Thanks for everyone's help, guys. It is up and running today for the public! Just for kicks, I do have one additional question. Let's say I wanted to add a RADIUS server to the mix and only use the hotspot for our employees and NOT public access. Instead of adding another OPT interface in the m0n0 box, couldn't I simply connect the RADIUS server to the same switch the APs are on and simply give it an IP address in my 10.10.10.x/24 range I am using for my hotspot? Or would it be better to add another OPT device specifically for this purpose and change the address space to something like 10.10.11.x/24? The root of the question I am getting to is: does one really need a different OPT device for each different server (i.e. mail, DNS, FTP, web, etc...) or would the one be sufficient? I know this question also depends on traffic to the server, as I wouldn't want a heavily used web server on the same interface that is serving my wireless clients, as bandwidth problems may become an issue.

Rodman

----- Original Message -----
From: "James W. McKeand" <james at mckeand dot biz>
To: "'Dana Spiegel'" <dana at sociableDESIGN dot com>; "'Rodman Frowert'" <frowertr at i dash 1 dot net>
Cc: <m0n0wall at lists dot m0n0 dot ch>
Sent: Wednesday, September 01, 2004 2:01 PM
Subject: RE: [m0n0wall] Setting up HotSpot

> From http://www.iana.org/assignments/port-numbers (the best list of assigned
> ports...)
>
> netbios-ns   137/tcp   NETBIOS Name Service
> netbios-ns   137/udp   NETBIOS Name Service
> netbios-dgm  138/tcp   NETBIOS Datagram Service
> netbios-dgm  138/udp   NETBIOS Datagram Service
> netbios-ssn  139/tcp   NETBIOS Session Service
> netbios-ssn  139/udp   NETBIOS Session Service
>
> I have also heard of blocking:
>
> epmap        135/tcp   DCE endpoint resolution
> epmap        135/udp   DCE endpoint resolution
>
> And
>
> microsoft-ds 445/tcp   Microsoft-DS
> microsoft-ds 445/udp   Microsoft-DS
>
> Not sure on the 135
>
> _________________________________
> James W. McKeand
>
>
> ________________________________
>
> From: Dana Spiegel [mailto:dana at sociableDESIGN dot com]
> Sent: Wednesday, September 01, 2004 12:41 PM
> To: Rodman Frowert
> Cc: James W. McKeand; m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] Setting up HotSpot
>
>
> Telnet blocking is fine (no one should use it).
> Blocking FTP is your own choice. I don't think it's necessary, but that's
> entirely up to you.
>
> I'd also explicitly block virus ports (I think 135-139, which are popular
> Windows exploit ports). Does someone want to verify these for me, since I'm
> not sure if they are exactly correct?
>
> Otherwise, I'd leave everything else open. Also, you might want to only
> redirect port 80/443, since those are the only ones where you can see the
> TOS. This will allow newer Wi-Fi VoIP phones to work without having to go
> through the captive portal (which they obviously can't do without a proper
> screen).
>
>
> D a n a  S p i e g e l
> s o c i a b l e D E S I G N :: www.sociableDESIGN.com
> 123 Bank Street, Suite 510, New York, NY 10014
> p +1 917 402 0422 :: e dana at sociableDESIGN dot com
>
>
>
> Rodman Frowert wrote:
>
> > Well, I went ahead and enabled traffic shaper to throttle SMTP bandwidth as
> > suggested, so that if a spammer does come in, he will only get a 50kbps
> > pipe. It seems to be working perfectly. I set up a mask as "source" on the
> > 50kbps pipe. According to what I have read, this will allow each client
> > that connects to get their own 50kbps pipe. My pipe looks like this:
> >
> > No.  Bandwidth   Delay  Mask    Description
> > 1    50 Kbit/s          source  50kbps Pipe
> >
> > And my rule looks like this:
> >
> > If         Proto  Source         Destination          Target       Description
> > Wi-Fi Nic  TCP    Wi-Fi Nic net  *  Port: 25 (SMTP)   50kbps Pipe  Mail Up-Stream Throttle
> >
> > I don't have a way to test if the mask is working, as I don't have two
> > wireless clients I can use to connect.
> > I guess I could make another traffic shaping rule for the LAN and test it
> > that way using a LAN computer and my laptop. Does everything look good
> > here?
> >
> > Also, I am thinking about blocking telnet and FTP access. I don't think
> > the everyday user of my hotspot is going to need these services. Is there
> > anything else I could be missing? Because this is public access, should
> > anything be explicitly blocked, or should I leave it all open and hope for
> > the best?
> >
> > Man, the captive portal rocks! I uploaded my own TOS agreement and it
> > looks great.
> >
> > Thanks for all your help, guys. I really appreciate it. I love this
> > program! Hopefully I can go "live" by tomorrow.
> >
> > Rodman
> >
> > ----- Original Message -----
> > From: "James W. McKeand" <james at mckeand dot biz>
> > To: "'Rodman Frowert'" <frowertr at i dash 1 dot net>
> > Cc: <m0n0wall at lists dot m0n0 dot ch>
> > Sent: Tuesday, August 31, 2004 4:37 PM
> > Subject: RE: [m0n0wall] Setting up HotSpot
> >
> > > Make a rule for your Opt1 interface with source of Opt1 Subnet (port
> > > any) and a destination not LAN Subnet (port any - for testing), then
> > > restrict destination ports if you want.
> > >
> > > _________________________________
> > > James W. McKeand
> > >
> > > -----Original Message-----
> > > From: Rodman Frowert [mailto:frowertr at i dash 1 dot net]
> > > Sent: Tuesday, August 31, 2004 5:17 PM
> > > To: Dana Spiegel; Kevin Coleman
> > > Cc: m0n0wall at lists dot m0n0 dot ch
> > > Subject: Re: [m0n0wall] Setting up HotSpot
> > >
> > > I went ahead and changed everything over like you guys suggested. My
> > > LAN is now on the LAN interface, my ADSL is now on the WAN interface,
> > > and my access point is now on the OPT1 interface.
> > > Now the configuration is as follows:
> > >
> > > WAN - IP is DHCP assigned by DSL provider
> > > LAN - IP is 192.168.1.1/24
> > > OPT - IP is 10.10.10.1/24 and DHCP is enabled to give wireless clients
> > >       IP addresses in a range of 10.10.10.100 - 10.10.10.254
> > >
> > > But I can't get the OPT 1 interface working with my wireless laptop. It
> > > doesn't even give out an IP address when I turn the laptop computer on
> > > (yes, it is configured to get an IP automatically). I am guessing it is
> > > because I needed to make a firewall rule, but for the life of me I can't
> > > figure out the right rule, I guess. All I need is the OPT 1 to access
> > > the WAN and NOT the LAN.
> > >
> > > Any ideas or hints on what I am missing?
> > >
> > > Rodman
> > >
> > > From: "Dana Spiegel" <dana at sociableDESIGN dot com>
> > > To: "Kevin Coleman" <kevin at gabu dot com>
> > > Cc: <m0n0wall at lists dot m0n0 dot ch>
> > > Sent: Tuesday, August 31, 2004 8:59 AM
> > > Subject: Re: [m0n0wall] Setting up HotSpot
> > >
> > > > I would also rethink your rules below. Only allowing those ports will
> > > > make the hotspot very unusable.
> > > >
> > > > People put web servers on ports other than 80 and 443
> > > > People use IMAP
> > > > People use SMTP (and NYCwireless has a totally unrestricted network
> > > >   where we've never seen a spammer send out millions of spam messages)
> > > > People use S/POP and S/IMAP
> > > > People use PPTP and IPSEC VPNs (this is a big one, especially since
> > > >   wireless hotspots are inherently insecure)
> > > > People use SSH (and SSH on ports other than 22)
> > > > People use other applications that make use of other ports
> > > >
> > > > Really, your best bet is to put up the Captive Portal page and set up
> > > > your network as Kevin recommends below.
> > > >
> > > > Dana Spiegel
> > > > Director, NYCwireless
> > > > dana at nycwireless dot net
> > > > www.nycwireless.net
> > > >
> > > > Kevin Coleman wrote:
> > > >
> > > > > I'd take out the Linksys, put your 192.169.1.0/24 network on the LAN
> > > > > interface, your DSL/cable modem on the WAN interface, and connect
> > > > > your Wi-Fi AP to the DMZ interface.
> > > > >
> > > > > Then create a firewall rule that enables the DMZ to access the WAN.
> > > > > By default, LAN will be able to access the internet and DMZ will not
> > > > > be able to access the LAN.
> > > > >
> > > > > (K)
> > > > >
> > > > > -----Original Message-----
> > > > > From: Rodman Frowert [mailto:frowertr at i dash 1 dot net]
> > > > > Sent: Monday, August 30, 2004 9:16 PM
> > > > > To: m0n0wall at lists dot m0n0 dot ch
> > > > > Subject: [m0n0wall] Setting up HotSpot
> > > > >
> > > > > Hello. After many hours of labor, I finally got m0n0 running today.
> > > > > I guess it pays to make sure you actually have a NIC chipset
> > > > > supported by FreeBSD...
> > > > >
> > > > > Anyway, I have a question or two about using m0n0 with a hotspot I
> > > > > am installing in my business. I have a LAN behind my Linksys NAT
> > > > > router/switch with an IP/subnet range of 192.168.1.0/24. Only 3
> > > > > computers are connected to the switch. What I am wanting to do is
> > > > > connect m0n0 right to the switch on my LAN (through the m0n0 WAN
> > > > > device). Then I want to connect my wireless AP to the m0n0 box. The
> > > > > problem is, I don't know if I should use the DMZ/OPT1 interface or
> > > > > the LAN interface. I won't need anything connected to the LAN
> > > > > interface on the m0n0 box, so could I actually just connect the AP
> > > > > to the LAN interface and my hotspot becomes "another LAN" in effect?
> > > > >
> > > > > I then need to make sure m0n0 blocks all access to my actual "real"
> > > > > wired LAN, since all I want the wireless clients to do is surf and
> > > > > not sniff my network. Would I simply need to set up a rule for the
> > > > > LAN interface that would block all outgoing traffic that had a
> > > > > destination of 192.168.1.0/24?
> > > > >
> > > > > Lastly, I need m0n0 to block access to everything the wireless
> > > > > clients can do except POP3, HTTP, and HTTPS. Would I simply add a
> > > > > set of allow rules to the LAN interface, again something to the
> > > > > idea of this:
> > > > >
> > > > > Proto  Source   Port  Destination  Port
> > > > > TCP    LAN net  *     *            80 (HTTP)
> > > > > TCP    LAN net  *     *            110 (POP3)
> > > > > TCP    LAN net  *     *            443 (HTTPS)
> > > > >
> > > > > Then at the bottom of those 3 rules have one that blocks EVERYTHING
> > > > > else?
> > > > >
> > > > > Thanks in advance for any help, guys!
> > > > >
> > > > > Rodman Frowert
> > > > >
> > > > > ---------------------------------------------------------------------
> > > > > To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> > > > > For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
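The two OPT1 rule sets argued over in this thread, Rodman's first "allow 80/110/443 to anywhere, then block the rest" draft and James's "source OPT1 subnet, destination NOT LAN subnet, any port" rule with the IANA NetBIOS/epmap/Microsoft-DS ports blocked in front of it, can be checked without a second wireless client by running sample flows through a small first-match evaluator. The following is an added example written for this page, not m0n0wall code and not anything posted by the thread's participants; it only loosely mirrors the m0n0wall rule table. It assumes the addressing from the thread (LAN 192.168.1.0/24, OPT1 10.10.10.0/24), uses 198.51.100.7 as a stand-in host on the Internet, and constructs its own sample traffic. The point it makes is the one Kevin and James were driving at: with destination `*` rather than "not LAN subnet", the allow-list lets a hotspot client reach a wired LAN machine on port 80, while it still blocks the IMAPS and IPsec traffic Dana lists as things people actually use.

```python
"""
First-match packet-filter evaluator for the two OPT1 (hotspot) policies
debated in the thread. Added example; not m0n0wall code. Addresses are
assumptions taken from the thread (LAN 192.168.1.0/24, OPT1 10.10.10.0/24)
plus a TEST-NET-2 address standing in for "a host on the Internet".
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

LAN_NET = ipaddress.ip_network("192.168.1.0/24")
OPT1_NET = ipaddress.ip_network("10.10.10.0/24")

# NetBIOS name/datagram/session, DCE endpoint mapper and Microsoft-DS:
# the ports James quoted from the IANA registry.
WINDOWS_FILE_SHARING = frozenset({135, 137, 138, 139, 445})


@dataclass(frozen=True)
class Rule:
    action: str                           # "pass" or "block"
    proto: Optional[str] = None           # "tcp", "udp" or None for any protocol
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    dst_not: bool = False                 # like the "not" box on a m0n0wall destination
    dports: FrozenSet[int] = frozenset()  # empty means any destination port
    note: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None:
        in_dst = ipaddress.ip_address(pkt.dst) in rule.dst
        # With dst_not set the rule matches only when the destination is OUTSIDE dst.
        if in_dst == rule.dst_not:
            return False
    if rule.dports and pkt.dport not in rule.dports:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; traffic nothing passes on an OPT interface is denied."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.note
    return "block", "implicit default deny"


# Policy A: James's advice, with the Windows file-sharing ports blocked ahead of it.
OPEN_POLICY = [
    Rule("block", "tcp", OPT1_NET, None, dports=WINDOWS_FILE_SHARING, note="drop NetBIOS/epmap/SMB tcp"),
    Rule("block", "udp", OPT1_NET, None, dports=WINDOWS_FILE_SHARING, note="drop NetBIOS/epmap/SMB udp"),
    Rule("pass", None, OPT1_NET, LAN_NET, dst_not=True, note="OPT1 net -> ! LAN net, any port"),
]

# Policy B: Rodman's first draft. Destination is "*", not "not LAN subnet".
ALLOWLIST_POLICY = [
    Rule("pass", "tcp", OPT1_NET, None, dports=frozenset({80, 110, 443}), note="web and POP3 only"),
    Rule("block", None, OPT1_NET, None, note="explicit block of everything else"),
]

# Constructed traffic from one hotspot client (assumed addresses, see module docstring).
SAMPLE_TRAFFIC: Dict[str, Packet] = {
    "https to internet": Packet("tcp", "10.10.10.100", "198.51.100.7", 443),
    "imaps to internet": Packet("tcp", "10.10.10.100", "198.51.100.7", 993),
    "ike to vpn gateway": Packet("udp", "10.10.10.100", "198.51.100.7", 500),
    "smb to internet": Packet("tcp", "10.10.10.100", "198.51.100.7", 445),
    "http to LAN host": Packet("tcp", "10.10.10.100", "192.168.1.10", 80),
    "smb to LAN host": Packet("tcp", "10.10.10.100", "192.168.1.10", 445),
}


def decisions(rules: List[Rule]) -> Dict[str, str]:
    """Map each sample flow name to the action the policy takes on it."""
    return {name: evaluate(rules, pkt)[0] for name, pkt in SAMPLE_TRAFFIC.items()}


if __name__ == "__main__":
    for title, policy in (("open, not LAN", OPEN_POLICY), ("80/110/443 allow-list", ALLOWLIST_POLICY)):
        print(f"== {title} ==")
        for name, pkt in SAMPLE_TRAFFIC.items():
            action, note = evaluate(policy, pkt)
            print(f"  {name:<20} {action:<5} ({note})")
```

Run stand-alone it prints both decision tables side by side. Under the open policy the LAN host is unreachable on every port because the "not LAN net" pass rule never matches it and nothing else does, so the default deny takes over; under the allow-list the LAN web port is reachable, which is exactly the hole the thread's "block 192.168.1.0/24" question was about.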