> What I want is to keep him isolated

That's always a good plan with relatives :-)

Do you have a server running? That makes life very easy.

Add a second network card to it. This will form your "untrusted" network.
Set your machine to forward IP packets between interfaces (echo 1 >
/proc/sys/net/ipv4/ip_forward), then start working on your firewall.

I permit ports 80/tcp, 443/tcp, 53/udp, 53/tcp from the untrusted net.

Lastly, set up a DHCP server to listen on the untrusted interface only.
Give it a range that is not currently in use on your network. Now add a
masquerade rule to the firewall, and you've got a (fairly) locked-down
NATted network for your father-in-law to abuse to his heart's content.
Very little will go in or out.

If you want WiFi on that network, set up another WiFi router and connect
one of its LAN ports to your untrusted interface. Don't connect the ADSL
connection at all - it will bleat, but that doesn't matter. Make sure you
turn off the DHCP server on that router if you're already running one on
your server box.

HTH

Vic.
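
The firewall and masquerade steps from the message above, written as a ruleset generator. This is an added example, not part of the original post. The interface names, both subnets, the choice of iptables, the DHCP input rule and the block on the existing LAN are assumptions.

```shell
#!/bin/sh
# Added example: prints an iptables-restore ruleset for the two-NIC setup above.
# Assumed, not from the post: interface names, subnets, iptables as the firewall.
# Review the output, then load as root:  sh this-script print | iptables-restore
# Loading it replaces the existing nat and filter tables on the server.
WAN_IF="${WAN_IF:-eth0}"                           # side facing the existing network
UNTRUSTED_IF="${UNTRUSTED_IF:-eth1}"               # the second network card
UNTRUSTED_NET="${UNTRUSTED_NET:-192.168.77.0/24}"  # unused range served by DHCP
TRUSTED_NET="${TRUSTED_NET:-192.168.1.0/24}"       # existing LAN, kept unreachable

gen_rules() {
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
# Hide the untrusted range behind the server's own address
-A POSTROUTING -s $UNTRUSTED_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The server itself only answers DHCP on the untrusted side
-A INPUT -i $UNTRUSTED_IF -p udp --dport 67 -j ACCEPT
-A INPUT -i $UNTRUSTED_IF -j DROP
# Replies to connections the untrusted clients opened
-A FORWARD -i $WAN_IF -o $UNTRUSTED_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Nothing to the existing LAN, so DHCP must hand out a resolver outside it
-A FORWARD -i $UNTRUSTED_IF -d $TRUSTED_NET -j DROP
EOF
    # The four permitted services: 80/tcp, 443/tcp, 53/udp, 53/tcp
    for rule in tcp:80 tcp:443 udp:53 tcp:53; do
        echo "-A FORWARD -i $UNTRUSTED_IF -o $WAN_IF -s $UNTRUSTED_NET -p ${rule%%:*} --dport ${rule##*:} -j ACCEPT"
    done
    echo "COMMIT"
}

if [ "${1:-}" = "print" ]; then
    gen_rules
fi
```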

