Free internet at my house!
mark at purcell.homeip.net
Wed Jun 12 20:56:55 EST 2002
On Wed, Jun 12, 2002 at 06:50:15PM +1000, Michael Still wrote:
> I have wireless. It is bridged to my wired network on the firewall
> machine, using the kernel ethernet bridging. It looks something like:
Same setup here, although I don't use 802.11 host mode or bridge.
> The bridge between br0 and eth0 currently pushes all traffic -- which is
> obviously not a good thing.
Don't bridge, as the wireless leg is an untrusted network. Set up another
subnet for your wireless net (eth2) and only route what you want
to and from it.
> - I would still like to use DHCP for ip addresses on wireless machines
> (denial of service on the IP address range doesn't bother me much)
Do you really need the DHCP thing on the wireless? I have mine set up with
static route and IP addresses, which is fine as I only have a couple
of wireless hosts. Means that I'm not setting up everything for the
potential drive-by surfer.
> - Yay crypto on the wireless stuff (ipsec?)
By not bridging you can set up ipsec for the two ends of your wireless link,
which will secure your wireless traffic, but I believe you can also set up
the ipsec side on your router to only accept connections from hosts
whose keys are known. That will stop anyone from drive-by surfing.
> - It needs to work with linux, and win2k
Don't know about ipsec and w2k, but I presume it must be there somewhere...
> - I'm more concerned with people yoinking ADSL bandwidth than protecting
> my internal network, which is fairly secure...
The other suggestion is don't ipforward/NAT from the wireless net. If
you can get away with it, just set up a number of proxy applications
like socks on the firewall, and unless they authenticate to the proxy
first they don't get out. Or only allow your wireless net to talk to
your wireline net and then use application proxies (web proxy et al)
to control access?
That's what I do here..
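
The routed, proxy-only layout described in the reply above, sketched as an added example that is not part of the original post or the poster's own configuration. It assumes iptables on the firewall; eth2 is the wireless interface named in the post, while the subnet, firewall address and proxy port passed to the function are illustrative assumptions.

```shell
#!/bin/sh
# Added example. eth2 comes from the post; subnet, firewall IP and proxy
# port are assumptions supplied by the caller.

# wlan_rules IFACE SUBNET FIREWALL_IP PROXY_PORT
# Prints an iptables-restore fragment that treats IFACE as untrusted:
# wireless hosts may reach the proxy port on the firewall and nothing else,
# and nothing arriving on IFACE is forwarded (so it is never NATed out).
wlan_rules() {
    if [ "$#" -ne 4 ]; then
        echo "usage: wlan_rules IFACE SUBNET FIREWALL_IP PROXY_PORT" >&2
        return 2
    fi
    case $4 in
        ''|*[!0-9]*) echo "proxy port must be numeric" >&2; return 2 ;;
    esac
    cat <<EOF
*filter
:WLAN_IN - [0:0]
:WLAN_FWD - [0:0]
-I INPUT 1 -i $1 -j WLAN_IN
-I FORWARD 1 -i $1 -j WLAN_FWD
-A WLAN_IN -m state --state ESTABLISHED,RELATED -j ACCEPT
-A WLAN_IN -s $2 -d $3 -p tcp --dport $4 -j ACCEPT
-A WLAN_IN -j LOG --log-prefix "wlan-drop: "
-A WLAN_IN -j DROP
-A WLAN_FWD -j LOG --log-prefix "wlan-fwd-drop: "
-A WLAN_FWD -j DROP
COMMIT
EOF
}

# When run with four arguments, print the fragment so it can be checked and
# loaded without flushing existing rules, e.g.:
#   sh wlan.sh eth2 192.168.2.0/24 192.168.2.1 1080 | iptables-restore --noflush --test
if [ "$#" -eq 4 ]; then
    wlan_rules "$@"
fi
```

The proxy listening on the chosen port still has to require authentication itself; these rules only make it the single way out of the wireless subnet.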