 
 From:  "Rodman Frowert" <frowertr at i dash 1 dot net>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Setting up HotSpot
 Date:  Thu, 2 Sep 2004 19:27:02 -0500
Why does the destination need to be OPT1, James, for the DNS rule?  Is this
in case the DNS forwarder should not work for some reason?

Rodman
----- Original Message ----- 
From: "James W. McKeand" <james at mckeand dot biz>
To: <m0n0wall at lists dot m0n0 dot ch>
Sent: Thursday, September 02, 2004 8:49 AM
Subject: RE: [m0n0wall] Setting up HotSpot


> Blocking outbound SMTP will break all but one of my three POP3/SMTP
> accounts, preventing me from using the said HotSpot to send email. (The one
> account that does not use port 25 is not using 587) If this HotSpot is for
> casual users or visitors to an office, blocking outbound port 25 would
> render its email partially useless (I could retrieve, but could not send).
>
> If I was doing this for a client with the purpose of allowing visitors to an
> office to use internet wirelessly (from the original post from Rodman), I
> would recommend the following outbound ports be open (set to pass):
>
> SMTP - Port 25
> POP3 - Port 110
> POP3 via SSL - Port 995
> IMAP - Port 143
> IMAP via SSL - Port 993
> HTTP - Port 80
> HTTPS - Port 443
> DNS - Port 53 (set the destination address to OPT1 - even with DNS forwarder
> enabled you do not want the OPT1 interface to drop DNS requests )
>
> I would recommend that all other outbound ports be closed (set to block).
> (i.e. Block "OPT1 subnet":any -> ! "LAN subnet":any)
>
> All of the above rules (except DNS) would have a destination address of
> *not* LAN (! LAN) to protect the LAN subnet from OPT1.
>
> Feedback, anyone...
>
> _________________________________
> James W. McKeand
>
> P.s. Please remove my name from replies - I am getting two copies of each of
> these emails (one directly - one from List)
>
>
> -----Original Message-----
> From: Mitch (WebCob) [mailto:mitch at webcob dot com]
> Sent: Wednesday, September 01, 2004 6:13 PM
> To: Rodman Frowert; James W. McKeand; 'Dana Spiegel'
> Cc: m0n0wall at lists dot m0n0 dot ch
> Subject: RE: [m0n0wall] Setting up HotSpot
>
> Lots of people are blocking all standard MS ports - things like the SQL
> server port, etc...
>
> Not sure of the number off the top of my head... also, the SMTP servers...
> people should only be using your own - I'm not talking about 587, which is
> authenticated, I'm talking about 25 - there is no good reason to allow
> people on your network to access another host's SMTP - this is how some virii
> / trojans spread or carry out their intended task - probing for open relays
> etc. Access to remote port 25's should be blocked and only allowed for
> specific destination hosts. Some ISP's are doing this in their
> infrastructure which though a good idea, can be a nasty surprise when they
> don't document it or inform their users.
>
> Modern mail servers allow authenticated only access on port 587 (message
> submission) so that is a safe port to allow communication on.
>
> This stuff should be in a wiki.
>
> How's that wiki coming?
>
> m/
>
> > -----Original Message-----
> > From: Rodman Frowert [mailto:frowertr at i dash 1 dot net]
> > Sent: Wednesday, September 01, 2004 2:56 PM
> > To: James W. McKeand; 'Dana Spiegel'
> > Cc: m0n0wall at lists dot m0n0 dot ch
> > Subject: Re: [m0n0wall] Setting up HotSpot
> >
> >
> > I assume that I want to block these ports going out of m0n0 because it
> > is already blocked coming into my WAN device, correct?  Basically I am
> > blocking my clients from sending out these requests, correct?
> >
> > Rodman
> > ----- Original Message -----
> > From: "James W. McKeand" <james at mckeand dot biz>
> > To: "'Dana Spiegel'" <dana at sociableDESIGN dot com>; "'Rodman Frowert'"
> > <frowertr at i dash 1 dot net>
> > Cc: <m0n0wall at lists dot m0n0 dot ch>
> > Sent: Wednesday, September 01, 2004 2:01 PM
> > Subject: RE: [m0n0wall] Setting up HotSpot
> >
> >
> > > From http://www.iana.org/assignments/port-numbers (the best list of
> > > assigned ports...)
> > >
> > > netbios-ns      137/tcp    NETBIOS Name Service
> > > netbios-ns      137/udp    NETBIOS Name Service
> > > netbios-dgm     138/tcp    NETBIOS Datagram Service
> > > netbios-dgm     138/udp    NETBIOS Datagram Service
> > > netbios-ssn     139/tcp    NETBIOS Session Service
> > > netbios-ssn     139/udp    NETBIOS Session Service
> > >
> > > I have also heard of blocking:
> > >
> > > epmap           135/tcp    DCE endpoint resolution
> > > epmap           135/udp    DCE endpoint resolution
> > >
> > > And
> > >
> > > microsoft-ds    445/tcp    Microsoft-DS
> > > microsoft-ds    445/udp    Microsoft-DS
> > >
> > > Not sure on the 135
> > >
> > > _________________________________
> > > James W. McKeand
> > >
> > >
> > > ________________________________
> > >
> > > From: Dana Spiegel [mailto:dana at sociableDESIGN dot com]
> > > Sent: Wednesday, September 01, 2004 12:41 PM
> > > To: Rodman Frowert
> > > Cc: James W. McKeand; m0n0wall at lists dot m0n0 dot ch
> > > Subject: Re: [m0n0wall] Setting up HotSpot
> > >
> > >
> > > Telnet blocking is fine (no one should use it) Blocking FTP is your
> > > own choice. I don't think it's necessary, but that's entirely up to
> > > you.
> > >
> > > I'd also explicitly block virus ports (I think 135-139, which are popular
> > > windows exploit ports). Does someone want to verify these for me,
> > > since I'm not sure if they are exactly correct?
> > >
> > > Otherwise, I'd leave everything else open. Also, you might want to
> > > only redirect port 80/443 since those are the only ones where you
> > > can see the TOS. This will allow newer Wi-fi VOIP phones to work
> > > without having to go through the captive portal (which they obviously
> > > can't do without a proper screen).
> > >
> > >
> > > D a n a   S p i e g e l
> > > s o c i a b l e D E S I G N  ::  www.sociableDESIGN.com
> > > 123 Bank Street, Suite 510, New York, NY 10014 p  +1 917 402 0422
> > > ::  e  dana at sociableDESIGN dot com
> > >
> > >
> > >
> > > Rodman Frowert wrote:
> > >
> > > Well I went ahead and enabled traffic shaper to throttle SMTP
> > > bandwidth as suggested so that if a spammer does come in, he will
> > > only get a 50kbps pipe.
> > > It seems to be working perfectly.  I setup a mask as "source" on the
> > > 50kbps pipe.  According to what I have read, this will allow each
> > > client that connects to get their own 50kbps pipe.  My pipe looks
> > > like this:
> > >
> > >   No.  Bandwidth  Delay  Mask    Description
> > >   1    50 Kbit/s         source  50kbps Pipe
> > >
> > > And my rule looks like this:
> > >
> > >   If         Proto  Source         Destination         Target       Description
> > >   Wi-Fi Nic  TCP    Wi-Fi Nic net  *  Port: 25 (SMTP)  50kbps Pipe  Mail Up-Stream Throttle
> > >
> > >
> > >
> > > I don't have a way to test if the mask is working as I don't have
> > > two wireless clients I can use to connect.  I guess I could make
> > > another traffic shaping rule for the LAN and test it that way using
> > > a LAN computer and my laptop.  Does everything look good here?
> > >
> > > Also, I am thinking about blocking telnet and FTP access.  I don't
> > > think the everyday user to my hotspot is going to need these
> > > services.  Is there anything else I could be missing.  Because this
> > > is public access, should anything be explicitly blocked or should I
> > > leave it all open and hope for the best?
> > >
> > > Man, the captive portal rocks!  I uploaded my own TOS agreement and
> > > it looks great.
> > >
> > > Thanks for all your help guys.  I really appreciate it.  I love this
> > > program!  Hopefully I can go "live" by tomorrow.
> > >
> > > Rodman
> > >
> > > ----- Original Message -----
> > > From: "James W. McKeand" <james at mckeand dot biz>
> > > To: "'Rodman Frowert'" <frowertr at i dash 1 dot net>
> > > Cc: <m0n0wall at lists dot m0n0 dot ch>
> > > Sent: Tuesday, August 31, 2004 4:37 PM
> > > Subject: RE: [m0n0wall] Setting up HotSpot
> > >
> > >
> > >
> > >
> > > Make a rule for your Opt1 interface with source of Opt1 Subnet (port
> > > any) and a destination not LAN Subnet (port any - for testing) then
> > > restrict destination ports if you want.
> > >
> > > _________________________________
> > > James W. McKeand
> > >
> > >
> > > -----Original Message-----
> > > From: Rodman Frowert [mailto:frowertr at i dash 1 dot net]
> > > Sent: Tuesday, August 31, 2004 5:17 PM
> > > To: Dana Spiegel; Kevin Coleman
> > > Cc: m0n0wall at lists dot m0n0 dot ch
> > > Subject: Re: [m0n0wall] Setting up HotSpot
> > >
> > > I went ahead and changed everything over like you guys suggested.
> > > My LAN is now on the LAN interface and my ADSL is now on the WAN
> > > interface and my access point is now on the OPT1 interface.  Now the
> > > configuration is as follows:
> > >
> > > WAN - IP is DHCP assigned by DSL provider
> > > LAN - IP is 192.168.1.1/24
> > > OPT - IP is 10.10.10.1/24 and DHCP is enabled to give wireless clients IP
> > > addresses in a range of 10.10.10.100 - 10.10.10.254
> > >
> > > But I can't get the OPT 1 interface working with my wireless laptop.
> > > It doesn't even give out an IP address when I turn the laptop
> > > computer on (yes, it is configured to get an IP automatically).  I am
> > > guessing it is because I needed to make a firewall rule, but for the
> > > life of me I can't figure out the right rule I guess.  All I need is
> > > the OPT 1 to access the WAN and NOT the LAN.
> > >
> > > Any ideas or hints on what I am missing?
> > >
> > > Rodman
> > >
> > >
> > > From: "Dana Spiegel" <dana at sociableDESIGN dot com>
> > > To: "Kevin Coleman" <kevin at gabu dot com>
> > > Cc: <m0n0wall at lists dot m0n0 dot ch>
> > > Sent: Tuesday, August 31, 2004 8:59 AM
> > > Subject: Re: [m0n0wall] Setting up HotSpot
> > >
> > >
> > >
> > >
> > > I would also rethink your rules below. Only allowing those ports
> > > will make the hotspot very unusable.
> > >
> > > People put web servers on ports other than 80 and 443
> > > People use IMAP
> > > People use SMTP (and NYCwireless has a totally unrestricted network
> > > where we've never seen a spammer send out millions of spam messages)
> > > People use S/POP and S/IMAP
> > > People use PPTP and IPSEC vpns (this is a big one, especially since
> > > wireless hotspots are inherently insecure)
> > > People use SSH (and SSH on ports other than 22)
> > > People use other applications that make use of other ports
> > >
> > > Really your best bet is to put up the Captive Portal page, and set
> > > up your network as Kevin recommends below.
> > >
> > > Dana Spiegel
> > > Director, NYCwireless
> > > dana at nycwireless dot net
> > > www.nycwireless.net
> > >
> > >
> > >
> > > Kevin Coleman wrote:
> > >
> > >
> > >
> > > I'd take out the Linksys, put your 192.169.1.0/24 network on the LAN
> > > interface, your DSL/cable modem on the WAN interface, and connect
> > > your Wi-Fi AP to the DMZ interface.
> > >
> > > Then create a firewall rule that enables the DMZ to access the WAN.
> > > By default, LAN will be able to access the internet and DMZ will not
> > > be able to access the LAN.
> > >
> > > (K)
> > >
> > > -----Original Message-----
> > > From: Rodman Frowert [mailto:frowertr at i dash 1 dot net]
> > > Sent: Monday, August 30, 2004 9:16 PM
> > > To: m0n0wall at lists dot m0n0 dot ch
> > > Subject: [m0n0wall] Setting up HotSpot
> > >
> > > Hello.  After many hours of labor, I finally got m0n0 running today.
> > > I guess it pays to make sure you actually have a NIC chipset
> > > supported by FreeBSD...
> > >
> > > Anyway, I have a question or two about using m0n0 with a hotspot I
> > > am installing in my business.  I have a LAN behind my Linksys Nat
> > > router/switch with an IP/subnet range of 192.168.1.0/24.  Only 3
> > > computers connected to the switch.  What I am wanting to do is
> > > connect m0n0 right to the switch on my LAN (through m0n0 WAN device).
> > > Then I want to connect my wireless AP to the m0n0 box.  The problem
> > > is, I don't know if I should use the DMZ/OPT1 interface or the LAN
> > > interface.  I won't need anything connected to the LAN interface on
> > > the m0n0 box so could I actually just connect the AP to the LAN
> > > interface and my hotspot becomes "another lan" in effect?
> > >
> > > I then need to make sure m0n0 blocks all access to my actual "real"
> > > wired lan since all I want the wireless clients to do is surf and not
> > > sniff my network.  Would I simply need to setup a rule for the LAN
> > > interface that would block all outgoing traffic that had a
> > > destination of 192.168.1.0/24?
> > >
> > > Lastly, I need m0n0 to block access to everything the wireless
> > > clients can do except pop3, http, and https.  Would I simply add a
> > > set of allow rules to the LAN interface again something to the idea
> > > of this:
> > >
> > > Proto    Source    Port    Destination    Port
> > >
> > > TCP      LAN net   *       *              80  (HTTP)
> > > TCP      LAN net   *       *              110 (POP3)
> > > TCP      LAN net   *       *              443 (HTTPS)
> > >
> > > Then at the bottom of those 3 rules have one that blocks EVERYTHING
> > > else?
> > >
> > > Thanks in advance for any help, guys!
> > >
> > > Rodman Frowert
> > >
> > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> > > For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
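A first-match evaluator for the OPT1 rule set James recommends in the thread, added here as an illustration and not code from the thread or from m0n0wall itself. It assumes Rodman's addresses (LAN 192.168.1.0/24, OPT1 10.10.10.1/24) and m0n0wall's top-down, first-match rule processing, and shows how the DNS rule with destination "OPT1 address" lets clients reach the forwarder while direct queries to outside resolvers fall through to the block rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Addresses from the thread: LAN 192.168.1.0/24, OPT1 (wireless) 10.10.10.1/24.
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")
OPT1_SUBNET = ipaddress.ip_network("10.10.10.0/24")
OPT1_ADDRESS = ipaddress.ip_address("10.10.10.1")  # where the DNS forwarder listens

@dataclass
class Rule:
    action: str                                     # "pass" or "block"
    proto: str                                      # "tcp", "udp" or "any"
    dst_port: Optional[int]                         # None matches any port
    dst_match: Callable[[ipaddress.IPv4Address], bool]
    description: str

def not_lan(ip): return ip not in LAN_SUBNET        # "! LAN subnet"
def opt1_iface(ip): return ip == OPT1_ADDRESS       # "OPT1 address"

# James's recommended OPT1 rule set, top to bottom. m0n0wall evaluates
# interface rules in order and the first match wins, so order matters.
MAIL_AND_WEB = [(25, "SMTP"), (110, "POP3"), (995, "POP3 via SSL"), (143, "IMAP"),
                (993, "IMAP via SSL"), (80, "HTTP"), (443, "HTTPS")]
RULES = [
    Rule("pass", "udp", 53, opt1_iface, "DNS to OPT1 address (forwarder)"),
    *[Rule("pass", "tcp", port, not_lan, f"{name} to ! LAN") for port, name in MAIL_AND_WEB],
    # James's explicit catch-all block; anything it misses (e.g. traffic to LAN)
    # still falls through to m0n0wall's implicit default deny below.
    Rule("block", "any", None, not_lan, "block everything else to ! LAN"),
]

def evaluate(proto: str, src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Return (action, matched rule) for one packet entering on OPT1."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip not in OPT1_SUBNET:                   # rules are "source OPT1 subnet"
        return ("block", "source is not OPT1 subnet")
    for rule in RULES:
        if (rule.proto in ("any", proto)
                and (rule.dst_port is None or rule.dst_port == dport)
                and rule.dst_match(dst_ip)):
            return (rule.action, rule.description)
    return ("block", "implicit default deny")

if __name__ == "__main__":
    for pkt in [("tcp", "10.10.10.100", "203.0.113.10", 443),   # web: pass
                ("tcp", "10.10.10.100", "192.168.1.5", 80),     # LAN web server: block
                ("udp", "10.10.10.100", "10.10.10.1", 53),      # DNS via forwarder: pass
                ("udp", "10.10.10.100", "203.0.113.53", 53)]:   # direct external DNS: block
        print(pkt, "->", evaluate(*pkt))
```

The 203.0.113.0/24 addresses are constructed documentation-range examples; swapping the DNS rule's destination to `not_lan` in `RULES` is a quick way to see that direct external DNS would then pass, which is the trade-off Rodman's question is about.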