2012-02-20 - Re: [GRASE-Hotspot] Firewall recommendations

Header Data

From: Tim White <ti***8@gmail.com>
Message Hash: f9cbde5d82192bb9e3921922bb4b188be14f68d9f902cbec88ba63153c2d9a3d
Message ID: <4F42B118.6090605@gmail.com>
Reply To: <1329749109.19815.YahooMailNeo@web161404.mail.bf1.yahoo.com>
UTC Datetime: 2012-02-20 13:46:16 UTC
Raw Date: Tue, 21 Feb 2012 06:46:16 +1000

Raw message

On 21/02/12 00:45, tim storey wrote:
> I run Grase via VirtualBox.
> Lately I've been having some recurring security issues and I was 
> wondering whether I should install something like pfsense (also in a 
> VM)...
> Does anyone have suggestions or noteworthy comments about this?

Can you give us some examples of what you want to do? Yes, by default 
your authenticated users can do a lot on the internet through the 
Hotspot. But it is very easy to lock down.
i.e. remove the following line from the bottom of ipup.sh `ipt -I 
POSTROUTING -t nat -o $HS_WANIF -j MASQUERADE` and modify it to do what 
you want. So for example, if you only want a few protocols to be 
permitted, then create a line for each protocol/port.
i.e. for HTTPS and IMAPS (iptables needs `-p tcp` before `--dport`, otherwise the rule is rejected):
ipt -I POSTROUTING -t nat -o $HS_WANIF -p tcp --dport 443 -j MASQUERADE
ipt -I POSTROUTING -t nat -o $HS_WANIF -p tcp --dport 993 -j MASQUERADE

You should find that port 80 is taken care of by other rules.

Adding in something like pfsense can create more complexity than you may 
find beneficial. And if it also does NAT, then you may find you end up 
triple NATing your users.

Tim
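The egress restriction described in the reply above, as an added dry-run helper that is not part of GRASE Hotspot or this thread: it prints per-port MASQUERADE rules in the form ipup.sh uses (the `ipt` wrapper and `HS_WANIF` names are taken from the post; the function names and the sample ipup.sh tail are constructed), and it checks whether a given ipup.sh still carries the unrestricted MASQUERADE line. Nothing here calls iptables.

```shell
#!/bin/sh
# Added example (not GRASE code): build and audit restricted egress-NAT rules.

# Print one MASQUERADE rule per "proto:port" argument for the given WAN
# interface, validating each spec so a typo cannot produce a broader rule.
# Usage: hs_restricted_masq "$HS_WANIF" tcp:443 tcp:993
hs_restricted_masq() {
    wanif=$1
    shift
    for spec in "$@"; do
        proto=${spec%%:*}
        port=${spec#*:}
        case $proto in
            tcp|udp) ;;
            *) echo "unsupported protocol in '$spec'" >&2; return 1 ;;
        esac
        case $port in
            ''|*[!0-9]*) echo "bad port in '$spec'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range in '$spec'" >&2
            return 1
        fi
        printf 'ipt -I POSTROUTING -t nat -o %s -p %s --dport %s -j MASQUERADE\n' \
            "$wanif" "$proto" "$port"
    done
}

# Succeed (exit 0) if the file still contains a MASQUERADE rule with no
# protocol/port restriction, i.e. the blanket line the reply says to remove.
hs_has_blanket_masq() {
    grep -e 'MASQUERADE' "$1" | grep -v -e '-p ' -e '--dport ' | grep -q .
}

# Constructed sample of an ipup.sh tail before the change, for the audit check.
hs_write_sample_ipup() {
    printf 'ipt -I POSTROUTING -t nat -o $HS_WANIF -j MASQUERADE\n' > "$1"
}

# Stand-alone run: show the rules you would paste into ipup.sh.
hs_restricted_masq "${HS_WANIF:-eth0}" tcp:443 tcp:993
```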
