  #1 (permalink)  
Old 11-23-2003, 12:06 PM
Senior Member
 
Join Date: Jan 1970
Location: Meadowbank, Auckland
Posts: 112
Default Firewalling......

Hi All,

I am wanting to implement a suitable firewall between my
internal LAN, my Wireless AP and the Internet (Nokia MW1122 - Jetstart).

I have looked at the usual packages such as IPCop, Smoothwall etc and
although they do the basics very well, I have some specific requirements.

I am not a Linux guru by any means and although I am aware that my requirements
could be sorted with a Linux solution, I have no skill in being able to set one up.

Anyway here is what I need the most:

Firewall with 3 interfaces: INet, LAN, Wireless (standard stuff)
LAN to have access to Wireless but not vice versa.

Authentication onto the firewall from the Wireless interface via web page,
and ability to modify that Auth page to my own liking. (Transparent Proxy?, NoCatAuth?)

Dynamic Traffic shaping from LAN/Wireless to internet with ability to set rules regarding max
kb/s per user (say use 3kB/s or use max bandwidth but if someone else
with higher privilege comes along then limit to 3kB/s) (Zebra?)
I want to let people leech my Jetstart but not affect my performance when I am using it.

Any idea where to start?? I have a boxen with RH9 on it that I can play with if that helps.........
__________________
Steve M
Bigted
Cute, Furry and Cuddly
  #2 (permalink)  
Old 11-23-2003, 08:05 PM
Junior Member
 
Join Date: Jan 1970
Location: Albany
Posts: 22
Default

This is the same setup that I have. The M1122 is a NAT firewall already, so I just use IPCop to firewall off the wireless side from my network. The new version of IPCop, which you can download in beta now, also has a blue interface which is for wireless use.
  #3 (permalink)  
Old 11-24-2003, 12:46 AM
Senior Member
 
Join Date: Jan 1970
Posts: 125
Default

I'd use Star-OS or you could use a Linux box.

I don't know if NoCAT Auth is on Star-OS though.
  #4 (permalink)  
Old 04-10-2004, 01:55 AM
Senior Member
 
Join Date: Jan 1970
Location: Petone, Wellington
Posts: 266
Default

Sorry to drag this thread up, but you might want to check out m0n0wall. It's made by Dick Morrell, one of the Smoothwall founders. It's based on BSD as opposed to Linux and is designed primarily to run embedded.

Of course you could do this with Smoothwall by plonking your wireless gear onto the DMZ...

As for your limiting requirements, you can easily add QoS ability for both incoming and outgoing traffic on Smoothwall. The advantage here is that IPCop, being a direct ripoff of Smoothwall, can usually share hacks (so some IPCop hacks will work on Smoothie and vice versa).
  #5 (permalink)  
Old 04-10-2004, 06:33 AM
Senior Member
 
Join Date: Jan 1970
Location: Palmerston North
Posts: 256
Default

I know Fitzy has the exact same setup. For his web interface log on he has found a website in the USA that you can sign up to and when new users come online they get redirected to this page. They sign up there with a valid email and their MAC. An email is sent to the owner and he can approve and disallow them. Next time they log into your box they enter their email for access. He also does traffic shaping for each client. As for the firewall, I believe he uses a script and iptables to achieve it.

I would suggest dropping him an email.

I also know of another who is using the beta of ipcop to allow wireless clients into and out of his ADSL gateway. It seems to be configurable enough, it is based on MAC.

wookie.
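A minimal iptables ruleset for the three-interface layout asked for in the first post (LAN may open connections to wireless, wireless may not reach the LAN), along the lines of the script-plus-iptables approach mentioned above. This is an added example, not any poster's actual script; the interface names and the DHCP/DNS allowance for wireless clients are assumptions.

```shell
#!/bin/sh
# Emit an iptables-restore ruleset for a three-zone firewall.
# Interface names are assumptions made for this example:
#   $1 = Internet-facing, $2 = wired LAN, $3 = wireless AP segment.
gen_ruleset() {
    inet_if=${1:-ppp0}; lan_if=${2:-eth0}; wlan_if=${3:-eth1}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections that were already permitted, in any direction.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Manage the firewall from the wired LAN only.
-A INPUT -i $lan_if -j ACCEPT
# Assumption: the box hands out DHCP and DNS to wireless clients.
-A INPUT -i $wlan_if -p udp -m multiport --dports 53,67 -j ACCEPT
-A INPUT -i $wlan_if -p tcp --dport 53 -j ACCEPT
# LAN may open connections to wireless and to the Internet.
-A FORWARD -i $lan_if -o $wlan_if -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $lan_if -o $inet_if -m conntrack --ctstate NEW -j ACCEPT
# Wireless may never open a connection into the LAN; log the attempts.
-A FORWARD -i $wlan_if -o $lan_if -j LOG --log-prefix "WLAN->LAN drop: "
-A FORWARD -i $wlan_if -o $lan_if -j DROP
# Wireless may reach the Internet.
-A FORWARD -i $wlan_if -o $inet_if -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
# Hide both internal segments behind the Internet-facing address.
-A POSTROUTING -o $inet_if -j MASQUERADE
COMMIT
EOF
}
# Dry run as root without loading anything:
#   gen_ruleset ppp0 eth0 eth1 | iptables-restore --test
```

Because the ESTABLISHED,RELATED rule comes first, replies from wireless hosts to LAN-initiated connections still pass, while anything a wireless host initiates toward the LAN hits the LOG and DROP pair.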
  #6 (permalink)  
Old 04-10-2004, 07:45 AM
Senior Member
 
Join Date: Jan 1970
Location: Meadowbank, Auckland
Posts: 112
Default

Thanks for the latest comments, all.

I, too, have moved to IPCop 1.4b3 for firewalling, etc.

I have replaced (at the moment) my MW1122 with a USB Dynalink DSL modem
which I am able to connect directly to the IPCop boxen. This stops the
"double NAT'ing" that used to occur with the MW1122. I now have my public
IP address hitting my IPCop boxen instead of an internal IP address from the
Nokia. IPCop 1.4b3 now supports traffic shaping by port. It does not support
by subnet/IP address, which is also what I would like. As mentioned above,
1.4 supports a blue interface for Wireless (also Green - internal, Red - Internet,
Orange - DMZ).

I currently have my AP on Orange (which allows access to my FTP server).


So, IPCop has a wee way to go yet before it does what I want, and to be
honest I do not think they would want to include any sort of authentication
in it at the moment, so I am still looking at other options.

Fitzy's one for authentication sounds interesting.

At the mo' I have no problem with free access to the AP. What I would like to do is provide a
"home page" which gives a brief intro about the AP and what services are available (e.g. FTP server is 10.23.22.xx).
It will enable the user to do more than just getting internet access.
__________________
Steve M
Bigted
Cute, Furry and Cuddly
  #7 (permalink)  
Old 04-11-2004, 12:37 AM
Member
 
Join Date: Jan 1970
Posts: 37
Default modem type?

Quote:
Thanks for the latest comments, all.

I, too, have moved to IPCop 1.4b3 for firewalling, etc.

I have replaced (at the moment) my MW1122 with a USB Dynalink DSL modem

What ADSL modem is it? I got an ALE070

http://www.dynalink.co.nz/products/a...
  #8 (permalink)  
Old 04-11-2004, 01:48 AM
Senior Member
 
Join Date: Jan 1970
Location: Meadowbank, Auckland
Posts: 112
Default

ThaBass,
Yes it is the ALE070.
Took me forever to get it going properly, but IPCop supports most
ECI based USB modems "out of the box". My struggle is your gain!

Procedure:
Get ISO of IPCop 1.4b3 (36 Megs)
http://prdownloads.sourceforge.net/ipcop/i...cop-1.4.0b3.iso

Get suitable PC box (I'll leave the specs up to you)

Install IPCop. Once up and running on the Green interface, Choose the
Config to be Red on Modem, then Green and Blue and/or Orange.

There is an upload page in the web gui for installing the ECI sync.bin file
for the Dynalink. This file varies from modem to modem, and it was the
selection of this file that caused me the greatest problem as there are 30+
versions to choose from. Every test of a file required a reboot so was a
really painful process. ANYWAY, the synch.bin file I ended up using is number
synch05.bin. Synch03.bin only partially works for some strange reason
and this got me confused for some time. (seems synch01 works as well, YMMV)

The sync file you need is
http://eciadsl.flashtux.org/download/eciad...nch_bin.tar.bz2

Once the bin file is loaded you can setup the usual details in the dialup properties page.
It's mostly self explanatory.

Interface: ECI USB ADSL
Connection: Retries 10, Timeout 0 (0=disabled), Connect on restart - Tick
Reconnection - Persistent (This is the way I wanted to do it - I run servers)

ADSL Settings
VPI 0, VCI 100, Modem Dynalink ALE070, Protocol RFC2364 PPPoA,
Encapsulation VCMux

Authentication Your usual username and password (I'm not telling you mine!)

DHCP Automatic - No DNS servers added.

Shut down, connect modem to USB port and reboot.
The link light should start blinking and then set hard on, if all is OK.


Traffic shaping works well (Was broken in a previous beta)
I have ports 80 and 443 set to high priority
Ports 25 and 110 on Medium
Port 119 on low.

Hope this is of help. Good luck.

__________________
Steve M
Bigted
Cute, Furry and Cuddly
  #9 (permalink)  
Old 04-20-2004, 12:43 PM
Senior Member
 
Join Date: Jan 1970
Location: Meadowbank, Auckland
Posts: 112
Default

As a followup:

I discovered that Fitzy is using a service provided by Publicip.net
"A hotspot on a CD" See www.publicip.net for further info.

Uses NoCat Auth for User Authentication
DansGuardian for content filtering

The Wireless gateway also has:

o Dynamic Routing/Firewall
o Proxy Server
o DNS Caching
o DHCP Server
o Web Server


I downloaded the CD and have an old Compaq box running the
software now.
Seems to do the trick. Only downside is that I have ANOTHER box
on the network! It would be nice to get all of this functionality in one
"appliance" :P
__________________
Steve M
Bigted
Cute, Furry and Cuddly