On Fri, 25 Apr 2003, R. Wayne McCorkle wrote:

> The network address for each of the interfaces is shown above. Connections
> to the access point are exclusively MS Windows machines running XP. A file
> server in the LAN runs Samba and a DHCP server (I plan to serve DHCP
> addresses from the LAN, not the access point ... if possible).

You might be able to do DHCP on the firewall, but from within the LAN is
likely to get sticky.

> I understand that WEP is not optimal. My research indicates that IPSec
> would be better. Any suggestions or pointers on setting up IPSec on
> the new firewall? Or, is there something preferable to IPSec?

Most places I've seen use the WEPed 802.11 traffic as nothing more than a
transport layer. The actual traffic is all carried in IPSec tunnels between
the mobile client and the VPN server (the firewall in your case).

I think what I'd do in this situation (not having come up against it so far,
but I will be soon, ironically enough) is to not route 192.168.2.0/24
anywhere except to the firewall. Enforce that with a rule which says
'-s 192.168.2.0/24 -d ! $FWAPIP -j REJECT', rather than just assuming it
won't go anywhere anyway. Then, anyone who wants to get anywhere from their
mobile machine must set up an IPSec tunnel into the firewall, which will be
assigned different source addresses (192.168.3.0/24, say) which can be
routed according to your security policy.

> What can I use to authenticate the Windows services from Samba. It seems
> to me that I am going to have a two step authentication process. First
> step is authenticate access to the Access Point. Second step is granting
> permission to utilize services shared by machines on the LAN (i.e.
> Samba)

If anything from 192.168.2.0/24 isn't allowed past the firewall, unauthed
clients won't get anywhere. If you route 192.168.3.0/24 into the LAN, then
I think that you should be naturally fine with your Windows shares (although
browsing *might* not work; I get the unpleasant feeling you'd need to put a
LMB in 192.168.3.0/24 somehow, or allocate your VPN addresses in a sub-block
of 192.168.1.0/24 and do some transparent bridging).

> Will I be able to access Samba services across the network boundary
> from 192.168.1.x to 192.168.2.x?

Not unless you've got a LMB in 192.168.2.0/24 which knows to talk to your
DMB in 192.168.1.0/24. Whether you want anything from 192.168.2.0/24 to get
anywhere near your internal network is another question entirely.

> I realize these are not all Debian related questions. But I will be
> running Debian on the firewall and this seemed like a good place to start.
> Ideas and pointers to documentation/HowTos would be much appreciated.

Well, for setting up IPSec I think there's a FreeS/WAN HOWTO around. Samba
stuff is pretty well covered in the Samba HOWTO collection (on www.samba.org
or your local mirror). Basic firewalling issues are in Rusty's Unreliable
Guides (at www.netfilter.org) and more advanced routing stuff is in the
Advanced Linux Routing and Traffic Control HOWTO (or some name like that).

-- 
-----------------------------------------------------------------------
#include <disclaimer.h>
Matthew Palmer, Geek In Residence
http://ieee.uow.edu.au/~mjp16
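The rule set sketched in the reply above, written out as an added example (it is not part of the original thread and not the poster's or Matthew Palmer's own script). The single '-s 192.168.2.0/24 -d ! $FWAPIP -j REJECT' rule is split into the two chains where netfilter actually sees the traffic: INPUT for packets addressed to the firewall itself (where only IKE on UDP 500 and ESP need to be let through to bring a tunnel up), and FORWARD for everything the firewall would route on behalf of the wireless segment. Interface names (eth0, eth1, ipsec0), the 192.168.2.1 firewall address and the ipsec0 convention for decrypted packets (FreeS/WAN's KLIPS interface) are assumptions for the example; with a 2.6 native IPsec stack the decrypted packets arrive on the physical interface instead and the VPN_IF match would have to change. The script prints the iptables commands by default and only runs them when invoked with "apply".

```shell
#!/bin/sh
# Dry run by default: prints the iptables commands. Run "sh wlan-fw.sh apply"
# as root to execute them instead.
case "${1:-}" in
    apply) IPT=iptables ;;
    *)     IPT="echo iptables" ;;
esac

# Hypothetical interface names and addresses (not from the original post);
# adjust to the real firewall.
WLAN_IF=eth1              # interface on the 802.11 / access-point segment
LAN_IF=eth0               # interface on the internal LAN
VPN_IF=ipsec0             # FreeS/WAN (KLIPS) interface where decrypted packets appear
WLAN_NET=192.168.2.0/24   # addresses handed out on the wireless segment
VPN_NET=192.168.3.0/24    # addresses assigned inside the IPSec tunnels
LAN_NET=192.168.1.0/24    # internal LAN
FWAPIP=192.168.2.1        # firewall's own address on the wireless segment

wireless_input_rules() {
    # Wireless clients talking to the firewall itself: only what is needed to
    # negotiate and carry an IPSec tunnel (IKE on UDP 500, and ESP) is accepted.
    $IPT -A INPUT -i "$WLAN_IF" -s "$WLAN_NET" -d "$FWAPIP" -p udp --dport 500 -j ACCEPT
    $IPT -A INPUT -i "$WLAN_IF" -s "$WLAN_NET" -d "$FWAPIP" -p esp -j ACCEPT
    # Everything else from the wireless segment to the firewall is refused.
    $IPT -A INPUT -i "$WLAN_IF" -s "$WLAN_NET" -j REJECT
}

wireless_forward_rules() {
    # The wireless segment is routed nowhere: refuse to forward any packet
    # with a 192.168.2.x source, whether it is bound for the LAN or the Internet.
    $IPT -A FORWARD -i "$WLAN_IF" -s "$WLAN_NET" -j REJECT
    # A packet on the wireless interface claiming a tunnel (192.168.3.x) source
    # has not come out of a tunnel, so it is spoofed; drop it silently.
    $IPT -A FORWARD -i "$WLAN_IF" -s "$VPN_NET" -j DROP
}

vpn_forward_rules() {
    # Decrypted tunnel traffic arrives on ipsec0 with a 192.168.3.x source and
    # may reach the LAN; LAN replies are only allowed for established flows.
    $IPT -A FORWARD -i "$VPN_IF" -s "$VPN_NET" -d "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -d "$VPN_NET" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

wireless_input_rules
wireless_forward_rules
vpn_forward_rules
```

Note that the REJECT on FORWARD is what enforces the "routed nowhere" policy; the INPUT rules merely keep the firewall's own listening services (DHCP aside, if you do end up serving it from the firewall) away from unauthenticated wireless clients.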

