Tim Wilson wrote:
> On Wednesday 03 September 2003 01:34 pm, Scot Jenkins wrote:
> > don't most of those router/firewall things put the dmz port on the same
> > network as the rest of the boxes on your "inside" LAN?  If so, using the
> > dmz port would be a BAD idea.
> 
> You're probably right about that. I haven't tried it yet. The Linksys uses 
> 192.168.*.* for the internal network. I don't think it uses a different one 
> for the DMZ port. I think it just restricts traffic between them. Maybe 
> someone else on the list is more familiar with the setup. I plan to get more 
> familiar, but I haven't gotten that far with my network yet.

my guess is all the switch ports are on the same network.  putting a box on
the dmz port is the same as putting one on your inside network.  the
only difference being that the dmz port doesn't get the benefits of the
"firewalling" the linksys box provides.  should be easy to test.  enable
the dmz port on the linksys, plug a couple boxes into the switch ports
on the linksys, let them all use dhcp to get their IPs and run ifconfig
on each to see what addresses they come up with.  let us know what you
find.

> > also the wireless AP, if it's going to be open to the world, should be
> > in a DMZ, a different network from your inside LAN.
> 
> What if I use WEP and all the other standard security measures? Would you 
> trust it on the internal LAN then? It's risky, I know, but I'd like to have 
> access to my internal network with the laptop if possible.

no I wouldn't, but I'm paranoid.  if you only run a closed wireless AP
(not open to the public), and restrict who has access to it via MAC address
(which can still be spoofed), use ssh tunneling for services you need,
etc, you would probably be ok.  Probably the "right way" is to vpn from
your wireless laptop to the AP (assuming you can) and from there through 
your firewall and into your inside network.  sounds like a pain to set up 
but probably more secure.  personally I wouldn't allow direct access to my
inside network from any wireless device, but that's me.
-- 
scot

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
http://www.mn-linux.org tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list
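
The ifconfig comparison suggested in the message above, as an added example that is not part of the original post: it parses the IPv4 address and netmask from each box's ifconfig output and reports whether the DMZ-port box landed in the same network as an inside box. The function names and the sample outputs are constructed for illustration.

```python
import ipaddress
import re

# Matches both net-tools layouts: "inet addr:A ... Mask:M" and "inet A netmask M".
INET_RE = re.compile(
    r"inet (?:addr:)?(?P<addr>\d+\.\d+\.\d+\.\d+).*?"
    r"(?:Mask:|netmask )(?P<mask>\d+\.\d+\.\d+\.\d+)"
)

def interfaces(ifconfig_text):
    """Return the non-loopback IPv4 interfaces found in ifconfig output."""
    found = []
    for m in INET_RE.finditer(ifconfig_text):
        iface = ipaddress.ip_interface(f"{m.group('addr')}/{m.group('mask')}")
        if not iface.ip.is_loopback:
            found.append(iface)
    return found

def same_network(text_a, text_b):
    """True if any address on host A shares (or overlaps) a network with host B."""
    return any(
        a.network.overlaps(b.network)
        for a in interfaces(text_a)
        for b in interfaces(text_b)
    )

# Constructed sample output: a box on an ordinary switch port (older layout).
INSIDE = """\
eth0      Link encap:Ethernet  HWaddr 00:00:5E:00:53:01
          inet addr:192.168.1.100  Bcast:192.168.1.255  Mask:255.255.255.0
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
"""
# Constructed sample output: DMZ-port box that got a lease from the same pool.
DMZ_SAME = """\
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.101  netmask 255.255.255.0  broadcast 192.168.1.255
"""
# Constructed sample output: what a separately addressed DMZ would look like.
DMZ_SEPARATE = """\
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.5  netmask 255.255.255.0  broadcast 10.0.0.255
"""

if __name__ == "__main__":
    print("same pool:    ", same_network(INSIDE, DMZ_SAME))
    print("separate net: ", same_network(INSIDE, DMZ_SEPARATE))
```

Matching networks show only that the DMZ box is addressed like the inside boxes; whether the router filters traffic between the ports needs a separate connectivity check.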