 From:  Dana Spiegel <dana at sociableDESIGN dot com>
 To:  Rodman Frowert <frowertr at i dash 1 dot net>
 Cc:  "James W. McKeand" <james at mckeand dot biz>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Setting up HotSpot
 Date:  Wed, 01 Sep 2004 18:10:23 -0400
correct.

D a n a   S p i e g e l
s o c i a b l e D E S I G N  ::  www.sociableDESIGN.com
123 Bank Street, Suite 510, New York, NY 10014
p  +1 917 402 0422  ::  e  dana at sociableDESIGN dot com


Rodman Frowert wrote:

>I assume that I want to block these ports going out of m0n0 because they are
>already blocked coming into my WAN device, correct?  Basically I am blocking
>my clients from sending out these requests, correct?
>
>Rodman
>----- Original Message ----- 
>From: "James W. McKeand" <james at mckeand dot biz>
>To: "'Dana Spiegel'" <dana at sociableDESIGN dot com>; "'Rodman Frowert'"
><frowertr at i dash 1 dot net>
>Cc: <m0n0wall at lists dot m0n0 dot ch>
>Sent: Wednesday, September 01, 2004 2:01 PM
>Subject: RE: [m0n0wall] Setting up HotSpot
>
>
>>From http://www.iana.org/assignments/port-numbers (the best list of assigned
>>ports...)
>>
>>netbios-ns      137/tcp    NETBIOS Name Service
>>netbios-ns      137/udp    NETBIOS Name Service
>>netbios-dgm     138/tcp    NETBIOS Datagram Service
>>netbios-dgm     138/udp    NETBIOS Datagram Service
>>netbios-ssn     139/tcp    NETBIOS Session Service
>>netbios-ssn     139/udp    NETBIOS Session Service
>>
>>I have also heard of blocking:
>>
>>epmap           135/tcp    DCE endpoint resolution
>>epmap           135/udp    DCE endpoint resolution
>>
>>And
>>
>>microsoft-ds    445/tcp    Microsoft-DS
>>microsoft-ds    445/udp    Microsoft-DS
>>
>>Not sure on the 135
>>
>>_________________________________
>>James W. McKeand
>>
>>
>>________________________________
>>
>>From: Dana Spiegel [mailto:dana at sociableDESIGN dot com]
>>Sent: Wednesday, September 01, 2004 12:41 PM
>>To: Rodman Frowert
>>Cc: James W. McKeand; m0n0wall at lists dot m0n0 dot ch
>>Subject: Re: [m0n0wall] Setting up HotSpot
>>
>>
>>Telnet blocking is fine (no one should use it)
>>Blocking FTP is your own choice. I don't think it's necessary, but that's
>>entirely up to you.
>>
>>I'd also explicitly block virus ports (I think 135-139, which are popular
>>windows exploit ports). Does someone want to verify these for me, since I'm
>>not sure if they are exactly correct?
>>
>>Otherwise, I'd leave everything else open. Also, you might want to only
>>redirect port 80/443 since those are the only ones where you can see the
>>TOS. This will allow newer Wi-fi VOIP phones to work without having to go
>>through the captive portal (which they obviously can't do without a proper
>>screen).
>>
>>
>>D a n a   S p i e g e l
>>s o c i a b l e D E S I G N  ::  www.sociableDESIGN.com
>>123 Bank Street, Suite 510, New York, NY 10014
>>p  +1 917 402 0422  ::  e  dana at sociableDESIGN dot com
>>
>>
>>
>>Rodman Frowert wrote:
>>
>>Well I went ahead and enabled traffic shaper to throttle SMTP bandwidth as
>>suggested so that if a spammer does come in, he will only get a 50kbps pipe.
>>It seems to be working perfectly.  I set up a mask as "source" on the 50kbps
>>pipe.  According to what I have read, this will allow each client that
>>connects to get their own 50kbps pipe.  My pipe looks like this:
>>
>>      No.  Bandwidth   Delay  Mask    Description
>>      1    50 Kbit/s          source  50kbps Pipe
>>
>>
>>
>>And my rule looks like this:
>>
>>      If         Proto  Source         Destination         Target       Description
>>      Wi-Fi Nic  TCP    Wi-Fi Nic net  *  Port: 25 (SMTP)  50kbps Pipe  Mail Up-Stream Throttle
>>
>>
>>
>>I don't have a way to test if the mask is working as I don't have two
>>wireless clients I can use to connect.  I guess I could make another traffic
>>shaping rule for the LAN and test it that way using a LAN computer and my
>>laptop.  Does everything look good here?
>>
>>Also, I am thinking about blocking telnet and FTP access.  I don't think the
>>everyday user to my hotspot is going to need these services.  Is there
>>anything else I could be missing?  Because this is public access, should
>>anything be explicitly blocked or should I leave it all open and hope for
>>the best?
>>
>>Man, the captive portal rocks!  I uploaded my own TOS agreement and it
>>looks great.
>>
>>Thanks for all your help guys.  I really appreciate it.  I love this
>>program!  Hopefully I can go "live" by tomorrow.
>>
>>Rodman
>>
>>----- Original Message -----
>>From: "James W. McKeand" <james at mckeand dot biz>
>>To: "'Rodman Frowert'" <frowertr at i dash 1 dot net>
>>Cc: <m0n0wall at lists dot m0n0 dot ch>
>>Sent: Tuesday, August 31, 2004 4:37 PM
>>Subject: RE: [m0n0wall] Setting up HotSpot
>>
>>
>>
>>
>>Make a rule for your Opt1 interface with source of Opt1 Subnet (port any)
>>and a destination not LAN Subnet (port any - for testing) then restrict
>>destination ports if you want.
>>
>>_________________________________
>>James W. McKeand
>>
>>
>>-----Original Message-----
>>From: Rodman Frowert [mailto:frowertr at i dash 1 dot net]
>>Sent: Tuesday, August 31, 2004 5:17 PM
>>To: Dana Spiegel; Kevin Coleman
>>Cc: m0n0wall at lists dot m0n0 dot ch
>>Subject: Re: [m0n0wall] Setting up HotSpot
>>
>>I went ahead and changed everything over like you guys suggested.  My LAN is
>>now on the LAN interface and my ADSL is now on the WAN interface and my
>>access point is now on the OPT1 interface.  Now the configuration is as
>>follows:
>>
>>WAN - IP is DHCP assigned by DSL provider
>>LAN - IP is 192.168.1.1/24
>>OPT - IP is 10.10.10.1/24 and DHCP is enabled to give wireless clients IP
>>addresses in a range of 10.10.10.100 - 10.10.10.254
>>
>>But I can't get the OPT 1 interface working with my wireless laptop.  It
>>doesn't even give out an IP address when I turn the laptop computer on (yes,
>>it is configured to get an IP automatically).  I am guessing it is because I
>>needed to make a firewall rule, but for the life of me I can't figure out
>>the right rule I guess.  All I need is the OPT 1 to access the WAN and NOT
>>the LAN.
>>
>>Any ideas or hints on what I am missing?
>>
>>Rodman
>>
>>
>>From: "Dana Spiegel" <dana at sociableDESIGN dot com>
>>To: "Kevin Coleman" <kevin at gabu dot com>
>>Cc: <m0n0wall at lists dot m0n0 dot ch>
>>
>>Sent: Tuesday, August 31, 2004 8:59 AM
>>Subject: Re: [m0n0wall] Setting up HotSpot
>>
>>
>>
>>
>>I would also rethink your rules below. Only allowing those ports will
>>make the hotspot very unusable.
>>
>>People put web servers on ports other than 80 and 443
>>People use IMAP
>>People use SMTP (and NYCwireless has a totally unrestricted network
>>where we've never seen a spammer send out millions of spam messages)
>>People use S/POP and S/IMAP
>>People use PPTP and IPSEC vpns (this is a big one, especially since
>>wireless hotspots are inherently insecure)
>>People use SSH (and SSH on ports other than 22)
>>People use other applications that make use of other ports
>>
>>Really your best bet is to put up the Captive Portal page, and set up
>>your network as Kevin recommends below.
>>
>>Dana Spiegel
>>Director, NYCwireless
>>dana at nycwireless dot net
>>www.nycwireless.net
>>
>>
>>
>>Kevin Coleman wrote:
>>
>>
>>
>>I'd take out the Linksys, put your 192.169.1.0/24 network on the LAN
>>interface, your DSL/cable modem on the WAN interface, and connect
>>your Wi-Fi AP to the DMZ interface.
>>
>>Then create a firewall rule that enables the DMZ to access the WAN.
>>By default, LAN will be able to access the internet and DMZ will not
>>be able to access the LAN.
>>
>>(K)
>>
>>-----Original Message-----
>>From: Rodman Frowert [mailto:frowertr at i dash 1 dot net]
>>Sent: Monday, August 30, 2004 9:16 PM
>>To: m0n0wall at lists dot m0n0 dot ch
>>Subject: [m0n0wall] Setting up HotSpot
>>
>>Hello.  After many hours of labor, I finally got m0n0 running today.
>>I guess it pays to make sure you actually have a NIC chipset
>>supported by FreeBSD...
>>
>>Anyway, I have a question or two about using m0n0 with a hotspot I am
>>installing in my business.  I have a LAN behind my Linksys NAT
>>router/switch with an IP/subnet range of 192.168.1.0/24.  Only 3
>>computers connected to the switch.  What I am wanting to do is
>>connect m0n0 right to the switch on my LAN (through m0n0 WAN device).
>>Then I want to connect my wireless AP to the m0n0 box.  The problem
>>is, I don't know if I should use the DMZ/OPT1 interface or the LAN
>>interface.  I won't need anything connected to the LAN interface on
>>the m0n0 box so could I actually just connect the AP to the LAN
>>interface and my hotspot becomes "another lan" in effect?
>>
>>I then need to make sure m0n0 blocks all access to my actual "real"
>>wired lan since all I want the wireless clients to do is surf and not
>>sniff my network.  Would I simply need to set up a rule for the LAN
>>interface that would block all outgoing traffic that had a
>>destination of 192.168.1.0/24?
>>
>>Lastly, I need m0n0 to block access to everything the wireless
>>clients can do except pop3, http, and https.  Would I simply add a
>>set of allow rules to the LAN interface again something to the idea
>>of this:
>>
>>Proto    Source    Port    Destination    Port
>>TCP      LAN net   *       *              80  (HTTP)
>>TCP      LAN net   *       *              110 (POP3)
>>TCP      LAN net   *       *              443 (HTTPS)
>>
>>Then at the bottom of those 3 rules have one that blocks EVERYTHING
>>else?
>>
>>Thanks in advance for any help, guys!
>>
>>Rodman Frowert
>>
>>
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>>For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
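As an added example, not part of this thread and not m0n0wall's own code: the rule discussion above (James's "source Opt1 Subnet, destination not LAN Subnet" rule, the proposed outbound block of 135-139 and 445, and Rodman's question about putting a block-everything rule at the bottom) comes down to first-match evaluation of a per-interface rule list with an implicit default deny. The small Python model below uses the addressing Rodman gave (LAN 192.168.1.0/24, OPT1 10.10.10.0/24); the client address 10.10.10.100, the Internet address 198.51.100.7, the rule descriptions and the class and function names are constructed for the example.

```python
"""First-match firewall rule model for the hotspot setup discussed above.

Added example, not m0n0wall's code: m0n0wall compiles its GUI rules into
ipfw, and this only models the matching semantics that matter in the thread:
rules are tried top to bottom on the interface the packet enters, the first
match decides, and a packet matching nothing is dropped by the implicit
default deny.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Addressing from the thread: LAN 192.168.1.1/24, OPT1 (hotspot) 10.10.10.1/24.
LAN_NET = ip_network("192.168.1.0/24")
OPT1_NET = ip_network("10.10.10.0/24")

# Ports James listed for outbound blocking (epmap, NetBIOS, Microsoft-DS).
WINDOWS_PORTS = frozenset({135, 137, 138, 139, 445})


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                               # "pass" or "block"
    proto: Optional[str] = None               # None matches TCP and UDP
    src_net: Optional[IPv4Network] = None     # None matches any source
    dst_net: Optional[IPv4Network] = None     # None matches any destination
    dst_not: bool = False                     # the GUI's "not" box on destination
    dports: Optional[frozenset] = None        # None matches any destination port
    descr: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.src_net is not None and ip_address(pkt.src) not in self.src_net:
            return False
        if self.dst_net is not None:
            in_dst = ip_address(pkt.dst) in self.dst_net
            # With "not" set the rule matches only destinations OUTSIDE dst_net.
            if in_dst == self.dst_not:
                return False
        if self.dports is not None and pkt.dport not in self.dports:
            return False
        return True


def evaluate(rules, pkt: Packet):
    """Return (action, description) of the first matching rule, else default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.descr
    return "block", "implicit default deny"


# OPT1 rule set as the thread converges on it: the port blocks sit ABOVE the
# broad pass rule, because the first match wins.
OPT1_RULES = [
    Rule("block", src_net=OPT1_NET, dports=WINDOWS_PORTS,
         descr="block Windows RPC/NetBIOS/SMB from hotspot"),
    Rule("pass", src_net=OPT1_NET, dst_net=LAN_NET, dst_not=True,
         descr="OPT1 net -> !LAN net"),
]

if __name__ == "__main__":
    # Constructed traffic from a hotspot client; 198.51.100.7 stands in for a
    # host on the Internet.
    client = "10.10.10.100"
    for pkt in (
        Packet("tcp", client, "198.51.100.7", 80),    # web browsing: pass
        Packet("tcp", client, "198.51.100.7", 22),    # SSH stays open: pass
        Packet("tcp", client, "198.51.100.7", 445),   # SMB out: block
        Packet("udp", client, "198.51.100.7", 137),   # NetBIOS name: block
        Packet("tcp", client, "192.168.1.5", 80),     # wired LAN: default deny
    ):
        print(pkt, "->", evaluate(OPT1_RULES, pkt))
    # Same rules with the pass rule moved to the top: 445 now gets through.
    print("reordered:", evaluate(list(reversed(OPT1_RULES)),
                                 Packet("tcp", client, "198.51.100.7", 445)))
```

Two things the model makes visible that the thread only states in passing: the wired LAN needs no explicit block rule on OPT1, because the "not LAN net" pass rule simply fails to match and the implicit default deny takes over, and the port blocks only work when they are listed above the pass rule, since reversing the order lets 445 through.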