Lots of people are blocking all standard MS ports - things like the SQL server port, etc... Not sure of the number off the top of my head... also, the SMTP servers... people should only be using your own - I'm not talking about 587, which is authenticated, I'm talking about 25 - there is no good reason to allow people on your network to access another host's SMTP - this is how some viruses / trojans spread or carry out their intended task - probing for open relays etc. Access to remote port 25 should be blocked and only allowed for specific destination hosts. Some ISPs are doing this in their infrastructure which, though a good idea, can be a nasty surprise when they don't document it or inform their users. Modern mail servers allow authenticated-only access on port 587 (message submission) so that is a safe port to allow communication on.

This stuff should be in a wiki. How's that wiki coming?

m/

> -----Original Message-----
> From: Rodman Frowert [mailto:frowertr at i dash 1 dot net]
> Sent: Wednesday, September 01, 2004 2:56 PM
> To: James W. McKeand; 'Dana Spiegel'
> Cc: m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] Setting up HotSpot
>
> I assume that I want to block these ports going out of m0n0 because it is
> already blocked coming into my WAN device, correct? Basically I am blocking
> my clients from sending out these requests, correct?
>
> Rodman
>
> ----- Original Message -----
> From: "James W. McKeand" <james at mckeand dot biz>
> To: "'Dana Spiegel'" <dana at sociableDESIGN dot com>; "'Rodman Frowert'" <frowertr at i dash 1 dot net>
> Cc: <m0n0wall at lists dot m0n0 dot ch>
> Sent: Wednesday, September 01, 2004 2:01 PM
> Subject: RE: [m0n0wall] Setting up HotSpot
>
> > From http://www.iana.org/assignments/port-numbers (the best list of assigned ports...)
> >
> > netbios-ns    137/tcp  NETBIOS Name Service
> > netbios-ns    137/udp  NETBIOS Name Service
> > netbios-dgm   138/tcp  NETBIOS Datagram Service
> > netbios-dgm   138/udp  NETBIOS Datagram Service
> > netbios-ssn   139/tcp  NETBIOS Session Service
> > netbios-ssn   139/udp  NETBIOS Session Service
> >
> > I have also heard of blocking:
> >
> > epmap         135/tcp  DCE endpoint resolution
> > epmap         135/udp  DCE endpoint resolution
> >
> > And
> >
> > microsoft-ds  445/tcp  Microsoft-DS
> > microsoft-ds  445/udp  Microsoft-DS
> >
> > Not sure on the 135
> >
> > _________________________________
> > James W. McKeand
> >
> > ________________________________
> >
> > From: Dana Spiegel [mailto:dana at sociableDESIGN dot com]
> > Sent: Wednesday, September 01, 2004 12:41 PM
> > To: Rodman Frowert
> > Cc: James W. McKeand; m0n0wall at lists dot m0n0 dot ch
> > Subject: Re: [m0n0wall] Setting up HotSpot
> >
> > Telnet blocking is fine (no one should use it)
> > Blocking FTP is your own choice. I don't think it's necessary, but that's entirely up to you.
> >
> > I'd also explicitly block virus ports (I think 135-139, which are popular windows exploit ports). Does someone want to verify these for me, since I'm not sure if they are exactly correct?
> >
> > Otherwise, I'd leave everything else open. Also, you might want to only redirect port 80/443 since those are the only ones where you can see the TOS. This will allow newer Wi-fi VOIP phones to work without having to go through the captive portal (which they obviously can't do without a proper screen).
> >
> > D a n a   S p i e g e l
> > s o c i a b l e D E S I G N :: www.sociableDESIGN.com
> > 123 Bank Street, Suite 510, New York, NY 10014
> > p +1 917 402 0422 :: e dana at sociableDESIGN dot com
> >
> > Rodman Frowert wrote:
> >
> > Well I went ahead and enabled traffic shaper to throttle SMTP bandwidth as suggested so that if a spammer does come in, he will only get a 50kbps pipe. It seems to be working perfectly. I setup a mask as "source" on the 50kbps pipe. According to what I have read, this will allow each client that connects to get their own 50kbps pipe. My pipe looks like this:
> >
> > No.  Bandwidth   Delay  Mask    Description
> > 1    50 Kbit/s          source  50kbps Pipe
> >
> > And my rule looks like this:
> >
> > If         Proto  Source         Destination        Target       Description
> > Wi-Fi Nic  TCP    Wi-Fi Nic net  * Port: 25 (SMTP)  50kbps Pipe  Mail Up-Stream Throttle
> >
> > I don't have a way to test if the mask is working as I don't have two wireless clients I can use to connect. I guess I could make another traffic shaping rule for the LAN and test it that way using a LAN computer and my laptop. Does everything look good here?
> >
> > Also, I am thinking about blocking telnet and FTP access. I don't think the everyday user to my hotspot is going to need these services. Is there anything else I could be missing? Because this is public access, should anything be explicitly blocked or should I leave it all open and hope for the best?
> >
> > Man, the captive portal rocks! I uploaded my own TOS agreement and it looks great.
> >
> > Thanks for all your help guys. I really appreciate it. I love this program! Hopefully I can go "live" by tomorrow.
> >
> > Rodman
> >
> > ----- Original Message -----
> > From: "James W. McKeand" <james at mckeand dot biz>
> > To: "'Rodman Frowert'" <frowertr at i dash 1 dot net>
> > Cc: <m0n0wall at lists dot m0n0 dot ch>
> > Sent: Tuesday, August 31, 2004 4:37 PM
> > Subject: RE: [m0n0wall] Setting up HotSpot
> >
> > Make a rule for your Opt1 interface with source of Opt1 Subnet (port any) and a destination not LAN Subnet (port any - for testing) then restrict destination ports if you want.
> >
> > _________________________________
> > James W. McKeand
> >
> > -----Original Message-----
> > From: Rodman Frowert [mailto:frowertr at i dash 1 dot net]
> > Sent: Tuesday, August 31, 2004 5:17 PM
> > To: Dana Spiegel; Kevin Coleman
> > Cc: m0n0wall at lists dot m0n0 dot ch
> > Subject: Re: [m0n0wall] Setting up HotSpot
> >
> > I went ahead and changed everything over like you guys suggested. My LAN is now on the LAN interface and my ADSL is now on the WAN interface and my access point is now on the OPT1 interface. Now the configuration is as follows:
> >
> > WAN - IP is DHCP assigned by DSL provider
> > LAN - IP is 192.168.1.1/24
> > OPT - IP is 10.10.10.1/24 and DHCP is enabled to give wireless clients IP addresses in a range of 10.10.10.100 - 10.10.10.254
> >
> > But I can't get the OPT 1 interface working with my wireless laptop. It doesn't even give out an IP address when I turn the laptop computer on (yes, it is configured to get an IP automatically). I am guessing it is because I needed to make a firewall rule, but for the life of me I can't figure out the right rule I guess. All I need is the OPT 1 to access the WAN and NOT the LAN.
> >
> > Any ideas or hints on what I am missing?
> >
> > Rodman
> >
> > From: "Dana Spiegel" <dana at sociableDESIGN dot com>
> > To: "Kevin Coleman" <kevin at gabu dot com>
> > Cc: <m0n0wall at lists dot m0n0 dot ch>
> > Sent: Tuesday, August 31, 2004 8:59 AM
> > Subject: Re: [m0n0wall] Setting up HotSpot
> >
> > I would also rethink your rules below. Only allowing those ports will make the hotspot very unusable.
> >
> > People put web servers on ports other than 80 and 443
> > People use IMAP
> > People use SMTP (and NYCwireless has a totally unrestricted network where we've never seen a spammer send out millions of spam messages)
> > People use S/POP and S/IMAP
> > People use PPTP and IPSEC vpns (this is a big one, especially since wireless hotspots are inherently insecure)
> > People use SSH (and SSH on ports other than 22)
> > People use other applications that make use of other ports
> >
> > Really your best bet is to put up the Captive Portal page, and set up your network as Kevin recommends below.
> >
> > Dana Spiegel
> > Director, NYCwireless
> > dana at nycwireless dot net
> > www.nycwireless.net
> >
> > Kevin Coleman wrote:
> >
> > I'd take out the Linksys, put your 192.169.1.0/24 network on the LAN interface, your DSL/cable modem on the WAN interface, and connect your Wi-Fi AP to the DMZ interface.
> >
> > Then create a firewall rule that enables the DMZ to access the WAN. By default, LAN will be able to access the internet and DMZ will not be able to access the LAN.
> >
> > (K)
> >
> > -----Original Message-----
> > From: Rodman Frowert [mailto:frowertr at i dash 1 dot net]
> > Sent: Monday, August 30, 2004 9:16 PM
> > To: m0n0wall at lists dot m0n0 dot ch
> > Subject: [m0n0wall] Setting up HotSpot
> >
> > Hello. After many hours of labor, I finally got m0n0 running today. I guess it pays to make sure you actually have a NIC chipset supported by FreeBSD...
> >
> > Anyway, I have a question or two about using m0n0 with a hotspot I am installing in my business. I have a LAN behind my Linksys NAT router/switch with an IP/subnet range of 192.168.1.0/24. Only 3 computers connected to the switch. What I am wanting to do is connect m0n0 right to the switch on my LAN (through m0n0 WAN device). Then I want to connect my wireless AP to the m0n0 box. The problem is, I don't know if I should use the DMZ/OPT1 interface or the LAN interface. I won't need anything connected to the LAN interface on the m0n0 box so could I actually just connect the AP to the LAN interface and my hotspot becomes "another lan" in effect?
> >
> > I then need to make sure m0n0 blocks all access to my actual "real" wired lan since all I want the wireless clients to do is surf and not sniff my network. Would I simply need to setup a rule for the LAN interface that would block all outgoing traffic that had a destination of 192.168.1.0/24?
> >
> > Lastly, I need m0n0 to block access to everything the wireless clients can do except pop3, http, and https. Would I simply add a set of allow rules to the LAN interface again something to the idea of this:
> >
> > Proto  Source   Port  Destination  Port
> > TCP    LAN net  *     *            80 (HTTP)
> > TCP    LAN net  *     *            110 (POP3)
> > TCP    LAN net  *     *            443 (HTTPS)
> >
> > Then at the bottom of those 3 rules have one that blocks EVERYTHING else?
> >
> > Thanks in advance for any help, guys!
> >
> > Rodman Frowert
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> > For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
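The thread converges on a small egress policy for the hotspot interface: keep wireless clients off the wired LAN, block the Windows NetBIOS/RPC/SMB ports (135-139, 445, tcp and udp), block outbound SMTP on port 25 except to your own mail host, and allow authenticated submission on 587 and everything else. The following is an added example (not m0n0wall code, and not posted by anyone in the thread) that models that rule list as a first-match packet filter so the ordering can be checked against constructed flows before it is typed into a firewall. The hotspot subnet follows the thread (10.10.10.0/24); the permitted relay address 203.0.113.25 and the sample flows are constructed for this example.

```python
"""First-match egress policy for a wireless hotspot interface (added example).

Models the rule set discussed in the thread: the order matters, because a packet
filter stops at the first rule that matches, so the narrow "pass SMTP to our
relay" rule must sit above the broad "block SMTP" rule.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Iterable, List, Optional, Tuple

HOTSPOT_NET = ip_network("10.10.10.0/24")          # OPT1 subnet from the thread
WIRED_LAN = ip_network("192.168.1.0/24")            # the LAN that must stay unreachable
ALLOWED_SMTP_RELAY = ip_address("203.0.113.25")     # constructed: the one SMTP host we permit

# 135-139 per Dana's suggestion, 445 per James's IANA excerpt; same list for tcp and udp.
MS_PORTS = (135, 136, 137, 138, 139, 445)


@dataclass(frozen=True)
class Rule:
    action: str                                  # "pass" or "block"
    proto: Optional[str] = None                  # "tcp", "udp", or None for any
    dst_net: Optional[IPv4Network] = None        # match if destination is inside this net
    dst_host: Optional[IPv4Address] = None       # match only this destination address
    dst_ports: Tuple[int, ...] = ()              # empty tuple means any destination port
    description: str = ""

    def matches(self, proto: str, dst: IPv4Address, dport: int) -> bool:
        if self.proto is not None and self.proto != proto:
            return False
        if self.dst_net is not None and dst not in self.dst_net:
            return False
        if self.dst_host is not None and dst != self.dst_host:
            return False
        if self.dst_ports and dport not in self.dst_ports:
            return False
        return True


POLICY: List[Rule] = [
    Rule("block", dst_net=WIRED_LAN, description="keep hotspot clients off the wired LAN"),
    Rule("block", proto="tcp", dst_ports=MS_PORTS, description="NetBIOS/epmap/microsoft-ds (tcp)"),
    Rule("block", proto="udp", dst_ports=MS_PORTS, description="NetBIOS/epmap/microsoft-ds (udp)"),
    Rule("pass", proto="tcp", dst_host=ALLOWED_SMTP_RELAY, dst_ports=(25,),
         description="SMTP only to our own relay"),
    Rule("block", proto="tcp", dst_ports=(25,), description="no other outbound SMTP"),
    Rule("pass", description="default: port 587 and everything else is allowed"),
]


def evaluate(policy: Iterable[Rule], proto: str, src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Return (action, description) of the first matching rule for one flow.

    Flows that do not originate from the hotspot subnet are rejected up front,
    mirroring an interface rule whose source is "OPT1 subnet".
    """
    src_addr, dst_addr = ip_address(src), ip_address(dst)
    if src_addr not in HOTSPOT_NET:
        return ("block", "source is not a hotspot client")
    for rule in policy:
        if rule.matches(proto, dst_addr, dport):
            return (rule.action, rule.description)
    return ("block", "implicit deny")  # only reached if no default rule is present


def audit(policy: Iterable[Rule], flows: Iterable[Tuple[str, str, str, int]]) -> List[Tuple[Tuple[str, str, str, int], str]]:
    """Evaluate a batch of (proto, src, dst, dport) flows; returns each flow with its action."""
    policy = list(policy)
    return [(flow, evaluate(policy, *flow)[0]) for flow in flows]


# Constructed sample flows (198.51.100.0/24 is documentation space, standing in for "the internet").
SAMPLE_FLOWS = [
    ("tcp", "10.10.10.101", "192.168.1.5", 80),      # wired LAN: blocked regardless of port
    ("tcp", "10.10.10.101", "198.51.100.7", 445),    # SMB to the internet: blocked
    ("udp", "10.10.10.101", "198.51.100.7", 137),    # NetBIOS name service: blocked
    ("tcp", "10.10.10.101", "203.0.113.25", 25),     # SMTP to our relay: passed
    ("tcp", "10.10.10.101", "198.51.100.7", 25),     # SMTP anywhere else: blocked
    ("tcp", "10.10.10.101", "198.51.100.7", 587),    # authenticated submission: passed
    ("tcp", "10.10.10.101", "198.51.100.7", 8443),   # web on a non-standard port: passed
    ("tcp", "192.168.1.5", "198.51.100.7", 80),      # not a hotspot source: blocked
]

if __name__ == "__main__":
    for flow, action in audit(POLICY, SAMPLE_FLOWS):
        print(f"{action:5s} {flow[0]} {flow[1]} -> {flow[2]}:{flow[3]}")
```

Swapping the order of the two SMTP rules silently breaks mail for the hotspot: the broad block would match first and the relay exception would never be reached. Running the audit after any reordering catches that before it reaches the firewall.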