Re: IPTABLES: Egress packet/port filtering

From: Shane R. Spencer <shane@tdxnet.com>
Date: Tue Jun 06 2006 - 12:00:02 AKDT

On Tue, 2006-06-06 at 11:53 -0800, Shane R. Spencer wrote:
> On Tue, 2006-06-06 at 11:46 -0800, Damien Hull wrote:
> >
> > Shane R. Spencer wrote:
> > > Yo..
> > >
> > > So, I operate a few hotspots and am having some wonderful issues with
> > > some very hostile customers staying at a hotel we provide wireless
> > > Internet access for. It is free and we have public IP's for all
> > > wireless clients staying at the hotel, which I am starting to think was
> > > a stupid idea, however older VPN implementations almost required it in
> > > order to keep support requests to a minimum.
> > >
> > > I am hoping to block all but pop/imap/smtp(filtered via
> > > clamsmtp)/http(transparent squid)/VPN's and drop everything else. I
> > > found a few helpful links including this one:
> > >
> > > http://www.enterprisenetworkingplanet.com/netsysm/article.php/2168251
> > >
> > > At this point I just need a little advice on the do's and don'ts of this
> > > kind of situation.
> > >
> > > Should I block *all* ingress forwarded traffic if I don't want
> > > folks hosting web servers during their long stay at the hotel, not to
> > > mention P2P traffic?
> > >
> > > Should I block all egress high ports 1024:65535 unless they are somehow
> > > related to traffic? I am unsure of how that works.
> > >
> > > Shane
> > >
> > > ---------
> > > To unsubscribe, send email to <aklug-request@aklug.org>
> > > with 'unsubscribe' in the message body.
> > >
> > >
> > >
> > Can you switch to private IP space?
> >
> > Most laptop users will be running Windows XP. Let's keep it simple and
> > say they use PPTP for the VPN connection. That's port 1723. Just set up a
> > network with private IP space and allow port 1723 access.
> >
> > Got the XP info from this website.
> > http://wireless.gumph.org/content/6/4/014-howto-xp-pptp-vpn-testing.html
> >
> >
> > - --
> > You can get my public PGP key at https://keyserver.pgp.com
> >
> > Digital Overload
> > http://www.digitaloverload.net
> >
> > Keep your data safe by doing regular backups. At Digital Overload we use
> > a combination of DVD and hard drive backups. For off site storage we use
> > a safe-deposit box at the bank. All backups are encrypted.
>
> That's been in the front of my mind.. I should just switch to private
> IPs. Offering public IPs has been a difficult task since inbound
> becomes a problem. I could test for problems by enabling NAT with it how
> it is now and see how many things break for the long-staying customers
> at the hotel before I switch around everything. As soon as I switch to
> private IPs 50 people will call the front desk saying their wireless
> signal is weak (which obviously isn't the problem) - trying to avoid a
> mass headache.
>
> Thanks

Also, I can't forward my gateway's IP port 1723 to 50+ private IPs
individually; that's why they are on public IPs to begin with. More
than anything I just need to know the right and wrong of what can be
filtered outbound and things to consider for inbound. I have a good
list going already of things I need; I would like to understand (which I
will be testing) related and established connection tracking to see how
well that works for certain protos.

I hope to just enable VPN, HTTP(S), MAIL*, SSH, FTP. And block common
ports like 8080/3128/P2P including use of IPP2P to block P2P traffic
overall.

I will just have to implement this at home for a while and see how
things work. My manager, who has no real experience doing this sort of
thing, just wants me to do it and have it be 100% correct so he can call
the client and tell them what a good boy he is today, which is annoying
me greatly considering my other tasks that other people need done.
Anybody have job leads in weird places I haven't thought to look?

Oh well.


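An added example, not from anyone in the thread, of the FORWARD policy the message sketches: default deny, ESTABLISHED/RELATED conntrack for replies and FTP data channels, no new inbound connections to guests, the proxy ports 8080/3128 dropped ahead of an explicit outbound allow list (mail, SSH, FTP, HTTP(S), PPTP/GRE and IPsec), and a rate-limited log of what gets dropped. The interface names, the exact port set and the logging rule are assumptions; run with IPT=echo to preview the rules without applying them.

```shell
#!/bin/sh
# Constructed example of a hotspot FORWARD policy; not from the thread.
# Assumptions: guests sit behind $LAN_IF, upstream is $WAN_IF, and
# nf_conntrack_ftp is loaded so FTP data channels show up as RELATED.
LAN_IF=${LAN_IF:-eth1}   # hotspot (guest) side
WAN_IF=${WAN_IF:-eth0}   # Internet side
IPT=${IPT:-iptables}     # set IPT=echo to preview without touching the kernel

# Emit one iptables argument list per line, in the order they must be added.
forward_rules() {
    # Default deny for everything crossing the box.
    echo "-P FORWARD DROP"
    # Replies to guest-opened connections, plus RELATED flows such as the
    # FTP data channel, are accepted regardless of port.
    echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # No new inbound connections to guests: no hosted web servers, no
    # unsolicited P2P peers reaching a guest laptop.
    echo "-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state NEW -j DROP"
    # Open-proxy ports are dropped before the allow list so they cannot
    # slip through on a later rule.
    for p in 8080 3128; do
        echo "-A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport $p -j DROP"
    done
    # Outbound allow list: mail (smtp/pop3/imap and TLS variants), SSH,
    # FTP control, HTTP(S). Everything else falls to the DROP policy.
    for p in 25 465 587 110 995 143 993 22 21 80 443; do
        echo "-A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # VPNs: PPTP control channel plus GRE, and IPsec IKE/NAT-T plus ESP.
    echo "-A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport 1723 -m state --state NEW -j ACCEPT"
    echo "-A FORWARD -i $LAN_IF -o $WAN_IF -p gre -j ACCEPT"
    echo "-A FORWARD -i $LAN_IF -o $WAN_IF -p udp --dport 500 -j ACCEPT"
    echo "-A FORWARD -i $LAN_IF -o $WAN_IF -p udp --dport 4500 -j ACCEPT"
    echo "-A FORWARD -i $LAN_IF -o $WAN_IF -p esp -j ACCEPT"
    # DNS; narrow with -d <resolver> if guests should only use your resolvers.
    echo "-A FORWARD -i $LAN_IF -o $WAN_IF -p udp --dport 53 -j ACCEPT"
    # Rate-limited log of what hits the default drop, so a "weak signal"
    # complaint can be traced to the port that was actually blocked.
    echo "-A FORWARD -i $LAN_IF -o $WAN_IF -m limit --limit 5/min -j LOG --log-prefix EGRESS-DROP:"
}

# Apply (or, with IPT=echo, print) the rules in order.
apply_rules() {
    forward_rules | while read -r rule; do
        $IPT $rule   # unquoted on purpose: each line is one argument list
    done
}
```

The transparent squid and clamsmtp redirects belong in the nat PREROUTING chain and the box's INPUT chain, not in FORWARD, so they are left out here.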
Received on Tue Jun 6 12:00:17 2006

This archive was generated by hypermail 2.1.8 : Tue Jun 06 2006 - 12:00:17 AKDT