KCLUG.NET available

Jack quiet_celt at yahoo.com
Tue Feb 7 13:33:00 CST 2006


--- David Nicol wrote:

> > > 2. I write software so I dunno networking, requesting
> > > help from the user group. I was invited to manage a very
> > > small network whose owner wants to make it available
> > > for web-browsing to anyone roaming the neighborhood via
> > > wireless. However, as best I know this gives access to
> > > the other computers on the network, and I'm curious to
> > > know if there is a way to expose a single computer to
> > > the world as a wireless server, without giving access to
> > > the rest of the network.
> >
> > Internet to 5-port switch
> > Switch  to Wireless AP and a NAT/Firewall device
> > NAT/Firewall to private network
> 
> as I see it the question is, is there a way to
> expose the one server,
> while still providing wireless for your other
> devices, using a single
> access point, and the answer is no.  He's going to
> need a second
> access point.  One AP for the public wireless and
> one for his
> unrestricted private.

I disagree. The way I see it he could build a
tri-homed firewall. Three NICs: one NIC is a wireless
on a private IP range, one NIC is assigned a different
IP range, and the third connects to the Internet. I
don't know enough about switches to analyze the first
answer, but it seemed reasonable, basically the same
as my solution - except the switch is the tri-homed
device. My solution has the added benefit of offering
some protection to the wireless device and also
prevents malicious persons from using the wireless to
launch attacks. The downside is, if the tri-homed
device is compromised all is exposed. Another solution
here would be to have a gateway firewall machine, put
the wireless on the DMZ side of this firewall, and add a
DMZ firewall protecting the internal network from both
the wireless and the Internet.

solution #2:

 Internet 
     |
+----------+
| Firewall |
+----------+
     |
     |      +----------+
     +------| Wireless |
     |      +----------+
     |
+----------+
| Firewall |
+----------+
     |
     |
+----------+
|   LAN    |
+----------+



solution #1:

 Internet 
     |
+----------+
| Firewall |
|----------|
| FW | FW  |
+----------+
   |    |
   |    |      +----------+
   |    +------| Wireless |
   |           +----------+
   |
+----------+
|   LAN    |
+----------+

Granted this configuration is an advanced firewall,
and the previous setup requires two different
firewalls. In all cases the first firewall is a
gateway firewall and the others are choke firewalls.
However, it is doable without a second access point.
The first solution can be done with a single iptables
configuration.

Brian JD
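A tri-homed iptables ruleset of the kind described in solution #1, written here as an added example (not from the thread or any poster). Interface names (eth0 = Internet, wlan0 = public wireless, eth1 = private LAN) and the two private address ranges are assumptions; the script prints the rules and applies them only when run as root with `--apply`.

```shell
#!/bin/sh
# Tri-homed firewall: public wireless may only browse the web, and can
# never reach the private LAN; the LAN may reach everything.
# Assumed interfaces and ranges (constructed for this example):
WAN=eth0; WIFI=wlan0; LAN=eth1
WIFI_NET=192.168.10.0/24; LAN_NET=192.168.1.0/24

# Emit the iptables commands; pipe into sh as root to apply them.
build_rules() {
  cat <<EOF
iptables -F; iptables -t nat -F
iptables -P INPUT DROP; iptables -P FORWARD DROP; iptables -P OUTPUT ACCEPT
# Loopback and stateful return traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Wireless guests may only obtain a DHCP lease from the firewall itself
iptables -A INPUT -i $WIFI -p udp --dport 67 -j ACCEPT
# Only the private LAN may talk to the firewall box (ssh, admin, etc.)
iptables -A INPUT -i $LAN -s $LAN_NET -j ACCEPT
# Choke point: wireless -> LAN is dropped unconditionally
iptables -A FORWARD -i $WIFI -o $LAN -j DROP
# Wireless -> Internet: DNS plus web browsing only, limiting outbound abuse
iptables -A FORWARD -i $WIFI -o $WAN -s $WIFI_NET -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i $WIFI -o $WAN -s $WIFI_NET -p tcp -m multiport --dports 80,443 -j ACCEPT
# LAN -> wireless segment and Internet: unrestricted
iptables -A FORWARD -i $LAN -s $LAN_NET -j ACCEPT
# Masquerade both private ranges out the uplink
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
EOF
}

# Check helper: does the generated ruleset contain the given rule fragment?
has_rule() { build_rules | grep -qF -- "$1"; }

if [ "${1:-}" = "--apply" ]; then
  build_rules | sh
else
  build_rules
fi
```

Because FORWARD defaults to DROP, anything not matched above (wireless to LAN, wireless mail or ssh to the Internet) is silently discarded.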
