 From:  Kevin Coleman <kevin at gabu dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Setting up HotSpot
 Date:  Wed, 01 Sep 2004 09:55:16 -0700
You may want to also block port 445. This is the port for SMB over TCP/IP. 
It will, however, prevent legitimate file sharing in addition to the spread 
of virus attacks.

(K)
----- Original Message ----- 
From: "Dana Spiegel" <dana at sociableDESIGN dot com>
To: "Rodman Frowert" <frowertr at i dash 1 dot net>
Cc: "James W. McKeand" <james at mckeand dot biz>; <m0n0wall at lists dot m0n0 dot ch>
Sent: Wednesday, September 01, 2004 9:41 AM
Subject: Re: [m0n0wall] Setting up HotSpot


> Telnet blocking is fine (no one should use it)
> Blocking FTP is your own choice. I don't think it's necessary, but that's
> entirely up to you.
>
> I'd also explicitly block virus ports (I think 135-139, which are
> popular windows exploit ports). Does someone want to verify these for
> me, since I'm not sure if they are exactly correct?
>
> Otherwise, I'd leave everything else open. Also, you might want to only
> redirect port 80/443 since those are the only ones where you can see the
> TOS. This will allow newer Wi-fi VOIP phones to work without having to
> go through the captive portal (which they obviously can't do without a
> proper screen).
>
> *D a n a   S p i e g e l*
> *s o c i a b l e D E S I G N*  *::*  *www.sociableDESIGN.com
> <http://www.sociableDESIGN.com>*
> 123 Bank Street, Suite 510, New York, NY 10014
> p  +1 917 402 0422  ::  e  dana at sociableDESIGN dot com
> <mailto:dana at sociableDESIGN dot com>
>
>
> Rodman Frowert wrote:
>
>>Well I went ahead and enabled traffic shaper to throttle SMTP bandwidth as
>>suggested so that if a spammer does come in, he will only get a 50kbps pipe.
>>It seems to be working perfectly.  I set up a mask as "source" on the 50kbps
>>pipe.  According to what I have read, this will allow each client that
>>connects to get their own 50kbps pipe.  My pipe looks like this:
>>
>>      No.  Bandwidth   Delay  Mask    Description
>>      1    50 Kbit/s          source  50kbps Pipe
>>
>>
>>
>>And my rule looks like this:
>>
>>      If         Proto  Source         Destination          Target       Description
>>      Wi-Fi Nic  TCP    Wi-Fi Nic net  *  Port: 25 (SMTP)  50kbps Pipe  Mail Up-Stream Throttle
>>
>>
>>
>>I don't have a way to test if the mask is working as I don't have two
>>wireless clients I can use to connect.  I guess I could make another traffic
>>shaping rule for the LAN and test it that way using a LAN computer and my
>>laptop.  Does everything look good here?
>>
>>Also, I am thinking about blocking telnet and FTP access.  I don't think the
>>everyday user to my hotspot is going to need these services.  Is there
>>anything else I could be missing?  Because this is public access, should
>>anything be explicitly blocked or should I leave it all open and hope for
>>the best?
>>
>>Man, the captive portal rocks!  I uploaded my own TOS agreement and it
>>looks great.
>>
>>Thanks for all your help guys.  I really appreciate it.  I love this
>>program!  Hopefully I can go "live" by tomorrow.
>>
>>Rodman
>>
>>----- Original Message ----- 
>>From: "James W. McKeand" <james at mckeand dot biz>
>>To: "'Rodman Frowert'" <frowertr at i dash 1 dot net>
>>Cc: <m0n0wall at lists dot m0n0 dot ch>
>>Sent: Tuesday, August 31, 2004 4:37 PM
>>Subject: RE: [m0n0wall] Setting up HotSpot
>>
>>
>>
>>
>>>Make a rule for your Opt1 interface with source of Opt1 Subnet (port any)
>>>and a destination not LAN Subnet (port any - for testing) then restrict
>>>destination ports if you want.
>>>
>>>_________________________________
>>>James W. McKeand
>>>
>>>
>>>-----Original Message-----
>>>From: Rodman Frowert [mailto:frowertr at i dash 1 dot net]
>>>Sent: Tuesday, August 31, 2004 5:17 PM
>>>To: Dana Spiegel; Kevin Coleman
>>>Cc: m0n0wall at lists dot m0n0 dot ch
>>>Subject: Re: [m0n0wall] Setting up HotSpot
>>>
>>>I went ahead and changed everything over like you guys suggested.  My LAN is
>>>now on the LAN interface and my ADSL is now on the WAN interface and my
>>>access point is now on the OPT1 interface.  Now the configuration is as
>>>follows:
>>>
>>>WAN - IP is DHCP assigned by DSL provider
>>>LAN - IP is 192.168.1.1/24
>>>OPT - IP is 10.10.10.1/24 and DHCP is enabled to give wireless clients IP
>>>addresses in a range of 10.10.10.100 - 10.10.10.254
>>>
>>>But I can't get the OPT 1 interface working with my wireless laptop.  It
>>>doesn't even give out an IP address when I turn the laptop computer on (yes,
>>>it is configured to get an IP automatically).  I am guessing it is because I
>>>needed to make a firewall rule, but for the life of me I can't figure out
>>>the right rule I guess.  All I need is the OPT 1 to access the WAN and NOT
>>>the LAN.
>>>
>>>Any ideas or hints on what I am missing?
>>>
>>>Rodman
>>>
>>>
>>>From: "Dana Spiegel" <dana at sociableDESIGN dot com>
>>>To: "Kevin Coleman" <kevin at gabu dot com>
>>>Cc: <m0n0wall at lists dot m0n0 dot ch>
>>>Sent: Tuesday, August 31, 2004 8:59 AM
>>>Subject: Re: [m0n0wall] Setting up HotSpot
>>>
>>>
>>>
>>>
>>>>I would also rethink your rules below. Only allowing those ports will
>>>>make the hotspot very unusable.
>>>>
>>>>People put web servers on ports other than 80 and 443
>>>>People use IMAP
>>>>People use SMTP (and NYCwireless has a totally unrestricted network
>>>>where we've never seen a spammer send out millions of spam messages)
>>>>People use S/POP and S/IMAP
>>>>People use PPTP and IPSEC vpns (this is a big one, especially since
>>>>wireless hotspots are inherently insecure)
>>>>People use SSH (and SSH on ports other than 22)
>>>>People use other applications that make use of other ports
>>>>
>>>>Really your best bet is to put up the Captive Portal page, and set up
>>>>your network as Kevin recommends below.
>>>>
>>>>Dana Spiegel
>>>>Director, NYCwireless
>>>>dana at nycwireless dot net
>>>>www.nycwireless.net
>>>>
>>>><mailto:dana at sociableDESIGN dot com>
>>>>
>>>>
>>>>Kevin Coleman wrote:
>>>>
>>>>
>>>>
>>>>>I'd take out the Linksys, put your 192.169.1.0/24 network on the LAN
>>>>>interface, your DSL/cable modem on the WAN interface, and connect
>>>>>your Wi-Fi AP to the DMZ interface.
>>>>>
>>>>>Then create a firewall rule that enables the DMZ to access the WAN.
>>>>>By default, LAN will be able to access the internet and DMZ will not
>>>>>be able to access the LAN.
>>>>>
>>>>>(K)
>>>>>
>>>>>-----Original Message-----
>>>>>From: Rodman Frowert [mailto:frowertr at i dash 1 dot net]
>>>>>Sent: Monday, August 30, 2004 9:16 PM
>>>>>To: m0n0wall at lists dot m0n0 dot ch
>>>>>Subject: [m0n0wall] Setting up HotSpot
>>>>>
>>>>>Hello.  After many hours of labor, I finally got m0n0 running today.
>>>>>I guess it pays to make sure you actually have a NIC chipset
>>>>>supported by FreeBSD...
>>>>>
>>>>>Anyway, I have a question or two about using m0n0 with a hotspot I am
>>>>>installing in my business.  I have a LAN behind my Linksys Nat
>>>>>router/switch with an IP/subnet range of 192.168.1.0/24.  Only 3
>>>>>computers connected to the switch.  What I am wanting to do is
>>>>>connect m0n0 right to the switch on my LAN (through m0n0 WAN device).
>>>>>Then I want to connect my wireless AP to the m0n0 box.  The problem
>>>>>is, I don't know if I should use the DMZ/OPT1 interface or the LAN
>>>>>interface.  I won't need anything connected to the LAN interface on
>>>>>the m0n0 box so could I actually just connect the AP to the LAN
>>>>>interface and my hotspot becomes "another lan" in effect?
>>>>>
>>>>>I then need to make sure m0n0 blocks all access to my actual "real" wired
>>>>>lan since all I want the wireless clients to do is surf and not sniff
>>>>>my network.  Would I simply need to set up a rule for the LAN
>>>>>interface that would block all outgoing traffic that had a
>>>>>destination of 192.168.1.0/24?
>>>>>
>>>>>Lastly, I need m0n0 to block access to everything the wireless
>>>>>clients can do except pop3, http, and https.  Would I simply add a
>>>>>set of allow rules to the LAN interface again something to the idea
>>>>>of this:
>>>>>
>>>>>Proto    Source    Port       Destination    Port
>>>>>
>>>>>TCP      LAN net   *           *              80  (HTTP)
>>>>>TCP      LAN net   *           *              110 (POP3)
>>>>>TCP      LAN net   *           *              443 (HTTPS)
>>>>>
>>>>>Then at the bottom of those 3 rules have one that blocks EVERYTHING
>>>>>else?
>>>>>
>>>>>Thanks in advance for any help, guys!
>>>>>
>>>>>Rodman Frowert
>>>>>
>>>>>
>>>>>---------------------------------------------------------------------
>>>>>To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>>>>>For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>>>>>
>>>>>
>
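As an added example (not part of this thread or of m0n0wall itself): a small first-match model of the OPT1 rule set the thread converges on (explicit blocks for telnet, 135-139 and 445, then pass from the OPT1 subnet to anything that is not the LAN subnet, default deny for the rest), so the hotspot isolation can be checked before going live. It assumes m0n0wall evaluates rules first-match with an implicit deny; the addresses are the ones Rodman posted, and the test hosts are constructed.

```python
# Added example (not from the mailing-list thread): a first-match model of the
# OPT1 rule set discussed above, used to check the intended hotspot isolation.
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

LAN_NET = ipaddress.ip_network("192.168.1.0/24")   # wired LAN (from the thread)
OPT1_NET = ipaddress.ip_network("10.10.10.0/24")   # wireless hotspot (from the thread)

@dataclass
class Rule:
    action: str                          # "pass" or "block"
    proto: str                           # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network | None    # None means any source
    dst: ipaddress.IPv4Network | None    # None means any destination
    dst_negate: bool = False             # True models m0n0wall's "not" destination
    ports: tuple = ()                    # (low, high) inclusive; empty means any port

    def matches(self, proto, src, dst, dport):
        if self.proto != "any" and self.proto != proto:
            return False
        if self.src is not None and src not in self.src:
            return False
        if self.dst is not None:
            in_dst = dst in self.dst
            if in_dst == self.dst_negate:    # inside when negated, outside when not
                return False
        if self.ports and not (self.ports[0] <= dport <= self.ports[1]):
            return False
        return True

# Rule order on the OPT1 interface as suggested in the thread: explicit blocks
# first, then one pass rule to everything except the LAN subnet. Anything that
# matches no rule is dropped by the default policy (assumption: implicit deny).
OPT1_RULES = [
    Rule("block", "tcp", OPT1_NET, None, ports=(23, 23)),      # telnet
    Rule("block", "tcp", OPT1_NET, None, ports=(135, 139)),    # NetBIOS/RPC
    Rule("block", "tcp", OPT1_NET, None, ports=(445, 445)),    # SMB over TCP/IP
    Rule("pass", "any", OPT1_NET, LAN_NET, dst_negate=True),   # OPT1 -> not LAN
]

def decide(proto, src, dst, dport, rules=OPT1_RULES):
    """Return the action of the first matching rule, or 'block' (default deny)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(proto, src, dst, dport):
            return rule.action
    return "block"
```

Note that SMTP (port 25) still passes here; the thread handles it with the traffic shaper pipe rather than a firewall block, and that is not modelled.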