 
 From:  "James W. McKeand" <james at mckeand dot biz>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Setting up HotSpot
 Date:  Fri, 3 Sep 2004 09:15:10 -0400
The DHCP on your OPT1 will give out the OPT1 IP as the DNS to clients. Thus,
the client machines will send DNS requests to the OPT1 interface with a
destination of the OPT1 IP. If you have a block all rule and do not specify
that DNS is allowed to the OPT1 interface, wouldn't the DNS request be
blocked? Remember the rules on each interface are checked from top to
bottom; if a packet matches a rule it is allowed (or blocked).

So, here is my thought process: packet comes in on OPT1 interface destined
to the OPT1 IP for DNS resolution. The packet does not match any of the
HTTP, HTTPS, POP3, or other *PASS* rules. The block *ALL* rule silently
drops the packet. No DNS.

If I am mistaken, please someone correct me...

Sorry if I am rambling; I am only halfway through my first cup of coffee...

_________________________________
James W. McKeand
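As an added illustration of the top-to-bottom, first-match evaluation described above (constructed example code, not from the thread and not part of m0n0wall): a small Python model of the OPT1 ruleset proposed earlier in the thread, using the addresses Rodman gave (OPT1 10.10.10.1/24, LAN 192.168.1.0/24). It assumes that "destination OPT1" means the OPT1 interface address, and it treats anything no rule matches as blocked, the way the firewall's implicit default deny does. The client address 10.10.10.100 and the Internet host 198.51.100.10 are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Addresses from the thread: OPT1 is 10.10.10.1/24, LAN is 192.168.1.0/24.
OPT1_SUBNET = ipaddress.ip_network("10.10.10.0/24")
OPT1_HOST = ipaddress.ip_network("10.10.10.1/32")   # the OPT1 interface address
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")


@dataclass
class Rule:
    action: str                   # "pass" or "block"
    proto: str                    # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_negate: bool = False      # True models the "! LAN subnet" destination
    dport: Optional[int] = None   # None means any destination port
    description: str = ""

    def matches(self, proto, src, dst, dport):
        if self.proto != "any" and self.proto != proto:
            return False
        if src not in self.src:
            return False
        # A negated destination matches only when the address is NOT in dst.
        if (dst in self.dst) == self.dst_negate:
            return False
        return self.dport is None or self.dport == dport


def evaluate(rules, proto, src, dst, dport):
    """Walk the rules top to bottom; the first match decides.  Anything that
    matches nothing is blocked, modelling the implicit default deny."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(proto, src, dst, dport):
            return rule.action, rule.description
    return "block", "default deny"


def opt1_ruleset(with_dns_rule):
    """The OPT1 rules proposed in the thread.  The DNS rule, when present,
    sits above the block-all rule, as it must to take effect."""
    rules = []
    if with_dns_rule:
        for proto in ("udp", "tcp"):
            rules.append(Rule("pass", proto, OPT1_SUBNET, OPT1_HOST,
                              dport=53, description="DNS to OPT1 address"))
    for port, name in [(25, "SMTP"), (110, "POP3"), (995, "POP3 via SSL"),
                       (143, "IMAP"), (993, "IMAP via SSL"),
                       (80, "HTTP"), (443, "HTTPS")]:
        rules.append(Rule("pass", "tcp", OPT1_SUBNET, LAN_SUBNET,
                          dst_negate=True, dport=port, description=name))
    rules.append(Rule("block", "any", OPT1_SUBNET, LAN_SUBNET,
                      dst_negate=True, description="block everything else"))
    return rules


def walk_through():
    """Constructed packets from a wireless client at 10.10.10.100."""
    client = "10.10.10.100"
    internet = "198.51.100.10"      # constructed stand-in for an Internet host
    cases = {
        "dns, no explicit DNS rule": (opt1_ruleset(False), "udp", client, "10.10.10.1", 53),
        "dns, with DNS rule":        (opt1_ruleset(True),  "udp", client, "10.10.10.1", 53),
        "http to LAN host":          (opt1_ruleset(True),  "tcp", client, "192.168.1.10", 80),
        "http to Internet":          (opt1_ruleset(True),  "tcp", client, internet, 80),
        "ssh to Internet":           (opt1_ruleset(True),  "tcp", client, internet, 22),
    }
    return {name: evaluate(*args) for name, args in cases.items()}


if __name__ == "__main__":
    for name, (action, why) in walk_through().items():
        print(f"{name:28s} -> {action:5s} ({why})")
```

Without the explicit DNS pass rule, the client's UDP 53 query to 10.10.10.1 matches none of the TCP pass rules and is swallowed by the "block everything else" rule, which is exactly the failure described above. Note also that the block rule's "! LAN subnet" destination does not match traffic to the LAN at all; what keeps the LAN unreachable is that no pass rule matches it either, so it falls through to the default deny.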


-----Original Message-----
From: Rodman Frowert [mailto:frowertr at i dash 1 dot net] 
Sent: Thursday, September 02, 2004 8:27 PM
To: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Setting up HotSpot

Why does the destination need to be OPT1, James, for the DNS rule?  Is this
in case the DNS forwarder should not work for some reason?

Rodman
----- Original Message -----
From: "James W. McKeand" <james at mckeand dot biz>
To: <m0n0wall at lists dot m0n0 dot ch>
Sent: Thursday, September 02, 2004 8:49 AM
Subject: RE: [m0n0wall] Setting up HotSpot


> Blocking outbound SMTP will break all but one of my three POP3/SMTP
> accounts, preventing me from using the said HotSpot to send email. (The one
> account that does not use port 25 is not using 587.) If this HotSpot is
> for casual users or visitors to an office, blocking outbound port 25
> would render its email partially useless (I could retrieve, but could not
> send).
>
> If I was doing this for a client with the purpose of allowing visitors to
> an office to use internet wirelessly (from the original post from
> Rodman), I would recommend the following outbound ports be open (set to
> pass):
>
> SMTP - Port 25
> POP3 - Port 110
> POP3 via SSL - Port 995
> IMAP - Port 143
> IMAP via SSL - Port 993
> HTTP - Port 80
> HTTPS - Port 443
> DNS - Port 53 (set the destination address to OPT1 - even with DNS forwarder
> enabled you do not want the OPT1 interface to drop DNS requests)
>
> I would recommend that all other outbound ports be closed (set to block).
> (i.e. Block "OPT1 subnet":any -> ! "LAN subnet":any)
>
> All of the above rules (except DNS) would have a destination address of
> *not* LAN (! LAN) to protect the LAN subnet from OPT1.
>
> Feedback, anyone...
>
> _________________________________
> James W. McKeand
>
> P.s. Please remove my name from replies - I am getting two copies of each
> of these emails (one directly - one from List)
>
>
> -----Original Message-----
> From: Mitch (WebCob) [mailto:mitch at webcob dot com]
> Sent: Wednesday, September 01, 2004 6:13 PM
> To: Rodman Frowert; James W. McKeand; 'Dana Spiegel'
> Cc: m0n0wall at lists dot m0n0 dot ch
> Subject: RE: [m0n0wall] Setting up HotSpot
>
> Lots of people are blocking all standard MS ports - things like the 
> SQL server port, etc...
>
> Not sure of the number off the top of my head... also, the SMTP servers...
> people should only be using your own - I'm not talking about 587,
> which is authenticated, I'm talking about 25 - there is no good reason
> to allow people on your network to access another host's SMTP - this is
> how some virii / trojans spread or carry out their intended task - probing
> for open relays etc. Access to remote port 25 should be blocked and only
> allowed for specific destination hosts. Some ISPs are doing this in their
> infrastructure which, though a good idea, can be a nasty surprise when
> they don't document it or inform their users.
>
> Modern mail servers allow authenticated-only access on port 587 (message
> submission) so that is a safe port to allow communication on.
>
> This stuff should be in a wiki.
>
> How's that wiki coming?
>
> m/
>
> > -----Original Message-----
> > From: Rodman Frowert [mailto:frowertr at i dash 1 dot net]
> > Sent: Wednesday, September 01, 2004 2:56 PM
> > To: James W. McKeand; 'Dana Spiegel'
> > Cc: m0n0wall at lists dot m0n0 dot ch
> > Subject: Re: [m0n0wall] Setting up HotSpot
> >
> >
> > I assume that I want to block these ports going out of m0n0 because
> > it is already blocked coming into my WAN device, correct?  Basically
> > I am blocking my clients from sending out these requests, correct?
> >
> > Rodman
> > ----- Original Message -----
> > From: "James W. McKeand" <james at mckeand dot biz>
> > To: "'Dana Spiegel'" <dana at sociableDESIGN dot com>; "'Rodman Frowert'"
> > <frowertr at i dash 1 dot net>
> > Cc: <m0n0wall at lists dot m0n0 dot ch>
> > Sent: Wednesday, September 01, 2004 2:01 PM
> > Subject: RE: [m0n0wall] Setting up HotSpot
> >
> >
> > > From http://www.iana.org/assignments/port-numbers (the best list of
> > > assigned ports...)
> > >
> > > netbios-ns      137/tcp    NETBIOS Name Service
> > > netbios-ns      137/udp    NETBIOS Name Service
> > > netbios-dgm     138/tcp    NETBIOS Datagram Service
> > > netbios-dgm     138/udp    NETBIOS Datagram Service
> > > netbios-ssn     139/tcp    NETBIOS Session Service
> > > netbios-ssn     139/udp    NETBIOS Session Service
> > >
> > > I have also heard of blocking:
> > >
> > > epmap           135/tcp    DCE endpoint resolution
> > > epmap           135/udp    DCE endpoint resolution
> > >
> > > And
> > >
> > > microsoft-ds    445/tcp    Microsoft-DS
> > > microsoft-ds    445/udp    Microsoft-DS
> > >
> > > Not sure on the 135
> > >
> > > _________________________________
> > > James W. McKeand
> > >
> > >
> > > ________________________________
> > >
> > > From: Dana Spiegel [mailto:dana at sociableDESIGN dot com]
> > > Sent: Wednesday, September 01, 2004 12:41 PM
> > > To: Rodman Frowert
> > > Cc: James W. McKeand; m0n0wall at lists dot m0n0 dot ch
> > > Subject: Re: [m0n0wall] Setting up HotSpot
> > >
> > >
> > > Telnet blocking is fine (no one should use it). Blocking FTP is
> > > your own choice. I don't think it's necessary, but that's entirely
> > > up to you.
> > >
> > > I'd also explicitly block virus ports (I think 135-139, which are popular
> > > windows exploit ports). Does someone want to verify these for me,
> > > since I'm not sure if they are exactly correct?
> > >
> > > Otherwise, I'd leave everything else open. Also, you might want to
> > > only redirect port 80/443 since those are the only ones where you
> > > can see the TOS. This will allow newer Wi-fi VOIP phones to work
> > > without having to go through the captive portal (which they obviously
> > > can't do without a proper screen).
> > >
> > >
> > > D a n a   S p i e g e l
> > > s o c i a b l e D E S I G N  ::  www.sociableDESIGN.com
> > > 123 Bank Street, Suite 510, New York, NY 10014 p  +1 917 402 0422
> > > ::  e  dana at sociableDESIGN dot com
> > >
> > >
> > >
> > > Rodman Frowert wrote:
> > >
> > > Well I went ahead and enabled traffic shaper to throttle SMTP
> > > bandwidth as suggested so that if a spammer does come in, he will
> > > only get a 50kbps pipe.  It seems to be working perfectly.  I setup
> > > a mask as "source" on the 50kbps pipe.  According to what I have
> > > read, this will allow each client that connects to get their own
> > > 50kbps pipe.  My pipe looks like this:
> > >
> > >       No.  Bandwidth  Delay  Mask    Description
> > >       1    50 Kbit/s         source  50kbps Pipe
> > >
> > >
> > >
> > > And my rule looks like this:
> > >
> > >       If         Proto  Source         Destination         Target       Description
> > >       Wi-Fi Nic  TCP    Wi-Fi Nic net  * Port: 25 (SMTP)   50kbps Pipe  Mail Up-Stream Throttle
> > >
> > >
> > >
> > > I don't have a way to test if the mask is working as I don't have
> > > two wireless clients I can use to connect.  I guess I could make
> > > another traffic shaping rule for the LAN and test it that way
> > > using a LAN computer and my laptop.  Does everything look good here?
> > >
> > > Also, I am thinking about blocking telnet and FTP access.  I don't 
> > > think the everyday user to my hotspot is going to need these 
> > > services.  Is there anything else I could be missing.  Because 
> > > this is public access, should anything be explicitly blocked or 
> > > should I leave it all open and hope for the best?
> > >
> > > Man, the captive portal rocks!.  I uploaded my own TOS agreement 
> > > and it looks great.
> > >
> > > Thanks for all your help guys.  I really appreciate it.  I love 
> > > this program!  Hopefully I can go "live" by tomorrow.
> > >
> > > Rodman
> > >
> > > ----- Original Message -----
> > > From: "James W. McKeand" <james at mckeand dot biz>
> > > To: "'Rodman Frowert'" <frowertr at i dash 1 dot net>
> > > Cc: <m0n0wall at lists dot m0n0 dot ch>
> > > Sent: Tuesday, August 31, 2004 4:37 PM
> > > Subject: RE: [m0n0wall] Setting up HotSpot
> > >
> > >
> > >
> > >
> > > Make a rule for your Opt1 interface with source of Opt1 Subnet (port
> > > any) and a destination not LAN Subnet (port any - for testing),
> > > then restrict destination ports if you want.
> > >
> > > _________________________________
> > > James W. McKeand
> > >
> > >
> > > -----Original Message-----
> > > From: Rodman Frowert [mailto:frowertr at i dash 1 dot net]
> > > Sent: Tuesday, August 31, 2004 5:17 PM
> > > To: Dana Spiegel; Kevin Coleman
> > > Cc: m0n0wall at lists dot m0n0 dot ch
> > > Subject: Re: [m0n0wall] Setting up HotSpot
> > >
> > > I went ahead and changed everything over like you guys suggested.
> > > My LAN is now on the LAN interface and my ADSL is now on the WAN
> > > interface and my access point is now on the OPT1 interface.  Now the
> > > configuration is as follows:
> > >
> > > WAN - IP is DHCP assigned by DSL provider
> > > LAN - IP is 192.168.1.1/24
> > > OPT1 - IP is 10.10.10.1/24 and DHCP is enabled to give wireless clients
> > > IP addresses in a range of 10.10.10.100 - 10.10.10.254
> > >
> > > But I can't get the OPT 1 interface working with my wireless laptop.
> > > It doesn't even give out an IP address when I turn the laptop
> > > computer on (yes, it is configured to get an IP automatically).  I am
> > > guessing it is because I needed to make a firewall rule, but for the
> > > life of me I can't figure out the right rule I guess.  All I need is
> > > the OPT 1 to access the WAN and NOT the LAN.
> > >
> > > Any ideas or hints on what I am missing?
> > >
> > > Rodman
> > >
> > >
> > > From: "Dana Spiegel" <dana at sociableDESIGN dot com>
> > > To: "Kevin Coleman" <kevin at gabu dot com>
> > > Cc: <m0n0wall at lists dot m0n0 dot ch>
> > >
> > > Sent: Tuesday, August 31, 2004 8:59 AM
> > > Subject: Re: [m0n0wall] Setting up HotSpot
> > >
> > >
> > >
> > >
> > > I would also rethink your rules below. Only allowing those ports 
> > > will make the hotspot very unusable.
> > >
> > > People put web servers on ports other than 80 and 443
> > > People use IMAP
> > > People use SMTP (and NYCwireless has a totally unrestricted
> > > network where we've never seen a spammer send out millions of spam
> > > messages)
> > > People use S/POP and S/IMAP
> > > People use PPTP and IPSEC vpns (this is a big one, especially since
> > > wireless hotspots are inherently insecure)
> > > People use SSH (and SSH on ports other than 22)
> > > People use other applications that make use of other ports
> > >
> > > Really your best bet is to put up the Captive Portal page, and set 
> > > up your network as Kevin recommends below.
> > >
> > > Dana Spiegel
> > > Director, NYCwireless
> > > dana at nycwireless dot net
> > > www.nycwireless.net
> > >
> > >
> > >
> > > Kevin Coleman wrote:
> > >
> > >
> > >
> > > I'd take out the Linksys, put your 192.169.1.0/24 network on the LAN
> > > interface, your DSL/cable modem on the WAN interface, and connect
> > > your Wi-Fi AP to the DMZ interface.
> > >
> > > Then create a firewall rule that enables the DMZ to access the WAN.
> > > By default, LAN will be able to access the internet and DMZ will 
> > > not be able to access the LAN.
> > >
> > > (K)
> > >
> > > -----Original Message-----
> > > From: Rodman Frowert [mailto:frowertr at i dash 1 dot net]
> > > Sent: Monday, August 30, 2004 9:16 PM
> > > To: m0n0wall at lists dot m0n0 dot ch
> > > Subject: [m0n0wall] Setting up HotSpot
> > >
> > > Hello.  After many hours of labor, I finally got m0n0 running today.
> > > I guess it pays to make sure you actually have a NIC chipset 
> > > supported by FreeBSD...
> > >
> > > Anyway, I have a question or two about using m0n0 with a hotspot I
> > > am installing in my business.  I have a LAN behind my Linksys NAT
> > > router/switch with an IP/subnet range of 192.168.1.0/24.  Only 3
> > > computers connected to the switch.  What I am wanting to do is
> > > connect m0n0 right to the switch on my LAN (through m0n0 WAN
> > > device).  Then I want to connect my wireless AP to the m0n0 box.  The
> > > problem is, I don't know if I should use the DMZ/OPT1 interface or the
> > > LAN interface.  I won't need anything connected to the LAN interface
> > > on the m0n0 box so could I actually just connect the AP to the LAN
> > > interface and my hotspot becomes "another lan" in effect?
> > >
> > > I then need to make sure m0n0 blocks all access to my actual "real"
> > > wired lan since all I want the wireless clients to do is surf and not
> > > sniff my network.  Would I simply need to setup a rule for the LAN
> > > interface that would block all outgoing traffic that had a
> > > destination of 192.168.1.0/24?
> > >
> > > Lastly, I need m0n0 to block access to everything the wireless
> > > clients can do except pop3, http, and https.  Would I simply add a
> > > set of allow rules to the LAN interface again, something to the
> > > idea of this:
> > >
> > > Proto    Source    Port       Destination    Port
> > > TCP      LAN net   *          *              80  (HTTP)
> > > TCP      LAN net   *          *              110 (POP3)
> > > TCP      LAN net   *          *              443 (HTTPS)
> > >
> > > Then at the bottom of those 3 rules have one that blocks
> > > EVERYTHING else?
> > >
> > > Thanks in advance for any help, guys!
> > >
> > > Rodman Frowert
> > >
> > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> > > For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch