Advice wanted regarding setting up WiFi
David Wolfskill
david at catwhisker.org
Thu Apr 1 07:06:57 PST 2004
>Date: Wed, 31 Mar 2004 15:54:40 -0800
>From: bill at wards.net (William R Ward)
>To: baylisa at baylisa.org
>Subject: Advice wanted regarding setting up WiFi
>Sender: owner-baylisa at baylisa.org
>The question is, what's the best way to hook up the base station? I'm
>nervous about plugging it into our existing hub (behind the firewall)
>because then, anyone in the neighborhood with a WiFi-enabled computer
>can get online through our connection. That means they could use our
>bandwidth, hack into our machines, or even send spam through our
>network. Not that I think that's likely, but I'm paranoid.
>So I see two options:
> 1) Add a new firewall box between the cable modem and the WiFi
>station, and then our existing firewall between that and the wired
>computers.
> 2) Add a second ethernet port to our Linux server and connect the
>WiFi to that, and use Linux's built-in firewall to control access.
I did something vaguely similar: I added a 3rd NIC to my firewall box,
and thus have 2 "internal" nets. One is (more-or-less) "trusted"; the
other is for "guests". The access points in the house reside on the
latter net. (And if we *ever* get the place straightened out enough,
and we can figure out appropriate evasive maneuvers for dealing with the
parking issue, if I were to host, say, a blw meeting here, I'd also
connect a hub or switch to that net for use by the attendees.)
Access to the trusted net from the guest net is via the same mechanism
as from the Internet: SSH. And the guest net does not permit 25/tcp
outbound.
>Either way, I would also want to set up something to provide
>authentication (NoCatAuth?) so only authorized users can use it.
I use a combination of:
* WEP
* Set the access points to not broadcast the SSID
* Only permit listed MAC addresses to connect
but even together, they only really constitute an "Authorized Personnel
Only" sign. (I figure that if it comes down to it, some one can
certainly connect without my authorization; claiming to have done so
accidentally will, however, strain the imagination somewhat.)
As far as I know -- and I do review various logs, including the logging
of DHCP requests, daily -- I have yet to have seen a problem. Then
again, the street in front of my house is not conducive to someone being
relatively inconspicuous while parked there, trying to hack my net. :-}
>I have very little spare time to mess with this, so I want something
>that can be set up easily. I also don't have the budget to be buying
>a lot of hardware.
If your existing firewall can accept another NIC, I suggest at least
considering the approach. (I expect that Linux could do this
reasonably, though I don't know from experience. I tend to be rather
more BSD-oriented.)
Peace,
david
--
David H. Wolfskill david at catwhisker.org
I do not "unsubscribe" from email "services" to which I have not explicitly
subscribed. Rather, I block spammers' access to SMTP servers I control,
and encourage others who are in a position to do so to do likewise.
More information about the Baylisa
mailing list