com>
>>Cc: <m0n0wall at lists dot m0n0 dot ch>
>>Sent: Tuesday, August 31, 2004 8:59 AM
>>Subject: Re: [m0n0wall] Setting up HotSpot
>>
>>
>>>I would also rethink your rules below. Only allowing those ports will
>>>make the hotspot very unusable.
>>>
>>>People put web servers on ports other than 80 and 443
>>>People use IMAP
>>>People use SMTP (and NYCwireless has a totally unrestricted network
>>>where we've never seen a spammer send out millions of spam messages)
>>>People use S/POP and S/IMAP
>>>People use PPTP and IPSEC vpns (this is a big one, especially since
>>>wireless hotspots are inherently insecure)
>>>People use SSH (and SSH on ports other than 22)
>>>People use other applications that make use of other ports
>>>
>>>Really your best bet is to put up the Captive Portal page, and set up
>>>your network as Kevin recommends below.
>>>
>>>Dana Spiegel
>>>Director, NYCwireless
>>>dana at nycwireless dot net
>>>www.nycwireless.net
>>>
>>>
>>>
>>>Kevin Coleman wrote:
>>>
>>>>I'd take out the Linksys, put your 192.169.1.0/24 network on the LAN
>>>>interface, your DSL/cable modem on the WAN interface, and connect
>>>>your Wi-Fi AP to the DMZ interface.
>>>>
>>>>Then create a firewall rule that enables the DMZ to access the WAN.
>>>>By default, LAN will be able to access the internet and DMZ will not
>>>>be able to access the LAN.
>>>>
>>>>(K)
>>>>
>>>>-----Original Message-----
>>>>From: Rodman Frowert [mailto:frowertr at i dash 1 dot net]
>>>>Sent: Monday, August 30, 2004 9:16 PM
>>>>To: m0n0wall at lists dot m0n0 dot ch
>>>>Subject: [m0n0wall] Setting up HotSpot
>>>>
>>>>Hello.  After many hours of labor, I finally got m0n0 running today.
>>>>I guess it pays to make sure you actually have a NIC chipset
>>>>supported by FreeBSD...
>>>>
>>>>Anyway, I have a question or two about using m0n0 with a hotspot I am
>>>>installing in my business.  I have a LAN behind my Linksys NAT
>>>>router/switch with an IP/subnet range of 192.168.1.0/24.  Only 3
>>>>computers connected to the switch.  What I am wanting to do is
>>>>connect m0n0 right to the switch on my LAN (through m0n0 WAN device).
>>>>Then I want to connect my wireless AP to the m0n0 box.  The problem
>>>>is, I don't know if I should use the DMZ/OPT1 interface or the LAN
>>>>interface.  I won't need anything connected to the LAN interface on
>>>>the m0n0 box so could I actually just connect the AP to the LAN
>>>>interface and my hotspot becomes "another lan" in effect?
>>>>
>>>>I then need to make sure m0n0 blocks all access to my actual "real"
>>>>wired lan since all I want the wireless clients to do is surf and not
>>>>sniff my network.  Would I simply need to set up a rule for the LAN
>>>>interface that would block all outgoing traffic that had a
>>>>destination of 192.168.1.0/24?
>>>>
>>>>Lastly, I need m0n0 to block access to everything the wireless
>>>>clients can do except pop3, http, and https.  Would I simply add a
>>>>set of allow rules to the LAN interface again something to the idea
>>>>of this:
>>>>
>>>>Proto    Source    Port       Destination    Port
>>>>
>>>>TCP      LAN net   *           *              80  (HTTP)
>>>>TCP      LAN net   *           *              110 (POP3)
>>>>TCP      LAN net   *           *              443 (HTTPS)
>>>>
>>>>Then at the bottom of those 3 rules have one that blocks EVERYTHING
>>>>else?
>>>>
>>>>Thanks in advance for any help, guys!
>>>>
>>>>Rodman Frowert
>>>>
>>>>
>>>>---------------------------------------------------------------------
>>>>To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>>>>For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>>>>
>>>>
>
>