Re: [Hampshire] Networking for Dummies
> The untrusted box is behind the ADSL router only, so has exactly the same protection as it currently has

And that is the problem. It is an ineffective solution with several additional problems. It is not something I could recommend.

> As for the hassle of reconfiguring on the current network, I was assuming that the network re-jig would require that anyway.

No. Adding a second network really only means installing one card, and you can pick them up for next to nothing. You then run one cable to either the untrusted box, or to a switch/bridge/router of your choice. The only clever bit is remembering to use a crossover cable if you're doing direct PC-to-PC connections without auto-MDIX.

> Well there are technically better solutions, but it will work.

Actually, I don't consider that to be working. Your solution provides Internet traffic to the untrusted box, but doesn't do much besides.

Vic.

-- 
Please post to: Hampshire@mailman.lug.org.uk
Web Interface: https://mailman.lug.org.uk/mailman/listinfo/hampshire
LUG URL: http://www.hantslug.org.uk
--
Re: [Hampshire] Networking for Dummies
** Rob Malpass li...@getiton.myzen.co.uk [2011-05-07 09:50]:
> Moving house shortly which means, for the first time, I have to have my father in law on my network. Now while he's no hacker, he is fond of fiddling and has managed to crash his (Windows) machine so badly over the years that nothing short of a full reinstall has fixed it. His fiddling ranges from downloading patches for stuff he's never thought of using, to coverdisks with offers of games if you include enough adware that checks for updates every time it starts up. I'm sure you get the picture!
>
> So he's now going to be part of my LAN. Previously, we have had the luxury of two broadband connections: one cable, one ADSL and I had thought of putting him on a separate router and let that be that. At the new place though, while there are two lines, it seems pointless to pay for another ADSL connection just to keep him isolated.
>
> What I want is to keep him isolated so he can't even see any network devices, printers - just let him share the connection. I'm thinking:
>
> 1) He runs Kaspersky so presumably I could tweak this to allow him only access to IP addresses with outbound traffic outside my LAN's range.
> 2) Setup some sort of rule on the router - not sure how to do this.
> 3) IPCop is probably the most detailed solution - but again not sure.
>
> Is there an obvious solution out there? I don't want to buy netnanny or something like that for him - far too obvious and condescending but I am really worried. I don't want to software firewall the rest of the family's machines so tightly that they become restricted.
** end quote [Rob Malpass]

I'm a little late to this thread, I've been fixing shelves and re-arranging my office all weekend after some shelving decided to start pulling away from the wall with all the computer books and software on them! That's beside the point though.

On the basis that your ADSL connection is likely to have several ethernet ports built in I would suggest the simplest thing to do would be to connect the machine into the ADSL router directly and use a fairly standard cable router to connect the rest of the machines behind that. If you connect the 'internet' side to the ADSL router you effectively put anything connected directly to the ADSL router into a sort of DMZ (sort of since it is still firewalled as normal, so not really a proper DMZ) with a separate IP address range that is firewalled off from the rest of the network by the cable router.

Cable routers are pretty reasonably priced, or if you are lucky you may pick one up off Freecycle / Freegle (I nabbed a D-Link wireless N unit a while back which has improved my coverage!).

Of course if you're not happy using an off the shelf firewall router you're probably not just relying on the ADSL router and have a PC configured you can add an extra NIC to and adjust the routing rules - as already suggested I think.

-- 
Paul Tansom | Aptanet Ltd. | http://www.aptanet.com/ | 023 9238 0001
==
Registered in England | Company No: 4905028 | Registered Office: Crawford House, Hambledon Road, Denmead, Waterlooville, Hants, PO7 6NU
Re: [Hampshire] Networking for Dummies
> If you connect the 'internet' side to the ADSL router you effectively put anything connected directly to the ADSL router into a sort of DMZ (sort of since it is still firewalled as normal, so not really a proper DMZ) with a separate IP address range that is firewalled off from the rest of the network by the cable router.

Errr - I'm not so sure about that.

What is behind the cable router has the usual NAT blackhole, but what is hanging off the ADSL router is entirely unprotected from what is behind the cable router. So if the untrusted box is the one behind the cable router, all the trusted boxes are still subject to attack from the problem box. And that box has essentially unfettered Internet access, so it has no protection from PEBKAC either.

You could, of course, have it the other way round - but that means reconfiguring everything currently on the network, means that those boxes will have to deal with double-NAT (which may or may not be a problem), and still offers no firewall filtering for the hostile box.

So I don't think I agree with you...

Vic.
Re: [Hampshire] Networking for Dummies
Eclipse used to do multiple IP addresses, I don't know if your ISP does. If so, you could do this with 3 devices: ADSL router and 2x ethernet routers, then you set up 2x standard NAT, one on each IP address. That'll safely separate the networks.

Benjie.

On 9 May 2011 16:43, Vic l...@beer.org.uk wrote:
> > If you connect the 'internet' side to the ADSL router you effectively put anything connected directly to the ADSL router into a sort of DMZ (sort of since it is still firewalled as normal, so not really a proper DMZ) with a separate IP address range that is firewalled off from the rest of the network by the cable router.
>
> Errr - I'm not so sure about that.
>
> What is behind the cable router has the usual NAT blackhole, but what is hanging off the ADSL router is entirely unprotected from what is behind the cable router. So if the untrusted box is the one behind the cable router, all the trusted boxes are still subject to attack from the problem box. And that box has essentially unfettered Internet access, so it has no protection from PEBKAC either.
>
> You could, of course, have it the other way round - but that means reconfiguring everything currently on the network, means that those boxes will have to deal with double-NAT (which may or may not be a problem), and still offers no firewall filtering for the hostile box.
>
> So I don't think I agree with you...
>
> Vic.
Re: [Hampshire] Networking for Dummies
** Vic l...@beer.org.uk [2011-05-09 16:44]:
> > If you connect the 'internet' side to the ADSL router you effectively put anything connected directly to the ADSL router into a sort of DMZ (sort of since it is still firewalled as normal, so not really a proper DMZ) with a separate IP address range that is firewalled off from the rest of the network by the cable router.
>
> Errr - I'm not so sure about that.

Well it may not be the most technically elegant solution, but it would work quite happily.

> What is behind the cable router has the usual NAT blackhole, but what is hanging off the ADSL router is entirely unprotected from what is behind the cable router. So if the untrusted box is the one behind the cable router, all the trusted boxes are still subject to attack from the problem box. And that box has essentially unfettered Internet access, so it has no protection from PEBKAC either.
>
> You could, of course, have it the other way round - but that means reconfiguring everything currently on the network, means that those boxes will have to deal with double-NAT (which may or may not be a problem), and still offers no firewall filtering for the hostile box.

The untrusted box is behind the ADSL router only, so has exactly the same protection as it currently has [1]. You then treat this internal network as if it was the internet and put another cable router in between the rest of the clients and the ADSL router. It is double-NAT, but I've run with that for a few years in the past when I didn't fully trust the ADSL router I had (and it lacked some features I needed too) and used a Smoothwall / IPCop box behind it. I have also worked with customers who have had double-NAT'd networks because their ISP provides a private network to their ADSL line and then uses its own firewalls and proxies to give them access to the internet proper.

Cable routers have exactly the same firewall / routing features as their ADSL siblings, so there is the same protection for this new network from the untrusted box as there would be from any machine on the internet. The main issues would be if the untrusted box needed access to one of the other machines for a network share or printer (which I am assuming not), or if the problem it had consumed masses of bandwidth (in which case you'd want to get it sorted quickly anyway!).

As for the hassle of reconfiguring on the current network, I was assuming that the network re-jig would require that anyway. For a small network it isn't that much hassle to re-address machines, particularly if you are using DHCP (and local DNS if needed), but if you use the existing private addresses and give the new address structure to the untrusted box then there's little or nothing to change. iirc they were on separate ADSL lines before, so could easily be using different private addresses anyway.

> So I don't think I agree with you...

Well there are technically better solutions, but it will work. Actually one solution that would work very nicely is a particular model of USR ADSL modem I worked with once. That had two separate ethernet interfaces that could run two totally separate networks off the same ADSL line, with as much or as little interaction as you configured. You could also create this setup using a custom PC with twin NICs and a PCI ADSL card.
** end quote [Vic]

[1] I'm making the assumption here that the standard setup is simply to have clients directly behind the ADSL router as used by the majority of default ISP configurations these days.
Re: [Hampshire] Networking for Dummies
-----Original Message-----
From: hampshire-boun...@mailman.lug.org.uk [mailto:hampshire-boun...@mailman.lug.org.uk] On Behalf Of Andy Smith
Sent: 07 May 2011 09:57
To: hampshire@mailman.lug.org.uk
Subject: Re: [Hampshire] Networking for Dummies

> More info needed. How will his computer(s) connect to your LAN? Direct connection to a switch? WiFi?

Sorry - there have already been quite a few excellent responses on this but...

He's running one W7 machine and will be connected via cable to a hub. Sounds like ipcop or something similar is the way to go - though I must admit I'm sorely tempted to get a cheap ISP and put it down our second phone line just for him - definitely the most expedient route!

Will look in more detail at all the other replies later - many thanks everyone.

Rob
Re: [Hampshire] Networking for Dummies
Hi Rob,

On Sun, May 08, 2011 at 10:08:41AM +0100, Rob Malpass wrote:
> He's running one W7 machine and will be connected via cable to a hub. Sounds like ipcop or something similar is the way to go - though I must admit I'm sorely tempted to get a cheap ISP and put it down our second phone line just for him - definitely the most expedient route!

Will it be though? If he destroys his computers then who has to repair them? Also once there's malware inside your network, this can cause problems.

I agree with Vic's suggestions; if you have a firewall box for your own network then it should be easy to run him through this on an additional interface as well. If you don't like having two different subnets then you can make the Linux box act more like a switch (bridge the interfaces) yet still be able to firewall it. Not sure what the support for that is like in IPCop.

As you say, host firewalls on everything (even just his machines) is a non-starter: too much effort to administer and risks some malware disabling it.

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting

I'd be happy to buy all variations of sex to ensure I got what I wanted.
-- Gary Coates (talking about cabling)
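Andy's bridging alternative (the Linux box acting like a switch between the existing LAN NIC and the new one, so the untrusted box shares the router's subnet and DHCP, while iptables still filters between the two bridge ports), worked through as an added example; it is not code from the post. The interface names eth0/eth1, the bridge name br0, the LAN range 192.168.1.0/24 and the router address 192.168.1.1 are assumptions. The functions print the bridge commands and an iptables-restore ruleset; `apply` runs them as root.

```shell
#!/bin/sh
# Added example, not from the thread: bridge the existing LAN NIC and the new
# card so the untrusted box sits in the same subnet, and filter between the
# bridge ports with iptables' physdev match. Names/addresses are assumptions.
LAN_IF=eth0              # existing NIC on the family LAN
UNTRUST_IF=eth1          # new card, feeding the untrusted box
BRIDGE=br0
LAN_NET=192.168.1.0/24   # the ADSL router's subnet, which he may not probe
ROUTER_IP=192.168.1.1    # the only LAN host he may talk to (DHCP, DNS)

# Commands to build the bridge, printed so the plan can be reviewed before
# it is run as root. The sysctl is the step people forget: without it,
# frames crossing the bridge never pass through iptables at all.
gen_bridge_cmds() {
cat <<EOF
ip link add name $BRIDGE type bridge
ip link set $LAN_IF master $BRIDGE
ip link set $UNTRUST_IF master $BRIDGE
ip link set $LAN_IF up
ip link set $UNTRUST_IF up
ip link set $BRIDGE up
modprobe br_netfilter
sysctl -w net.bridge.bridge-nf-call-iptables=1
EOF
}

# iptables-restore ruleset keyed on the physical bridge port. Frames entering
# on the untrusted port may reach the router for DHCP/DNS and the internet on
# 80/443; nothing else on the LAN, and never this box itself.
gen_bridge_rules() {
cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m physdev --physdev-in $UNTRUST_IF -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DHCP is broadcast in both directions, so conntrack cannot pair it up.
-A FORWARD -m physdev --physdev-in $UNTRUST_IF -p udp --sport 68 --dport 67 -j ACCEPT
-A FORWARD -m physdev --physdev-out $UNTRUST_IF -p udp --sport 67 --dport 68 -j ACCEPT
-A FORWARD -m physdev --physdev-in $UNTRUST_IF -d $ROUTER_IP -p udp --dport 53 -j ACCEPT
-A FORWARD -m physdev --physdev-in $UNTRUST_IF -d $ROUTER_IP -p tcp --dport 53 -j ACCEPT
# Anything else aimed at the LAN (printers, shares, the router's admin page).
-A FORWARD -m physdev --physdev-in $UNTRUST_IF -d $LAN_NET -j DROP
-A FORWARD -m physdev --physdev-in $UNTRUST_IF -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -m physdev --physdev-in $UNTRUST_IF -j DROP
# Nothing unsolicited from the LAN towards him either.
-A FORWARD -m physdev --physdev-out $UNTRUST_IF -j DROP
COMMIT
EOF
}

case "${1:-}" in
  show)  gen_bridge_cmds; gen_bridge_rules ;;
  apply) gen_bridge_cmds | sh && gen_bridge_rules | iptables-restore ;;
esac
```

`sh bridge.sh show` prints both parts for review. One caveat the thread does not mention: bridge-nf-call-iptables only hands IP packets to iptables, so ARP still crosses the bridge unfiltered and an ARP sweep from his port will still list every LAN host; if that matters, the same physdev-style rules are needed in ebtables as well. The routed/NAT approach in Vic's recipe avoids that problem because his box is on its own subnet.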
[Hampshire] Networking for Dummies
Hi all

Moving house shortly which means, for the first time, I have to have my father in law on my network. Now while he's no hacker, he is fond of fiddling and has managed to crash his (Windows) machine so badly over the years that nothing short of a full reinstall has fixed it. His fiddling ranges from downloading patches for stuff he's never thought of using, to coverdisks with offers of games if you include enough adware that checks for updates every time it starts up. I'm sure you get the picture!

So he's now going to be part of my LAN. Previously, we have had the luxury of two broadband connections: one cable, one ADSL and I had thought of putting him on a separate router and let that be that. At the new place though, while there are two lines, it seems pointless to pay for another ADSL connection just to keep him isolated.

What I want is to keep him isolated so he can't even see any network devices, printers - just let him share the connection. I'm thinking:

1) He runs Kaspersky so presumably I could tweak this to allow him only access to IP addresses with outbound traffic outside my LAN's range.
2) Setup some sort of rule on the router - not sure how to do this.
3) IPCop is probably the most detailed solution - but again not sure.

Is there an obvious solution out there? I don't want to buy netnanny or something like that for him - far too obvious and condescending but I am really worried. I don't want to software firewall the rest of the family's machines so tightly that they become restricted.

Cheers
Rob
Re: [Hampshire] Networking for Dummies
Hi Rob,

On Sat, May 07, 2011 at 09:49:29AM +0100, Rob Malpass wrote:
> What I want is to keep him isolated so he can't even see any network devices, printers - just let him share the connection.

More info needed. How will his computer(s) connect to your LAN? Direct connection to a switch? WiFi?

Cheers,
Andy
Re: [Hampshire] Networking for Dummies
> What I want is to keep him isolated

That's always a good plan with relatives :-)

Do you have a server running? That makes life very easy.

Add a second network card to it. This will form your untrusted network. Set your machine to forward IP packets between interfaces (echo 1 > /proc/sys/net/ipv4/ip_forward), then start working on your firewall. I permit ports 80/tcp, 443/tcp, 53/udp, 53/tcp from the untrusted net.

Lastly, set up a DHCP server to listen on the untrusted interface only. Give it a range that is not currently in use on your network. Now add a masquerade rule to the firewall, and you've got a (fairly) locked-down NATted network for your father-in-law to abuse to his heart's content. Very little will go in or out.

If you want WiFi on that network, set up another WiFi router and connect one of its LAN ports to your untrusted interface. Don't connect the ADSL connection at all - it will bleat, but that doesn't matter. Make sure you turn off the DHCP server on that router if you're already running one on your server box.

HTH

Vic.
Re: [Hampshire] Networking for Dummies
On 07/05/2011 09:59, Vic wrote:
> > What I want is to keep him isolated
>
> That's always a good plan with relatives :-)
>
> Do you have a server running? That makes life very easy.
>
> If you want WiFi on that network, set up another WiFi router and connect one of its LAN ports to your untrusted interface. Don't connect the ADSL connection at all - it will bleat, but that doesn't matter. Make sure you turn off the DHCP server on that router if you're already running one on your server box.

Yes - I use shorewall cos I am lazy :-) It's a very easy to use iptables config tool. With shorewall you define zones and interfaces then rules limiting traffic between the zones. Masquerade on the internet connection(s) and you are sorted. If you need an example shorewall config give me a shout :-)

Final suggestions

* configure a separate bind server with many of the flaky ad/spam/infection servers mastered. (for instance .ru is mastered here)
* provide your dad's machine with a fixed IP via dhcpd: map his mac address to a fixed IP.
* ensure dhcpd tells dad's box to use the above DNS server!
* block outbound smtp from the untrusted network
* add quotas/rate limits to the untrusted network

Jacqui
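Vic's recipe (second NIC, ip_forward, a firewall that passes only 80/443 and DNS, DHCP on the untrusted interface only, a masquerade rule) together with Jacqui's additions (fixed lease by MAC, forcing his box onto the local resolver, no outbound SMTP, a rate limit), written out as one added example. It is not code from either post and uses raw iptables-restore and ISC dhcpd syntax rather than Shorewall's zone files, so the rules are visible. Interface names eth0/eth1, the ranges 192.168.1.0/24 and 192.168.200.0/24, and the MAC address are assumptions; the local resolver is assumed to listen on the box's untrusted-side address.

```shell
#!/bin/sh
# Added example, not from the thread: generate (and optionally apply) the
# firewall and DHCP pieces of Vic's recipe plus Jacqui's extras for a Linux
# box with a second NIC feeding an untrusted network. Every interface name,
# address and the MAC below is an assumption.
LAN_IF=eth0                    # existing NIC: trusted LAN, default route via the ADSL router
UNTRUST_IF=eth1                # the new card, feeding the untrusted box / its wifi router
TRUST_NET=192.168.1.0/24       # trusted LAN range: untrusted traffic must never be forwarded here
UNTRUST_NET=192.168.200.0/24   # a range not in use elsewhere on the LAN
UNTRUST_GW=192.168.200.1       # this box's address on $UNTRUST_IF; also the local resolver
FIL_MAC=00:11:22:33:44:55      # assumed MAC of the father-in-law's W7 box
FIL_IP=192.168.200.50

# Print an iptables-restore ruleset on stdout (nothing is applied here).
gen_iptables_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Jacqui: whatever resolver his box is configured with, answers come from ours.
-A PREROUTING -i $UNTRUST_IF -p udp --dport 53 -j DNAT --to-destination $UNTRUST_GW
-A PREROUTING -i $UNTRUST_IF -p tcp --dport 53 -j DNAT --to-destination $UNTRUST_GW
# Vic's masquerade rule: the untrusted net leaves via this box's LAN address.
-A POSTROUTING -s $UNTRUST_NET -o $LAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Existing LAN services are left as they were; tighten to taste.
-A INPUT -i $LAN_IF -j ACCEPT
# From the untrusted side this box offers only DHCP and (redirected) DNS.
-A INPUT -i $UNTRUST_IF -p udp --dport 67 -j ACCEPT
-A INPUT -i $UNTRUST_IF -p udp --dport 53 -j ACCEPT
-A INPUT -i $UNTRUST_IF -p tcp --dport 53 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Masqueraded packets leave on $LAN_IF, which is the trusted segment, so
# forbid the trusted range explicitly whatever the port.
-A FORWARD -i $UNTRUST_IF -d $TRUST_NET -j DROP
# Jacqui: no outbound SMTP (submission ports included) from the untrusted net.
-A FORWARD -i $UNTRUST_IF -p tcp -m multiport --dports 25,465,587 -j REJECT --reject-with tcp-reset
# Jacqui: cap the rate of new connections per source address.
-A FORWARD -i $UNTRUST_IF -m conntrack --ctstate NEW -m hashlimit --hashlimit-name untrust --hashlimit-mode srcip --hashlimit-above 60/min --hashlimit-burst 100 -j DROP
# Vic: web out only; DNS was already diverted to the local resolver above.
-A FORWARD -i $UNTRUST_IF -o $LAN_IF -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# Everything else from the untrusted net falls to the FORWARD DROP policy.
COMMIT
EOF
}

# Print an ISC dhcpd.conf serving only the untrusted subnet; start dhcpd with
# $UNTRUST_IF as its sole interface so the trusted LAN never sees it.
gen_dhcpd_conf() {
cat <<EOF
authoritative;
subnet 192.168.200.0 netmask 255.255.255.0 {
  range 192.168.200.100 192.168.200.150;
  option routers $UNTRUST_GW;
  option domain-name-servers $UNTRUST_GW;
  default-lease-time 3600;
  max-lease-time 7200;
}
# Jacqui: pin his machine to a known address by MAC.
host father-in-law {
  hardware ethernet $FIL_MAC;
  fixed-address $FIL_IP;
}
EOF
}

apply_all() {   # run as root; persist net.ipv4.ip_forward=1 in /etc/sysctl.conf too
  sysctl -w net.ipv4.ip_forward=1
  gen_iptables_rules | iptables-restore
  gen_dhcpd_conf > /etc/dhcp/dhcpd.conf
}

case "${1:-}" in
  show)  gen_iptables_rules; gen_dhcpd_conf ;;
  apply) apply_all ;;
esac
```

`sh untrusted-net.sh show` prints both files for review; `apply` needs root. The `-d $TRUST_NET` drop is the line that matters most: because the masqueraded traffic exits onto the trusted segment, without it the 80/443 accept would let his box browse to any trusted machine's web interface. The DNS rules pair with Jacqui's bind suggestion: the DNAT means his box ends up at the filtering resolver even if he hand-edits his DNS settings, provided that resolver is listening on the box's untrusted-side address.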
Re: [Hampshire] Networking for Dummies
If you have a relatively powerful spare PC, use pfSense. This has AV proxy, Snort w/ ET THREATS standard rules (VPS if you pay snort for them). It also supports a wealth of other things not found in SOHO routers, or router distros. You can easily firewall, segregate, bridge or whatever into his own little portion of the network. Protect his PC w/ snort and squid w/ clamav etc. Best of all, it's free!

http://www.pfsense.org

On Saturday 07 May 2011 09:49:29 Rob Malpass wrote:
> Hi all
>
> Moving house shortly which means, for the first time, I have to have my father in law on my network. Now while he's no hacker, he is fond of fiddling and has managed to crash his (Windows) machine so badly over the years that nothing short of a full reinstall has fixed it. His fiddling ranges from downloading patches for stuff he's never thought of using, to coverdisks with offers of games if you include enough adware that checks for updates every time it starts up. I'm sure you get the picture!
>
> So he's now going to be part of my LAN. Previously, we have had the luxury of two broadband connections: one cable, one ADSL and I had thought of putting him on a separate router and let that be that. At the new place though, while there are two lines, it seems pointless to pay for another ADSL connection just to keep him isolated.
>
> What I want is to keep him isolated so he can't even see any network devices, printers - just let him share the connection. I'm thinking:
>
> 1) He runs Kaspersky so presumably I could tweak this to allow him only access to IP addresses with outbound traffic outside my LAN's range.
> 2) Setup some sort of rule on the router - not sure how to do this.
> 3) IPCop is probably the most detailed solution - but again not sure.
>
> Is there an obvious solution out there? I don't want to buy netnanny or something like that for him - far too obvious and condescending but I am really worried. I don't want to software firewall the rest of the family's machines so tightly that they become restricted.
>
> Cheers
> Rob
Re: [Hampshire] Networking for Dummies
On Saturday 07 May 2011 12:41:55 Ian Grody wrote:
> If you have a relatively powerful spare PC, use pfSense.

By this, I use a P3 533MHz which runs snort and av proxy fine. This box handles 34 users at any one time too! :-)

> This has AV proxy, Snort w/ ET THREATS standard rules (VPS if you pay snort for them). It also supports a wealth of other things not found in SOHO routers, or router distros. You can easily firewall, segregate, bridge or whatever into his own little portion of the network. Protect his PC w/ snort and squid w/ clamav etc. Best of all, it's free!
>
> http://www.pfsense.org
>
> On Saturday 07 May 2011 09:49:29 Rob Malpass wrote:
> > [...]