[isf-wifidog] IPTables AuthServers is too loose, how can I tighten it up?

listserv.traffic at sloop.net
Tue Jul 21 12:33:13 EDT 2009


I'm pretty sure the gateway conf file for wifidog will allow you to
block stuff pretty easily. (This only works if the GW is between the
wifi clients and the points/hosts you need protected - which in your
case appears to be the case.)

It's been a while since I looked at it, but I know there are
universal blocks, such as blocking port 25 all the time.

I'd assume that blocking CIFS for all wifi users might well be
appropriate.

I also recall there being sections to define rules for un-authed
clients etc, so I'm guessing there's somewhere you can fit in what
you need.

On OpenWrt, IIRC, the wifidog.conf file is in /etc/

Cheers,
Greg

> I am running the WifiDog that comes with DD-WRT v24-sp2. The WiFi router
> is connected to my private LAN (192.168.0.0/24) and thence to a ZyXel 
> ADSL router and so to the Internet. I want to block all access from the
> WiFi subnet (192.168.6.0/24) to the LAN with the exception of the Auth
> server on 192.168.0.16:8880 and the ZyXel gateway.

> The problem is that the IPTables created by WiFiDog have a group for 
> AuthServers as the first WiFiDog group and this allows unrestricted 
> access to the Auth server IP address, not just to the port providing the
> Auth services.

> As a result, even unknown users have unrestricted, e.g. CIFS, access to
> the server, which is in fact a Synology DS207+ NAS server with NFS and
> CIFS shares and other services that I don't want to make public.

> I could update the IPTables by hand, or by script after WiFiDog is
> started, or by cron job to make sure they are not overwritten, but this
> seems like a bit of a kludge.

> Is there a way to get WiFiDog configuration to protect my server, or 
> should I raise a ticket for this exposure?

> Pete Shew



-- 
Best regards,
 listserv                            mailto:listserv.traffic at sloop.net
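The hand-maintained iptables approach Pete mentions, written up as an added example (not code from the thread or from WiFiDog): the rules confine the WiFi subnet to the auth server port and the ADSL gateway and are inserted at position 1 of FORWARD so they are evaluated before the AuthServers chain that WiFiDog places first. Addresses and the port are the ones from Pete's message; the ZyXel address (192.168.0.1) and the chain name WIFI_LAN_LOCK are assumptions.

```shell
#!/bin/sh
# Added example: emit the iptables commands that restrict 192.168.6.0/24 to
# the auth server port and the ADSL gateway. Emitting rather than applying
# lets the rules be reviewed first and then piped to sh on the router.

WIFI_NET="192.168.6.0/24"   # WiFi subnet from the original message
LAN_NET="192.168.0.0/24"    # private LAN from the original message
AUTH_IP="192.168.0.16"      # Synology NAS running the auth server
AUTH_PORT="8880"            # auth server port
GW_IP="192.168.0.1"         # ASSUMED address of the ZyXel ADSL router
CHAIN="WIFI_LAN_LOCK"       # ASSUMED name for our own chain

lan_lockdown_rules() {
    # -N fails harmlessly if the chain exists; -F then empties it, so the
    # script can be re-run from cron after WiFiDog rebuilds its own chains
    # without piling up duplicate rules.
    # Order inside the chain: allow the auth port, allow the gateway, drop
    # everything else headed for the LAN, and RETURN so Internet-bound
    # traffic still goes through WiFiDog's own chains.
    # -D then -I FORWARD 1 re-inserts the jump at the top of FORWARD, ahead
    # of the AuthServers chain that otherwise accepts all traffic to AUTH_IP.
    cat <<EOF
iptables -N $CHAIN 2>/dev/null
iptables -F $CHAIN
iptables -A $CHAIN -d $AUTH_IP -p tcp --dport $AUTH_PORT -j ACCEPT
iptables -A $CHAIN -d $GW_IP -j ACCEPT
iptables -A $CHAIN -d $LAN_NET -j DROP
iptables -A $CHAIN -j RETURN
iptables -D FORWARD -s $WIFI_NET -j $CHAIN 2>/dev/null
iptables -I FORWARD 1 -s $WIFI_NET -j $CHAIN
EOF
}

# Review first, then apply on the router with: lan_lockdown_rules | sh
lan_lockdown_rules
```

Verify placement afterwards with `iptables -L FORWARD -n --line-numbers`; the jump to the lockdown chain must be rule 1, or the AuthServers accept will still win for the NAS address.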



More information about the WiFiDog mailing list