Dear list. My first gig is developing a Bering 1.2 firewall for a coffee house. I expect to be paid in food and soy lattes ;-)
Here is the situation: Coffee shop owner wants to support wireless for the customers. Owner has one or two business machines that need to be protected from the Internet -- and the wireless customers.
The architecture I thought might work well is:

Internet ---- DSL ----- Bering 1.2 ---- internal net (business machines)
                            |
                            |  DMZ
                            |
                   Wireless access point
                         /  |  \
                        Customers
Are there any issues using a DMZ for the wireless segment?
Yeah, sort of. DMZ typically refers to a network designed to connect servers to the Internet. It gets protected with a firewall ruleset that allows incoming access only to a specified list of services, and outgoing access only as needed to provide those services.
For example, here I run my mail server on a DMZ interface. That interface has a ruleset that ACCEPTs only
-- incoming traffic on the SMTP and POP3 ports (and ssh, if from the LAN interface).
-- outgoing traffic to SMTP, DNS, NTP, and maybe a couple of other ports.
-- no SNAT, and DNAT only for the incoming ports needed above.
What you want for your wireless clients is quite different, pretty much a second LAN, not really a DMZ. It will probably be a different /24 network from the business network. It will be NAT'd for outgoing connections, and it may have some usage controls that enforce whatever Terms of Service the owner wants to provide service under. For example, he probably wants to do something to prevent being used by SPAMmers. He may want to limit the bandwidth that customers can use. He may want to distinguish customers from freeloaders ... or from laptops in cars parked outside his establishment. These are the usual issues with setting up wireless access anywhere more crowded than Gilligan's Island.
He may even want to impose things like time limits and time charges ... though I surmise that you and he are contemplating a free service, since that seems to be the trend, at least around here.
The main thing you always want to prevent is traffic going from the customer LAN to the business LAN. Easy to do with iptables ... though I don't offhand know the right entries for Shorewall, this is common enough that I bet Tom's docs have an example for it.
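As an added illustration (not from the original thread, nor from the Bering or Shorewall projects), here is how the three-zone layout described in the reply above could be written in Shorewall's table files: the wireless segment as a second NAT'd LAN, customer traffic to the business LAN dropped, and outbound SMTP from customers rejected. It assumes Shorewall 1.4-style column syntax as shipped with Bering, and the interface names eth0 (DSL), eth1 (business LAN) and eth2 (wireless access point) are assumptions.

```text
# /etc/shorewall/zones  (assumed names; "fw" is the firewall itself)
#ZONE   DISPLAY     COMMENTS
net     Net         Internet via DSL
loc     Local       Business machines
wifi    Wireless    Customer wireless LAN

# /etc/shorewall/interfaces  (interface names are assumptions)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter,norfc1918,tcpflags
loc     eth1        detect
wifi    eth2        detect      dhcp

# /etc/shorewall/policy  (evaluated top to bottom; first match wins)
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
loc     fw      ACCEPT
wifi    net     ACCEPT
# The main thing to prevent: customers reaching the business LAN.
wifi    loc     DROP    info
wifi    fw      DROP    info
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/masq  (NAT both LANs out the DSL interface)
#INTERFACE  SUBNET
eth0        eth1
eth0        eth2

# /etc/shorewall/rules  (exceptions to the policies above)
#ACTION SOURCE  DEST    PROTO   DEST PORT(S)
# Let customers resolve names via the firewall's own DNS cache.
ACCEPT  wifi    fw      udp     53
ACCEPT  wifi    fw      tcp     53
# Anti-spam measure: customers may not talk SMTP directly to the Internet.
REJECT  wifi    net     tcp     25
```

The wifi-to-loc DROP is the line that matters most; everything listed under rules only punches the narrow holes the customers actually need.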
