KCLUG.NET available

Kelsay, Brian - Kansas City, MO brian.kelsay at kcc.usda.gov
Tue Feb 7 13:41:55 CST 2006


 For a preconfigured solution, see www.IPCop.org, current version is
1.4.10.  The Red is Internet, Green is local LAN, Orange is DMZ, Blue is
untrusted wireless.  You use DMZ pinholes to allow specific hosts or a
range of hosts to have direct connection from one net to another.  E.g.
allow specific IP address access to server on Orange (DMZ) so that your
laptop can admin the server.  Blue (wireless), by default has access to
the internet, but you may want to add nocatauth to allow you to add an
acceptable usage notice to users.



-----Original Message-----
From:  On Behalf Of Jack Dinsmore
Sent: Tuesday, February 07, 2006 1:33 PM
To: kclug at kclug.org
Subject: Re: KCLUG.NET available


I disagree. The way I see it he could build a
tri-homed firewall. Three NICs: one NIC is a wireless
on a private IP range, one NIC is assigned a different
IP range, and the third connects to the Internet. I
don't know enough about switches to analyze the first
answer, but it seemed reasonable, basically the same
as my solution - except the switch is the tri-homed
device. My solution has the added benefit of offering
some protection to the wireless device and also
prevents malicious persons from using the wireless to
launch attacks. The downside is, if the tri-homed
device is compromised all is exposed. Another solution
here would be to have a gateway firewall machine, put
the wireless on the DMZ side of this firewall, and add a
DMZ firewall protecting the internal network from both
the wireless and the Internet.

solution #2:

 Internet 
     |
+----------+
| Firewall |
+----------+
     |
     |      +----------+
     +------| Wireless |
     |      +----------+
     |
+----------+
| Firewall |
+----------+
     |
     |
+----------+
|   LAN    |
+----------+



solution #1:

 Internet 
     |
+----------+
| Firewall |
|----------|
| FW | FW  |
+----------+
   |    |
   |    |      +----------+
   |    +------| Wireless |
   |           +----------+
   |
+----------+
|   LAN    |
+----------+

Granted this configuration is an advanced firewall,
and the previous set up requires two different
firewalls. In all cases the first firewall is a
gateway firewall and the others are choke firewalls.
However, it is doable without a second access point.
The first solution can be done with a single iptables
configuration.

Brian JD
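As an added illustration (not from either poster), here is what "a single iptables configuration" for solution #1 can look like, with the one-host "pinhole" from the IPCop description layered on top. Interface names (eth0 red/Internet, eth1 green/LAN, eth2 blue/wireless), the address ranges, the admin laptop and the access point's management address are all assumptions chosen for the example.

```shell
#!/bin/sh
# Assumed interfaces: eth0 = Internet (red), eth1 = LAN (green), eth2 = wireless (blue).
WAN=eth0; LAN=eth1; WIFI=eth2
LAN_NET=192.168.1.0/24        # constructed sample ranges, not from the thread
WIFI_NET=192.168.2.0/24
ADMIN_HOST=192.168.1.10       # laptop on green that gets the one pinhole
AP_MGMT=192.168.2.2           # access point's management address on blue
IPT=${IPT:-iptables}          # IPT=echo prints the rules instead of loading them

# pinhole SRC_IF SRC_HOST DST_IF DST_HOST PORT: let one host open TCP connections
# to one host on another segment; everything else between the segments stays blocked.
pinhole() {
  $IPT -A FORWARD -i "$1" -s "$2" -o "$3" -d "$4" -p tcp --dport "$5" \
       -m conntrack --ctstate NEW -j ACCEPT
}

fw_policy() {
  $IPT -F; $IPT -X; $IPT -t nat -F
  # Default deny: nothing reaches or crosses the box unless a rule below allows it.
  $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT
  $IPT -A INPUT -i lo -j ACCEPT
  # Replies to connections that were already allowed.
  $IPT -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Anti-spoofing: a packet arriving on blue must carry a blue source address.
  $IPT -A FORWARD -i "$WIFI" ! -s "$WIFI_NET" -j DROP
  # Only green may administer the firewall itself (ssh); blue and red get nothing.
  $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
  # Green and blue may both reach the Internet...
  $IPT -A FORWARD -i "$LAN"  -s "$LAN_NET"  -o "$WAN" -j ACCEPT
  $IPT -A FORWARD -i "$WIFI" -s "$WIFI_NET" -o "$WAN" -j ACCEPT
  # ...but blue never initiates into green: log the attempt, then the DROP policy eats it.
  $IPT -A FORWARD -i "$WIFI" -o "$LAN" -j LOG --log-prefix "WIFI->LAN blocked: "
  # The one pinhole: the admin laptop may reach the access point's web console.
  pinhole "$LAN" "$ADMIN_HOST" "$WIFI" "$AP_MGMT" 443
  # Hide both private ranges behind the Internet-facing address.
  $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# Preview the rule set without root or iptables installed.
fw_show() { ( IPT=echo; fw_policy ); }

case "${1:-}" in
  apply) sysctl -w net.ipv4.ip_forward=1 >/dev/null; fw_policy ;;   # as root
  show)  fw_show ;;
esac
```

Run with `show` to review the rules, and `apply` as root on the tri-homed box; the wireless segment ends up able to reach only the Internet, exactly the "protection to the wireless device" point above.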
