If it is open to all, make static IP assignments for the MAC addresses of the cards that are the network owner's. If he needs internal LAN access to a server, either put it in the DMZ or in local (Green) LAN and make DMZ pinholes for those MACs/IPs to get to the server IP. That prevents outside/free users from getting to the local server and network.
I'd also either make sure NoCatAuth is on IPCop or put it on there yourself. As I said before, it gives the Acceptable Use Policy for outside users. The first Internet hit they try will bounce them to the AUP.
If you want to filter Internet access, use DansGuardian. There is info on the IPCop page about adding it.
Good Luck
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Jared
Sent: Friday, February 10, 2006 5:28 AM
IPCOP it is. I neglected to mention that the wireless AP would be open access for all, including internal use. The picture below is roughly what I'll be doing.
I happen to have a spare 586 sitting around waiting for a Linux image, and IPCOP does both firewall and routing. Basically, for free, and that's the selling point.
Thanks to all for the help!
p.s. The KCLUG.NET address went very quickly.
-Jared
small network whose owner wants to make it available for web-browsing to anyone roaming the neighborhood via wireless. However, as best I know this gives access to the other computers on the network, and I'm curious to know if there is a way to expose a single computer to the world as a wireless server, without giving access to the rest of the network.
Internet to 5-port switch
Switch to Wireless AP and a NAT/Firewall device
NAT/Firewall to private network
solution #1:
        Internet
            |
       +----------+
       | Firewall |
       |----------|
       | FW  | FW |
       +----------+
         |     |
         |     |      +----------+
         |     +------| Wireless |
         |            +----------+
         |
    +----------+
    |   LAN    |
    +----------+
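
The MAC/IP pinhole idea from the first reply, sketched as plain netfilter rules. This is an added example, not part of the thread and not IPCop's own pinhole configuration; the interface names, addresses, MACs and port are constructed assumptions.

```shell
#!/bin/sh
# Added example: prints iptables rules that let only the owner's wireless
# cards (matched on MAC + static IP) reach one internal server, and drop
# every other wireless-to-LAN packet. All values below are constructed.

WLAN_IF="eth2"            # assumed: interface facing the open wireless AP
LAN_IF="eth0"             # assumed: interface facing the private (Green) LAN
SERVER_IP="192.168.1.10"  # assumed: internal server the owner needs
SERVER_PORT="445"         # assumed: TCP port of the service on that server

# Constructed list of the owner's cards: "MAC static-IP", one per line.
OWNER_CARDS="00:11:22:33:44:55 192.168.2.10
00:11:22:33:44:66 192.168.2.11"

# True if the argument looks like a colon-separated 48-bit MAC address.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print the rule set; returns non-zero if any MAC in the list is malformed.
pinhole_rules() {
    # Replies to connections that were allowed below.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "$OWNER_CARDS" | while read -r mac ip; do
        [ -n "$mac" ] || continue
        valid_mac "$mac" || { echo "bad MAC: $mac" >&2; exit 1; }
        echo "iptables -A FORWARD -i $WLAN_IF -o $LAN_IF -m mac --mac-source $mac -s $ip -d $SERVER_IP -p tcp --dport $SERVER_PORT -j ACCEPT"
    done || return 1
    # Everything else arriving from the wireless side stays off the LAN.
    echo "iptables -A FORWARD -i $WLAN_IF -o $LAN_IF -j DROP"
}

# Print the rules for review; nothing is applied to the running firewall.
pinhole_rules
```

On an open access point MAC addresses travel unencrypted, so MAC/IP matching narrows who reaches the server but does not authenticate them; the server's own login still has to carry that job.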