Xavier,

If I had to do what you are talking about, I would implement the solution as follows:

Firewall - eth0 => WAN/ADSL Modem
Firewall - eth1 => Wireless Router/AP - the router set up to provide DHCP - Linksys/Dlink etc all do this.
Firewall - eth2 => LAN/ Internal secure users for Wireless. Have this be the one where MNF provides the DHCP services.

Also on your internal Wireless set up security including WEP or other encryption. This will keep all your free-riders from accessing any resources on the LAN while still getting access via a different interface to the WAN.

My 2 cents.
Vinay.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Xavier Alvarez
Sent: Tuesday, February 22, 2005 11:54 AM
To: [email protected]
Subject: [Security Firewall] Re: MNF and DHCP customization

No takers on this? Not even a "please explain further" comment?
Am I missing something too obvious?

A bit lost,
Xavier

On Wed, 9 Feb 2005 12:26:24 +0100, Xavier Alvarez <[EMAIL PROTECTED]> wrote:
> Hi people!
>
> I have a (newbie) question regarding DHCP in MNF.
>
> My network configuration is rather default, without DMZ:
>
> Firewall - eth0 => WAN | ADSL modem
> Firewall - eth1 => (none yet)
> Firewall - eth2 => LAN | switch
>
> The ADSL modem has a built-in firewall in default configuration and
> runs a DHCP server for the 10.0.0.0/8 network, where there are only
> two IPs used statically (the ADSL and the Firewall) allowing the
> patching of a machine outside the MNF.
>
> The problem is that on the LAN I have wireless APs and some free
> riders... I don't care too much about them using the WAN, but I do
> care about them snooping my LAN. Also, I don't want to completely
> lock the WiFi, since I have incoming roaming laptops that would need
> to access the WAN with the least configuration possible.
>
> What I was thinking (have no clue about its feasibility though) was to
> put the wireless APs on eth1. And activate the DHCP on that
> interface. First problem, MNF's DHCP can only be set on only one
> interface... and want to keep it on eth2.
>
> The second step in this grand plan-scheme, and if I read the DHCP
> stuff correctly is to configure two distinct networks on that
> interface. One, say 192.168.0.0/24, with my trusted wireless machines
> (based on their MACs) and another (172.16.0.0/12) for the unknowns.
>
> This splitting would allow me to create specific rules allowing
> traffic to my wired network only from trusted wireless, while allowing
> untrusted wireless to surf the web without access to my wired network.
>
> The rationale (security-wise) is that if a free-rider bumps onto my
> wireless network, the DHCP will give a non-trusted IP to it and the
> firewall will block out my LAN to it. A would-be hacker-snooper,
> would probably think that the AP was left on by mistake and since he
> has access to the web, will not spend too much time trying to find my
> wired network. But if a trusted MAC does bump in, it'll be able to
> communicate with the wired network.
>
> So my question is: can this be done? within MNF or it'll break it?
> Hints or ideas on how?
>
> Cheers,
> Xavier
>
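The two-network split asked about in the original question, written as a DHCP server configuration. This is an added example, not part of the thread and not MNF's own configuration; it assumes an ISC dhcpd-style server listening on eth1, an interface that carries an address in each subnet, and constructed host names, gateway addresses and MAC values.

```conf
# Added example (ISC dhcpd syntax). Assumptions, none of them from the thread:
#   - eth1 holds both 192.168.0.1/24 and 172.16.0.1/12 (second one as an alias)
#   - host names, address ranges and MACs below are constructed placeholders

authoritative;
default-lease-time 3600;
max-lease-time 7200;

# One host entry per trusted wireless machine. A client whose MAC matches
# any host declaration counts as a "known client".
host trusted-laptop-1 {
    hardware ethernet 00:00:5e:00:53:01;   # constructed MAC
}
host trusted-laptop-2 {
    hardware ethernet 00:00:5e:00:53:02;   # constructed MAC
}

# Both subnets live on the same physical segment (the APs behind eth1),
# so they are grouped in one shared-network.
shared-network wireless {

    # Trusted wireless: only known MACs get a lease here.
    subnet 192.168.0.0 netmask 255.255.255.0 {
        option routers 192.168.0.1;
        option domain-name-servers 192.168.0.1;
        pool {
            range 192.168.0.100 192.168.0.199;
            allow known-clients;
        }
    }

    # Everyone else: short leases, addresses the firewall treats as untrusted.
    subnet 172.16.0.0 netmask 255.240.0.0 {
        option routers 172.16.0.1;
        option domain-name-servers 172.16.0.1;
        default-lease-time 600;
        pool {
            range 172.16.0.100 172.16.0.199;
            allow unknown-clients;
        }
    }
}
```

DHCP only decides which address a client is offered; it does not stop a client from configuring an address in 192.168.0.0/24 by hand or presenting a different MAC. The firewall rules keyed on source subnet and the wireless encryption mentioned in the reply are what actually enforce the separation.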
