 
 From:  "James W. McKeand" <james at mckeand dot biz>
 To:  "'Dana Spiegel'" <dana at sociableDESIGN dot com>, "'Rodman Frowert'" <frowertr at i dash 1 dot net>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Setting up HotSpot
 Date:  Wed, 1 Sep 2004 15:01:38 -0400
From http://www.iana.org/assignments/port-numbers (the best list of assigned
ports...)

netbios-ns      137/tcp    NETBIOS Name Service    
netbios-ns      137/udp    NETBIOS Name Service    
netbios-dgm     138/tcp    NETBIOS Datagram Service
netbios-dgm     138/udp    NETBIOS Datagram Service
netbios-ssn     139/tcp    NETBIOS Session Service
netbios-ssn     139/udp    NETBIOS Session Service

I have also heard of blocking:

epmap           135/tcp    DCE endpoint resolution
epmap           135/udp    DCE endpoint resolution

And

microsoft-ds    445/tcp    Microsoft-DS
microsoft-ds    445/udp    Microsoft-DS

Not sure on the 135

_________________________________
James W. McKeand
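An added illustration, not code from anyone in this thread or from m0n0wall itself: a first-match evaluator in Python for the OPT1 rule set discussed above (block the NetBIOS/epmap/Microsoft-DS ports and telnet, pass OPT1 subnet to anything that is not the LAN subnet, default deny) plus the "mask = source" shaper pipe Rodman set up for SMTP. The addressing (10.10.10.0/24 wireless, 192.168.1.0/24 LAN), the rule fields and all sample flows are assumptions taken from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set

# Assumed addressing from the thread: LAN 192.168.1.0/24, OPT1 (wireless) 10.10.10.0/24
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
OPT1_NET = ipaddress.ip_network("10.10.10.0/24")
# NetBIOS (137-139), epmap (135) and Microsoft-DS (445) as listed above
WINDOWS_PORTS = {135, 137, 138, 139, 445}


@dataclass
class Rule:
    action: str                              # "pass" or "block"
    proto: str                               # "tcp", "udp" or "any"
    src: Optional[ipaddress.IPv4Network]     # None = any source
    dst: Optional[ipaddress.IPv4Network]     # None = any destination
    dports: Optional[Set[int]]               # None = any destination port
    negate_dst: bool = False                 # True = "destination NOT this subnet"


# Rules for the OPT1 interface, evaluated top to bottom, first match wins
OPT1_RULES = [
    Rule("block", "any", OPT1_NET, None, WINDOWS_PORTS),        # SMB/NetBIOS/RPC
    Rule("block", "tcp", OPT1_NET, None, {23}),                 # telnet
    Rule("pass", "any", OPT1_NET, LAN_NET, None, negate_dst=True),  # OPT1 -> not LAN
]


def matches(rule, proto, src, dst, dport):
    if rule.proto not in ("any", proto):
        return False
    if rule.src is not None and src not in rule.src:
        return False
    # With negate_dst the rule matches only when dst is OUTSIDE rule.dst
    if rule.dst is not None and (dst in rule.dst) == rule.negate_dst:
        return False
    return rule.dports is None or dport in rule.dports


def evaluate(proto, src, dst, dport):
    """Verdict for one flow arriving on OPT1; anything no rule passes is blocked."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in OPT1_RULES:
        if matches(rule, proto, src, dst, dport):
            return rule.action
    return "block"


def shaper_pipe(proto, src, dport):
    """Mask = source: every wireless client lands in its own 50 kbit/s SMTP queue."""
    if proto == "tcp" and dport == 25:
        return ("50kbps Pipe", src)    # queue is keyed by the client's address
    return None
```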


________________________________

From: Dana Spiegel [mailto:dana at sociableDESIGN dot com] 
Sent: Wednesday, September 01, 2004 12:41 PM
To: Rodman Frowert
Cc: James W. McKeand; m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Setting up HotSpot


Telnet blocking is fine (no one should use it).
Blocking FTP is your own choice. I don't think it's necessary, but that's
entirely up to you.

I'd also explicitly block virus ports (I think 135-139, which are popular
Windows exploit ports). Does someone want to verify these for me, since I'm
not sure if they are exactly correct?

Otherwise, I'd leave everything else open. Also, you might want to only
redirect port 80/443 since those are the only ones where you can see the
TOS. This will allow newer Wi-fi VOIP phones to work without having to go
through the captive portal (which they obviously can't do without a proper
screen).


D a n a   S p i e g e l
s o c i a b l e D E S I G N  ::  www.sociableDESIGN.com
123 Bank Street, Suite 510, New York, NY 10014
p  +1 917 402 0422  ::  e  dana at sociableDESIGN dot com



Rodman Frowert wrote: 

	Well I went ahead and enabled traffic shaper to throttle SMTP bandwidth as
	suggested so that if a spammer does come in, he will only get a 50kbps pipe.
	It seems to be working perfectly.  I set up a mask as "source" on the 50kbps
	pipe.  According to what I have read, this will allow each client that
	connects to get their own 50kbps pipe.  My pipe looks like this:
	
	      No.  Bandwidth   Delay  Mask    Description
	      1    50 Kbit/s          source  50kbps Pipe
	
	And my rule looks like this:
	
	      If         Proto  Source         Destination          Target       Description
	      Wi-Fi Nic  TCP    Wi-Fi Nic net  *  Port: 25 (SMTP)   50kbps Pipe  Mail Up-Stream Throttle
	
	
	
	I don't have a way to test if the mask is working as I don't have two
	wireless clients I can use to connect.  I guess I could make another traffic
	shaping rule for the LAN and test it that way using a LAN computer and my
	laptop.  Does everything look good here?
	
	Also, I am thinking about blocking telnet and FTP access.  I don't think the
	everyday user to my hotspot is going to need these services.  Is there
	anything else I could be missing?  Because this is public access, should
	anything be explicitly blocked or should I leave it all open and hope for
	the best?
	
	Man, the captive portal rocks!  I uploaded my own TOS agreement and it
	looks great.
	
	Thanks for all your help guys.  I really appreciate it.  I love this
	program!  Hopefully I can go "live" by tomorrow.
	
	Rodman
	
	----- Original Message -----
	From: "James W. McKeand" <james at mckeand dot biz>
	To: "'Rodman Frowert'" <frowertr at i dash 1 dot net>
	Cc: <m0n0wall at lists dot m0n0 dot ch>
	Sent: Tuesday, August 31, 2004 4:37 PM
	Subject: RE: [m0n0wall] Setting up HotSpot
	

		Make a rule for your Opt1 interface with source of Opt1 Subnet (port any)
		and a destination not LAN Subnet (port any - for testing) then restrict
		destination ports if want.
		
		_________________________________
		James W. McKeand
		
		
		-----Original Message-----
		From: Rodman Frowert [mailto:frowertr at i dash 1 dot net]
		Sent: Tuesday, August 31, 2004 5:17 PM
		To: Dana Spiegel; Kevin Coleman
		Cc: m0n0wall at lists dot m0n0 dot ch
		Subject: Re: [m0n0wall] Setting up HotSpot
		
		I went ahead and changed everything over like you guys suggested.  My LAN is
		now on the LAN interface and my ADSL is now on the WAN interface and my
		access point is now on the OPT1 interface.  Now the configuration is as
		follows:
		
		WAN - IP is DHCP assigned by DSL provider
		LAN - IP is 192.168.1.1/24
		OPT - IP is 10.10.10.1/24 and DHCP is enabled to give wireless clients IP
		addresses in a range of 10.10.10.100 - 10.10.10.254
		
		But I can't get the OPT 1 interface working with my wireless laptop.  It
		doesn't even give out an IP address when I turn the laptop computer on (yes,
		it is configured to get an IP automatically).  I am guessing it is because I
		needed to make a firewall rule, but for the life of me I can't figure out
		the right rule I guess.  All I need is the OPT 1 to access the WAN and NOT
		the LAN.
		
		Any ideas or hints on what I am missing?
		
		Rodman
		
		
		From: "Dana Spiegel" <dana at sociableDESIGN dot com>
		To: "Kevin Coleman" <kevin at gabu dot com>
		Cc: <m0n0wall at lists dot m0n0 dot ch>
		Sent: Tuesday, August 31, 2004 8:59 AM
		Subject: Re: [m0n0wall] Setting up HotSpot
		

			I would also rethink your rules below. Only allowing those ports will
			make the hotspot very unusable.
			
			People put web servers on ports other than 80 and 443
			People use IMAP
			People use SMTP (and NYCwireless has a totally unrestricted network
			where we've never seen a spammer send out millions of spam messages)
			People use S/POP and S/IMAP
			People use PPTP and IPSEC vpns (this is a big one, especially since
			wireless hotspots are inherently insecure)
			People use SSH (and SSH on ports other than 22)
			People use other applications that make use of other ports
			
			Really your best bet is to put up the Captive Portal page, and set up
			your network as Kevin recommends below.
			
			Dana Spiegel
			Director, NYCwireless
			dana at nycwireless dot net
			www.nycwireless.net
			
			
			Kevin Coleman wrote:
			
				I'd take out the Linksys, put your 192.169.1.0/24 network on the LAN
				interface, your DSL/cable modem on the WAN interface, and connect
				your Wi-Fi AP to the DMZ interface.
				
				Then create a firewall rule that enables the DMZ to access the WAN.
				By default, LAN will be able to access the internet and DMZ will not
				be able to access the LAN.
				
				(K)
				
				-----Original Message-----
				From: Rodman Frowert [mailto:frowertr at i dash 1 dot net]
				Sent: Monday, August 30, 2004 9:16 PM
				To: m0n0wall at lists dot m0n0 dot ch
				Subject: [m0n0wall] Setting up HotSpot
				
				Hello.  After many hours of labor, I finally got m0n0 running today.
				I guess it pays to make sure you actually have a NIC chipset
				supported by FreeBSD...
				
				Anyway, I have a question or two about using m0n0 with a hotspot I am
				installing in my business.  I have a LAN behind my Linksys NAT
				router/switch with an IP/subnet range of 192.168.1.0/24.  Only 3
				computers connected to the switch.  What I am wanting to do is
				connect m0n0 right to the switch on my LAN (through m0n0 WAN device).
				Then I want to connect my wireless AP to the m0n0 box.  The problem
				is, I don't know if I should use the DMZ/OPT1 interface or the LAN
				interface.  I won't need anything connected to the LAN interface on
				the m0n0 box so could I actually just connect the AP to the LAN
				interface and my hotspot becomes "another lan" in effect?
				
				I then need to make sure m0n0 blocks all access to my actual "real"
				wired lan since all I want the wireless clients to do is surf and not
				sniff my network.  Would I simply need to set up a rule for the LAN
				interface that would block all outgoing traffic that had a
				destination of 192.168.1.0/24?
				
				Lastly, I need m0n0 to block access to everything the wireless
				clients can do except pop3, http, and https.  Would I simply add a
				set of allow rules to the LAN interface again, something to the idea
				of this:
				
				Proto    Source    Port    Destination    Port
				
				TCP      LAN net   *       *              80  (HTTP)
				TCP      LAN net   *       *              110 (POP3)
				TCP      LAN net   *       *              443 (HTTPS)
				
				Then at the bottom of those 3 rules have one that blocks EVERYTHING
				else?
				
				Thanks in advance for any help, guys!
				
				Rodman Frowert
				
				
				---------------------------------------------------------------------
				To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
				For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch