Having spent quite some time experimenting, I would have to agree with your approach. I've assigned a block of IP addresses to the DHCP server, and now I'm trying to block as many ports as possible and still allow internet access.
Another service you'll have to "let out" is DNS (TCP and UDP port 53). You might also want to permit HTTPS (TCP/443) so people can reach secure Web sites.
jwatt
4.4K Posts
0
February 15th, 2004 15:00
The only purpose an Access Point's IP address has is for administrative access. Thus, any traffic originating from it will not be from wireless users. If the AP were configured as a DHCP server and doing NAT, then traffic originating from its IP address would be coming from wireless users plus some administrative traffic from the router (responding to access to the AP's internal Web server).
The AP's "only" a bridge. So if you're intending to block traffic passing through it, the place to set up the restrictions would be on the router.
For example, you could create a pool of IP addresses to be issued by the router's DHCP server for wireless clients, and place port restrictions on members of the pool - on the router. To avoid blocking your own use of the AP, you could assign static MAC-based IP addresses to your own wireless cards and other "inside" devices. Those addresses would be outside the range assigned by the router's DHCP server, and thus also outside the range of the port restriction lists.
The direction of the restrictions would generally be "outbound", since you intend to restrict access to "outside" SMTP servers and other external services.
Jim
dgbowen
2 Intern
168 Posts
0
February 16th, 2004 03:00
Blocking ALL ports (except #80) doesn't work
My goal is to allow internet but not Kazaa, WinMx, or their kind.
What ports should I block to allow internet access but not allow the other stuff?
-Don
johnallg
2 Intern
7.3K Posts
0
February 16th, 2004 03:00
dgbowen
2 Intern
168 Posts
0
February 16th, 2004 04:00
I'd like to learn how to secure that.
jwatt
4.4K Posts
0
February 16th, 2004 16:00
(edit) Oops, here's an obvious one - DHCP! The DHCP server listens on UDP/67, and replies to clients are to port UDP/68. Note though that the initial traffic is a broadcast, since the client doesn't yet have an IP address, nor does it know the IP address of the server. The initial reply to the "DHCPDISCOVER" message from the client is a "DHCPOFFER". It's also broadcast, since the client hasn't yet picked an IP address to use.
You might want to pick up a sniffer (Ethereal's the one of choice!) and put it on a machine you're using to test in the restricted zone. That way, when something doesn't work, you can look at the network traffic that was generated and figure out what caused the problem.
Jim
Message Edited by jimw on 02-16-2004 01:34 PM
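As an added example (not code from this thread or from any product it mentions), here is a small Python model of the design Jim describes: the router's DHCP pool for wireless clients is the restricted range, the owner's static MAC-based "inside" addresses fall outside it, and only the outbound services named in the thread (HTTP, HTTPS, DNS over TCP and UDP, DHCP) pass. The addresses, the sample flows and the `Flow`, `decide`, `audit` and `iptables_rules` names are constructed assumptions; the iptables rendering assumes a Linux router with DNS going to an external resolver, which the thread does not specify. It also covers the DHCP edge case Jim points out: the DHCPDISCOVER comes from 0.0.0.0 to the broadcast address, so no rule keyed on the pool's source range can ever match it.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed addressing for the example (not from the thread): the router's
# DHCP pool for wireless clients is 192.168.1.100-192.168.1.199, and the
# owner's "inside" devices have static MAC-based leases outside that range.
POOL_START = ipaddress.IPv4Address("192.168.1.100")
POOL_END = ipaddress.IPv4Address("192.168.1.199")

# Outbound services the thread says wireless clients still need:
# HTTP, HTTPS, DNS over TCP and UDP, and DHCP (client -> server on UDP/67).
ALLOWED_OUTBOUND: Set[Tuple[str, int]] = {
    ("tcp", 80),
    ("tcp", 443),
    ("tcp", 53),
    ("udp", 53),
    ("udp", 67),
}


@dataclass(frozen=True)
class Flow:
    src: str    # source IPv4 address as the router sees it
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


def in_pool(addr: str) -> bool:
    """True if addr falls inside the wireless DHCP pool."""
    ip = ipaddress.IPv4Address(addr)
    return POOL_START <= ip <= POOL_END


def decide(flow: Flow) -> str:
    """Return 'ALLOW' or 'DROP' for a packet arriving from the LAN/AP side."""
    # DHCPDISCOVER/DHCPREQUEST: the client has no address yet, so the packet
    # is sourced from 0.0.0.0 and sent to 255.255.255.255. A rule keyed on the
    # pool range would never match it, so DHCP is matched on port alone.
    if flow.proto == "udp" and flow.dport == 67:
        return "ALLOW"
    # Static "inside" devices sit outside the pool and are not restricted.
    if not in_pool(flow.src):
        return "ALLOW"
    if (flow.proto, flow.dport) in ALLOWED_OUTBOUND:
        return "ALLOW"
    return "DROP"


def audit(flows: List[Flow]) -> List[Flow]:
    """Return the flows the policy drops: the list to compare against a
    sniffer trace when something on the test machine stops working."""
    return [f for f in flows if decide(f) == "DROP"]


def iptables_rules() -> List[str]:
    """Render the same policy as iptables commands for a Linux router
    (assumed; the thread's router is unspecified). DHCP is addressed to the
    router itself, so it goes in INPUT; everything else is forwarded."""
    rng = f"{POOL_START}-{POOL_END}"
    rules = [
        "iptables -A INPUT -p udp --dport 67 -j ACCEPT",
        # Replies to connections the clients opened must be let back in.
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for proto, port in sorted(ALLOWED_OUTBOUND):
        if port == 67:
            continue  # handled by the INPUT rule above
        rules.append(
            f"iptables -A FORWARD -m iprange --src-range {rng} "
            f"-p {proto} --dport {port} -j ACCEPT"
        )
    # Everything else sourced from the pool is dropped; addresses outside the
    # pool never match this rule, which is what exempts the inside devices.
    rules.append(f"iptables -A FORWARD -m iprange --src-range {rng} -j DROP")
    return rules


if __name__ == "__main__":
    sample = [  # constructed test flows; 203.0.113.5 is a documentation address
        Flow("192.168.1.150", "203.0.113.5", "tcp", 80),   # web from the pool
        Flow("192.168.1.150", "203.0.113.5", "tcp", 25),   # outside SMTP server
        Flow("0.0.0.0", "255.255.255.255", "udp", 67),     # DHCPDISCOVER
        Flow("192.168.1.10", "203.0.113.5", "tcp", 25),    # inside device
    ]
    for f in sample:
        print(decide(f), f)
    print("\n".join(iptables_rules()))
```

Running it prints the verdict for each sample flow and the rendered rules. The useful habit is to feed `audit()` the flows you see in the sniffer trace from the test machine: a flow that fails on the wire but is not in the DROP list is being blocked somewhere other than this policy, and a flow that is in the list tells you which port to add to the allowlist.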