[LAD] [ot] - NEED some security advise PLEASE! + new question

Fons Adriaensen fons at kokkinizita.net
Mon Feb 16 21:42:00 UTC 2009

Thanks to all who responded !

[ Steve Lindsay ]

> > I find shorewall is the nicest way to go about this sort of thing. You
> > write some fairly straightforward configuration files describing your
> > setup and what you want to achieve, and it handles all the iptables
> > configuration for you. Easy to set up, easy to maintain, easy to modify
> > when your requirements change (if you want to do some port forwarding
> > etc.).
> > 
> > http://www.shorewall.net

[ Fernando ]
> Second that, it's what we use. But I don't use it as a NAT gateway. 
> For an internal authenticated "guest" network for wired/wireless laptop
> access + NAT for outgoing stuff we use chillispot
> (http://www.chillispot.info/), you need two network interfaces and
> chillispot manages a dhcp server for the internal side and tunneling to
> go outside. Users see a "login screen" through any browser where they
> can enter their account name and password and then they are granted
> access to the network (I did use shorewall in the gateway machine to
> manage firewalling). In our own machines I set up a static route to the
> "internal" 192.x.x.x network so that laptops are reachable from our
> linux workstations. 

The situation here is somewhat different - the
internal network *is* trusted. All the computers
are in a single room, most of them even in the
same rack, and it's not a multi-user scenario.
Strict rules will be applied for anything coming
in from the outside to the router, but these are
essentially the same that would be applied to any
single machine. 

I'll keep the higher level tools in mind for next
time. But since by now I've already learned to hack
iptables in order to accommodate some other special
requirements on the internal net, that's what I'm
going to do for the NAT as well - it's in fact a
lot simpler than what I imagined. 



Laboratorio di Acustica ed Elettroacustica
Parma, Italia

O tu, che porte, correndo si ?
E guerra e morte !
