On Wed, 15 May 2002 06:28:45 PDT Eric House wrote:

> > This is probably obvious, but...
> > Be careful; unless you take further precautions, the policies above
> > will allow anyone with a wireless card nearby (or not-so-nearby with
> > a wireless card and an antenna) full access to the network hanging
> > off eth1.
> 
> So dmz-style rules make sense for the wireless net, don't they?

Probably so.  Another approach, if you're concerned about who uses
or who can snoop on the wireless net, would be to use IPSec on the
wireless net and define separate access policies for authenticated
wireless clients on the VPN and non-authenticated wireless clients.
 
> Though I may eventually put a web server on the net (the wlan isn't
> the logical place for it but for its being dmz-like), the wlan will
> mostly be used for internet access.

It probably makes sense to comment out the "dmz" zone, policy,
interface and rules for now and add in your own "wlan" zone.
That way there's no confusion if you decide to add a DMZ later.
As you said, the setup for the WLAN zone will probably look a lot
like the example "dmz" zone.

> But I expect I'll occasionally
> want to connect from the wlan to machines on loc, e.g. to kill an XF86
> server when it crashes.

Your setup sounds very similar to mine.  From my WLAN I allow DNS
requests to the firewall and ssh and https access to selected hosts
on my private network.  From the WLAN to the 'net, I allow HTTP,
HTTPS, SSH, FTP, whois and maybe one or two other protocols.
Eventually, I will set up IPSec for access from the WLAN to the
private net, but even now my exposure is fairly limited.

> Perhaps the best approach is to start with the default dmz rules, then
> punch specific holes through the firewall allowing ssh and ping between
> dmz and loc?

Sounds like a plan.  I'm guessing you will probably want to add
rules to allow HTTP, HTTPS and FTP from the wireless network to
the Internet too.

--Brad

> Thanks!
> 
> --Eric
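As an added illustration of the zone layout discussed in this thread (not configuration posted by Brad or Eric), here is what a separate "wlan" zone with DMZ-style policies and the pinholes described above looks like, assuming the LEAF box runs Shorewall 1.x; eth0/eth2, the 192.168.1.10 host and the log level are assumptions, while eth1 is the wireless interface named earlier in the thread.

```conf
# Added example (not from the thread): a separate "wlan" zone in Shorewall 1.x
# style config files. eth0/eth2, the 192.168.1.10 host and the log level are
# assumptions; eth1 is the wireless interface named earlier in the thread.

# /etc/shorewall/zones
#ZONE   DISPLAY     COMMENTS
net     Net         Internet
loc     Local       Wired private network
wlan    Wireless    Wireless LAN, treated like an untrusted DMZ

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      norfc1918,routefilter
wlan    eth1        detect      routefilter
loc     eth2        detect

# /etc/shorewall/policy (first match wins, so zone-specific lines go first)
# Default-deny from wlan toward the firewall, the wired LAN and the Internet;
# only the explicit rules below open holes. Logging makes abuse visible.
#SOURCE DEST    POLICY  LOG LEVEL
fw      net     ACCEPT
loc     net     ACCEPT
loc     wlan    ACCEPT
wlan    net     DROP    info
wlan    loc     DROP    info
wlan    fw      DROP    info
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules
#ACTION SOURCE  DEST                PROTO   DEST PORT(S)
# Wireless clients resolve names through the firewall only.
ACCEPT  wlan    fw                  udp     53
ACCEPT  wlan    fw                  tcp     53
# Pinholes into the wired LAN: ssh, https and ping to one selected host,
# not the whole loc zone.
ACCEPT  wlan    loc:192.168.1.10    tcp     22
ACCEPT  wlan    loc:192.168.1.10    tcp     443
ACCEPT  wlan    loc:192.168.1.10    icmp    8
# Wireless to the Internet: http, https, ssh, ftp, whois.
ACCEPT  wlan    net                 tcp     80
ACCEPT  wlan    net                 tcp     443
ACCEPT  wlan    net                 tcp     22
ACCEPT  wlan    net                 tcp     21
ACCEPT  wlan    net                 tcp     43
```

Shorewall reads the policy file top-down, so the wlan-specific DROP lines must precede the catch-all entries; FTP from the wireless zone also needs the ip_conntrack_ftp module loaded so that data connections are tracked.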

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
